lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <874iz96jxz.fsf@microsoft.com>
Date: Mon, 31 Mar 2025 13:09:44 -0700
From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
To: Jonathan Corbet <corbet@....net>, David Howells <dhowells@...hat.com>,
 Herbert Xu <herbert@...dor.apana.org.au>, "David S.
 Miller" <davem@...emloft.net>, Paul Moore <paul@...l-moore.com>, James
 Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Masahiro
 Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
 Nicolas Schier <nicolas@...sle.eu>, Shuah Khan <shuah@...nel.org>,
 Mickaël Salaün <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>, Nick
 Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling
 <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, Jarkko Sakkinen
 <jarkko@...nel.org>, Jan
 Stancek <jstancek@...hat.com>, Neal Gompa <neal@...pa.dev>,
 linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
 keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
 linux-security-module@...r.kernel.org, linux-kbuild@...r.kernel.org,
 linux-kselftest@...r.kernel.org, bpf@...r.kernel.org,
 llvm@...ts.linux.dev, nkapron@...gle.com, teknoraver@...a.com,
 roberto.sassu@...wei.com, xiyou.wangcong@...il.com
Subject: Re: [RFC PATCH security-next 1/4] security: Hornet LSM

Jonathan Corbet <corbet@....net> writes:

> Blaise Boscaccy <bboscaccy@...ux.microsoft.com> writes:
>
>> This adds the Hornet Linux Security Module which provides signature
>> verification of eBPF programs.
>>
>> Hornet uses a similar signature verification scheme similar to that of
>> kernel modules. A pkcs#7 signature is appended to the end of an
>> executable file. During an invocation of bpf_prog_load, the signature
>> is fetched from the current task's executable file. That signature is
>> used to verify the integrity of the bpf instructions and maps which
>> where passed into the kernel. Additionally, Hornet implicitly trusts any
>> programs which where loaded from inside kernel rather than userspace,
>> which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL
>> programs to run.
>>
>> Hornet allows users to continue to maintain an invariant that all code
>> running inside of the kernel has been signed and works well with
>> light-skeleton based loaders, or any statically generated program that
>> doesn't require userspace instruction rewriting.
>>
>> Signed-off-by: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
>> ---
>>  Documentation/admin-guide/LSM/Hornet.rst |  51 +++++
>
> You will need to add that file to .../index.rst, or it won't be included
> in the docs build.
>
> Thanks,
>
> jon

Good catch, will get that fixed. Thanks Jon.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ