lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <877c456jzq.fsf@microsoft.com>
Date: Mon, 31 Mar 2025 13:08:41 -0700
From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
To: sergeh@...nel.org
Cc: Jonathan Corbet <corbet@....net>, David Howells <dhowells@...hat.com>,
 Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller"
 <davem@...emloft.net>, Paul Moore <paul@...l-moore.com>, James Morris
 <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Masahiro Yamada
 <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas
 Schier <nicolas@...sle.eu>, Shuah Khan <shuah@...nel.org>, Mickaël Salaün
 <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>, Nick
 Desaulniers
 <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>,
 Justin Stitt <justinstitt@...gle.com>, Jarkko Sakkinen
 <jarkko@...nel.org>, Jan Stancek <jstancek@...hat.com>, Neal Gompa
 <neal@...pa.dev>, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
 keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
 linux-security-module@...r.kernel.org, linux-kbuild@...r.kernel.org,
 linux-kselftest@...r.kernel.org, bpf@...r.kernel.org,
 llvm@...ts.linux.dev, nkapron@...gle.com, teknoraver@...a.com,
 roberto.sassu@...wei.com, xiyou.wangcong@...il.com
Subject: Re: [RFC PATCH security-next 1/4] security: Hornet LSM

sergeh@...nel.org writes:

> On Fri, Mar 21, 2025 at 09:45:03AM -0700, Blaise Boscaccy wrote:
>> This adds the Hornet Linux Security Module which provides signature
>> verification of eBPF programs.
>> 
>> Hornet uses a similar signature verification scheme similar to that of
>
> used 'similar' twice
>
>> kernel modules. A pkcs#7 signature is appended to the end of an
>> executable file. During an invocation of bpf_prog_load, the signature
>> is fetched from the current task's executable file. That signature is
>> used to verify the integrity of the bpf instructions and maps which
>> where passed into the kernel. Additionally, Hornet implicitly trusts any
>
> s/where/were
>
>> programs which where loaded from inside kernel rather than userspace,
>
> s/where/were
>
>> which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL
>> programs to run.
>> 
>> Hornet allows users to continue to maintain an invariant that all code
>> running inside of the kernel has been signed and works well with
>> light-skeleton based loaders, or any statically generated program that
>> doesn't require userspace instruction rewriting.
>> 
>> Signed-off-by: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
>> ---
>>  Documentation/admin-guide/LSM/Hornet.rst |  51 +++++
>>  crypto/asymmetric_keys/pkcs7_verify.c    |  10 +
>>  include/linux/kernel_read_file.h         |   1 +
>>  include/linux/verification.h             |   1 +
>>  include/uapi/linux/lsm.h                 |   1 +
>>  security/Kconfig                         |   3 +-
>>  security/Makefile                        |   1 +
>>  security/hornet/Kconfig                  |  11 ++
>>  security/hornet/Makefile                 |   4 +
>>  security/hornet/hornet_lsm.c             | 239 +++++++++++++++++++++++
>>  10 files changed, 321 insertions(+), 1 deletion(-)
>>  create mode 100644 Documentation/admin-guide/LSM/Hornet.rst
>>  create mode 100644 security/hornet/Kconfig
>>  create mode 100644 security/hornet/Makefile
>>  create mode 100644 security/hornet/hornet_lsm.c
>> 
>> diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
>> new file mode 100644
>> index 0000000000000..fa112412638f1
>> --- /dev/null
>> +++ b/Documentation/admin-guide/LSM/Hornet.rst
>> @@ -0,0 +1,51 @@
>> +======
>> +Hornet
>> +======
>> +
>> +Hornet is a Linux Security Module that provides signature verification
>> +for eBPF programs. This is selectable at build-time with
>> +``CONFIG_SECURITY_HORNET``.
>> +
>> +Overview
>> +========
>> +
>> +Hornet provides signature verification for eBPF programs by utilizing
>> +the existing PKCS#7 infrastructure that's used for module signature
>> +verification. Hornet works by creating a buffer containing the eBPF
>> +program instructions along with its associated maps and checking a
>> +signature against that buffer. The signature is appended to the end of
>> +the lskel executable file and is extracted at runtime via
>> +get_task_exe_file. Hornet works by hooking into the
>> +security_bpf_prog_load hook. Load invocations that originate from the
>> +kernel (bpf preload, results of bpf_syscall programs, etc.) are
>> +allowed to run unconditionally. Calls that originate from userspace
>> +require signature verification. If signature verification fails, the
>> +program will fail to load.
>> +
>> +Instruction/Map Ordering
>> +========================
>> +
>> +Hornet supports both sparse-array based maps via map discovery along
>> +with the newly added fd_array_cnt API for continuous map arrays. The
>> +buffer used for signature verification is assumed to be the
>> +instructions followed by all maps used, ordered by their index in
>> +fd_array.
>> +
>> +Tooling
>> +=======
>> +
>> +Some tooling is provided to aid with the development of signed eBPF lskels.
>> +
>> +extract-skel.sh
>> +---------------
>> +
>> +This simple shell script extracts the instructions and map data used
>> +by the light skeleton from the autogenerated header file created by
>> +bpftool.
>> +
>> +sign-ebpf
>> +---------
>> +
>> +sign-ebpf works similarly to the sign-file script with one key
>> +difference: it takes a separate input binary used for signature
>> +verification and will append the signature to a different output file.
>> diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
>> index f0d4ff3c20a83..1a5fbb3612188 100644
>> --- a/crypto/asymmetric_keys/pkcs7_verify.c
>> +++ b/crypto/asymmetric_keys/pkcs7_verify.c
>> @@ -428,6 +428,16 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
>>  		}
>>  		/* Authattr presence checked in parser */
>>  		break;
>> +	case VERIFYING_EBPF_SIGNATURE:
>> +		if (pkcs7->data_type != OID_data) {
>> +			pr_warn("Invalid ebpf sig (not pkcs7-data)\n");
>> +			return -EKEYREJECTED;
>> +		}
>> +		if (pkcs7->have_authattrs) {
>> +			pr_warn("Invalid ebpf sig (has authattrs)\n");
>> +			return -EKEYREJECTED;
>> +		}
>> +		break;
>>  	case VERIFYING_UNSPECIFIED_SIGNATURE:
>>  		if (pkcs7->data_type != OID_data) {
>>  			pr_warn("Invalid unspecified sig (not pkcs7-data)\n");
>> diff --git a/include/linux/kernel_read_file.h b/include/linux/kernel_read_file.h
>> index 90451e2e12bd1..7ed9337be5423 100644
>> --- a/include/linux/kernel_read_file.h
>> +++ b/include/linux/kernel_read_file.h
>> @@ -14,6 +14,7 @@
>>  	id(KEXEC_INITRAMFS, kexec-initramfs)	\
>>  	id(POLICY, security-policy)		\
>>  	id(X509_CERTIFICATE, x509-certificate)	\
>> +	id(EBPF, ebpf)				\
>>  	id(MAX_ID, )
>>  
>>  #define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
>> diff --git a/include/linux/verification.h b/include/linux/verification.h
>> index 4f3022d081c31..812be8ad5f744 100644
>> --- a/include/linux/verification.h
>> +++ b/include/linux/verification.h
>> @@ -35,6 +35,7 @@ enum key_being_used_for {
>>  	VERIFYING_KEXEC_PE_SIGNATURE,
>>  	VERIFYING_KEY_SIGNATURE,
>>  	VERIFYING_KEY_SELF_SIGNATURE,
>> +	VERIFYING_EBPF_SIGNATURE,
>>  	VERIFYING_UNSPECIFIED_SIGNATURE,
>>  	NR__KEY_BEING_USED_FOR
>>  };
>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>> index 938593dfd5daf..2ff9bcdd551e2 100644
>> --- a/include/uapi/linux/lsm.h
>> +++ b/include/uapi/linux/lsm.h
>> @@ -65,6 +65,7 @@ struct lsm_ctx {
>>  #define LSM_ID_IMA		111
>>  #define LSM_ID_EVM		112
>>  #define LSM_ID_IPE		113
>> +#define LSM_ID_HORNET		114
>>  
>>  /*
>>   * LSM_ATTR_XXX definitions identify different LSM attributes
>> diff --git a/security/Kconfig b/security/Kconfig
>> index f10dbf15c2947..0030f0224c7ab 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -230,6 +230,7 @@ source "security/safesetid/Kconfig"
>>  source "security/lockdown/Kconfig"
>>  source "security/landlock/Kconfig"
>>  source "security/ipe/Kconfig"
>> +source "security/hornet/Kconfig"
>>  
>>  source "security/integrity/Kconfig"
>>  
>> @@ -273,7 +274,7 @@ config LSM
>>  	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
>>  	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
>>  	default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
>> -	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
>> +	default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,hornet,bpf"
>>  	help
>>  	  A comma-separated list of LSMs, in initialization order.
>>  	  Any LSMs left off this list, except for those with order
>> diff --git a/security/Makefile b/security/Makefile
>> index 22ff4c8bd8cec..e24bccd951f88 100644
>> --- a/security/Makefile
>> +++ b/security/Makefile
>> @@ -26,6 +26,7 @@ obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
>>  obj-$(CONFIG_BPF_LSM)			+= bpf/
>>  obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
>>  obj-$(CONFIG_SECURITY_IPE)		+= ipe/
>> +obj-$(CONFIG_SECURITY_HORNET)		+= hornet/
>>  
>>  # Object integrity file lists
>>  obj-$(CONFIG_INTEGRITY)			+= integrity/
>> diff --git a/security/hornet/Kconfig b/security/hornet/Kconfig
>> new file mode 100644
>> index 0000000000000..19406aa237ac6
>> --- /dev/null
>> +++ b/security/hornet/Kconfig
>> @@ -0,0 +1,11 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +config SECURITY_HORNET
>> +	bool "Hornet support"
>> +	depends on SECURITY
>> +	default n
>> +	help
>> +	  This selects Hornet.
>> +	  Further information can be found in
>> +	  Documentation/admin-guide/LSM/Hornet.rst.
>> +
>> +	  If you are unsure how to answer this question, answer N.
>> diff --git a/security/hornet/Makefile b/security/hornet/Makefile
>> new file mode 100644
>> index 0000000000000..79f4657b215fa
>> --- /dev/null
>> +++ b/security/hornet/Makefile
>> @@ -0,0 +1,4 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +obj-$(CONFIG_SECURITY_HORNET) := hornet.o
>> +
>> +hornet-y := hornet_lsm.o
>> diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
>> new file mode 100644
>> index 0000000000000..3616c68b76fbc
>> --- /dev/null
>> +++ b/security/hornet/hornet_lsm.c
>> @@ -0,0 +1,239 @@
>> +// SPDX-License-Identifier: GPL-2.0-only
>> +/*
>> + * Hornet Linux Security Module
>> + *
>> + * Author: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
>> + *
>> + * Copyright (C) 2025 Microsoft Corporation
>> + */
>> +
>> +#include <linux/lsm_hooks.h>
>> +#include <uapi/linux/lsm.h>
>> +#include <linux/bpf.h>
>> +#include <linux/verification.h>
>> +#include <crypto/public_key.h>
>> +#include <linux/module_signature.h>
>> +#include <crypto/pkcs7.h>
>> +#include <linux/bpf_verifier.h>
>> +#include <linux/sort.h>
>> +
>> +#define EBPF_SIG_STRING "~eBPF signature appended~\n"
>> +
>> +struct hornet_maps {
>> +	u32 used_idx[MAX_USED_MAPS];
>> +	u32 used_map_cnt;
>> +	bpfptr_t fd_array;
>> +};
>> +
>> +static int cmp_idx(const void *a, const void *b)
>> +{
>> +	return *(const u32 *)a - *(const u32 *)b;
>> +}
>> +
>> +static int add_used_map(struct hornet_maps *maps, int idx)
>> +{
>> +	int i;
>> +
>> +	for (i = 0; i < maps->used_map_cnt; i++)
>> +		if (maps->used_idx[i] == idx)
>> +			return i;
>> +
>> +	if (maps->used_map_cnt >= MAX_USED_MAPS)
>> +		return -E2BIG;
>> +
>> +	maps->used_idx[maps->used_map_cnt] = idx;
>> +	return maps->used_map_cnt++;
>> +}
>> +
>> +static int hornet_find_maps(struct bpf_prog *prog, struct hornet_maps *maps)
>> +{
>> +	struct bpf_insn *insn = prog->insnsi;
>> +	int insn_cnt = prog->len;
>> +	int i;
>> +	int err;
>> +
>> +	for (i = 0; i < insn_cnt; i++, insn++) {
>> +		if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
>> +			switch (insn[0].src_reg) {
>> +			case BPF_PSEUDO_MAP_IDX_VALUE:
>> +			case BPF_PSEUDO_MAP_IDX:
>> +				err = add_used_map(maps, insn[0].imm);
>> +				if (err < 0)
>> +					return err;
>> +				break;
>> +			default:
>> +				break;
>> +			}
>> +		}
>> +	}
>> +	/* Sort the spare-array indices. This should match the map ordering used during
>> +	 * signature generation
>> +	 */
>> +	sort(maps->used_idx, maps->used_map_cnt, sizeof(*maps->used_idx),
>> +	     cmp_idx, NULL);
>> +
>> +	return 0;
>> +}
>> +
>> +static int hornet_populate_fd_array(struct hornet_maps *maps, u32 fd_array_cnt)
>> +{
>> +	int i;
>> +
>> +	if (fd_array_cnt > MAX_USED_MAPS)
>> +		return -E2BIG;
>> +
>> +	for (i = 0; i < fd_array_cnt; i++)
>> +		maps->used_idx[i] = i;
>> +
>> +	maps->used_map_cnt = fd_array_cnt;
>> +	return 0;
>> +}
>> +
>> +/* kern_sys_bpf is declared as an EXPORT_SYMBOL in kernel/bpf/syscall.c, however no definition is
>> + * provided in any bpf header files. If/when this function has a proper definition provided
>> + * somewhere this declaration should be removed
>> + */
>> +int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size);
>> +
>> +static int hornet_verify_lskel(struct bpf_prog *prog, struct hornet_maps *maps,
>> +			       void *sig, size_t sig_len)
>> +{
>> +	int fd;
>> +	u32 i;
>> +	void *buf;
>> +	void *new;
>> +	size_t buf_sz;
>> +	struct bpf_map *map;
>> +	int err = 0;
>> +	int key = 0;
>> +	union bpf_attr attr = {0};
>> +
>> +	buf = kmalloc_array(prog->len, sizeof(struct bpf_insn), GFP_KERNEL);
>> +	if (!buf)
>> +		return -ENOMEM;
>> +	buf_sz = prog->len * sizeof(struct bpf_insn);
>> +	memcpy(buf, prog->insnsi, buf_sz);
>> +
>> +	for (i = 0; i < maps->used_map_cnt; i++) {
>> +		err = copy_from_bpfptr_offset(&fd, maps->fd_array,
>> +					      maps->used_idx[i] * sizeof(fd),
>> +					      sizeof(fd));
>> +		if (err < 0)
>> +			continue;
>> +		if (fd < 1)
>> +			continue;
>> +
>> +		map = bpf_map_get(fd);
>> +		if (IS_ERR(map))
>> +			continue;
>> +
>> +		/* don't allow userspace to change map data used for signature verification */
>> +		if (!map->frozen) {
>> +			attr.map_fd = fd;
>> +			err = kern_sys_bpf(BPF_MAP_FREEZE, &attr, sizeof(attr));
>> +			if (err < 0)
>> +				goto out;
>> +		}
>> +
>> +		new = krealloc(buf, buf_sz + map->value_size, GFP_KERNEL);
>> +		if (!new) {
>> +			err = -ENOMEM;
>> +			goto out;
>> +		}
>> +		buf = new;
>> +		new = map->ops->map_lookup_elem(map, &key);
>> +		if (!new) {
>> +			err = -ENOENT;
>> +			goto out;
>> +		}
>> +		memcpy(buf + buf_sz, new, map->value_size);
>> +		buf_sz += map->value_size;
>> +	}
>> +
>> +	err = verify_pkcs7_signature(buf, buf_sz, sig, sig_len,
>> +				     VERIFY_USE_SECONDARY_KEYRING,
>> +				     VERIFYING_EBPF_SIGNATURE,
>> +				     NULL, NULL);
>> +out:
>> +	kfree(buf);
>> +	return err;
>> +}
>> +
>> +static int hornet_check_binary(struct bpf_prog *prog, union bpf_attr *attr,
>> +			       struct hornet_maps *maps)
>> +{
>> +	struct file *file = get_task_exe_file(current);
>> +	const unsigned long markerlen = sizeof(EBPF_SIG_STRING) - 1;
>> +	void *buf = NULL;
>> +	size_t sz = 0, sig_len, prog_len, buf_sz;
>> +	int err = 0;
>> +	struct module_signature sig;
>> +
>> +	buf_sz = kernel_read_file(file, 0, &buf, INT_MAX, &sz, READING_EBPF);
>> +	fput(file);
>> +	if (!buf_sz)
>> +		return -1;
>> +
>> +	prog_len = buf_sz;
>> +
>> +	if (prog_len > markerlen &&
>> +	    memcmp(buf + prog_len - markerlen, EBPF_SIG_STRING, markerlen) == 0)
>> +		prog_len -= markerlen;
>> +
>> +	memcpy(&sig, buf + (prog_len - sizeof(sig)), sizeof(sig));
>> +	sig_len = be32_to_cpu(sig.sig_len);
>> +	prog_len -= sig_len + sizeof(sig);
>> +
>> +	err = mod_check_sig(&sig, prog->len * sizeof(struct bpf_insn), "ebpf");
>> +	if (err)
>> +		return err;
>> +	return hornet_verify_lskel(prog, maps, buf + prog_len, sig_len);
>> +}
>> +
>> +static int hornet_check_signature(struct bpf_prog *prog, union bpf_attr *attr,
>> +				  struct bpf_token *token, bool is_kernel)
>
> It's a little confusing that you are passing is_kernel in here, when the
> only caller will always pass in true.  Is there a good reason not to
> drop the arg here and pass 'true' in to make_bpfptr().  Of course, then
> people will ask why not define an IS_KERNEL to true as passing true to
> second argument is cryptic...  Maybe you just can't win here :)
>

Initially during development churn, this code was using a bpfptr_t that
ended up becoming a boolean flag in the LSM hooks and this appears to be a
relic of that. I think I'll remove the boolean param to
hornet_check_signature since this code is only interested in checking
stuff that originiated in userspace.  

>> +{
>> +	struct hornet_maps maps = {0};
>> +	int err;
>> +
>> +	/* support both sparse arrays and explicit continuous arrays of map fds */
>> +	if (attr->fd_array_cnt)
>> +		err = hornet_populate_fd_array(&maps, attr->fd_array_cnt);
>> +	else
>> +		err = hornet_find_maps(prog, &maps);
>> +
>> +	if (err < 0)
>> +		return err;
>> +
>> +	maps.fd_array = make_bpfptr(attr->fd_array, is_kernel);
>> +	return hornet_check_binary(prog, attr, &maps);
>> +}
>> +
>> +static int hornet_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
>> +				struct bpf_token *token, bool is_kernel)
>> +{
>> +	if (is_kernel)
>> +		return 0;
>> +	return hornet_check_signature(prog, attr, token, is_kernel);
>> +}
>> +
>> +static struct security_hook_list hornet_hooks[] __ro_after_init = {
>> +	LSM_HOOK_INIT(bpf_prog_load, hornet_bpf_prog_load),
>> +};
>> +
>> +static const struct lsm_id hornet_lsmid = {
>> +	.name = "hornet",
>> +	.id = LSM_ID_HORNET,
>> +};
>> +
>> +static int __init hornet_init(void)
>> +{
>> +	pr_info("Hornet: eBPF signature verification enabled\n");
>> +	security_add_hooks(hornet_hooks, ARRAY_SIZE(hornet_hooks), &hornet_lsmid);
>> +	return 0;
>> +}
>> +
>> +DEFINE_LSM(hornet) = {
>> +	.name = "hornet",
>> +	.init = hornet_init,
>> +};
>> -- 
>> 2.48.1
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ