[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250502184421.1424368-1-bboscaccy@linux.microsoft.com>
Date: Fri, 2 May 2025 11:44:06 -0700
From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
To: Jonathan Corbet <corbet@....net>,
David Howells <dhowells@...hat.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Nicolas Schier <nicolas@...sle.eu>,
Shuah Khan <shuah@...nel.org>,
Mickaël Salaün <mic@...ikod.net>,
Günther Noack <gnoack@...gle.com>,
Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>,
Blaise Boscaccy <bboscaccy@...ux.microsoft.com>,
Jarkko Sakkinen <jarkko@...nel.org>,
Jan Stancek <jstancek@...hat.com>,
Neal Gompa <neal@...pa.dev>,
linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kbuild@...r.kernel.org,
linux-kselftest@...r.kernel.org,
bpf@...r.kernel.org,
llvm@...ts.linux.dev,
nkapron@...gle.com,
teknoraver@...a.com,
roberto.sassu@...wei.com,
xiyou.wangcong@...il.com,
Tyler Hicks <code@...icks.com>,
James Bottomley <James.Bottomley@...senpartnership.com>
Subject: [PATCH v3 0/4] Introducing Hornet LSM
This patch series introduces the Hornet LSM. The goal of Hornet is to
provide a signature verification mechanism for eBPF programs.
eBPF has similar requirements to that of modules when it comes to
loading: find symbol addresses, fix up ELF relocations, some struct
field offset handling stuff called CO-RE (compile-once run-anywhere),
and some other miscellaneous bookkeeping. During eBPF program
compilation, pseudo-values get written to the immediate operands of
instructions. During loading, those pseudo-values get rewritten with
concrete addresses or data applicable to the currently running system,
e.g., a kallsyms address or an fd for a map. This needs to happen
before the instructions for a bpf program are loaded into the kernel
via the bpf() syscall. Unlike modules, an in-kernel loader
unfortunately doesn't exist. Typically, the instruction rewriting is
done dynamically in userspace via libbpf. Since the relocations and
instruction modifications are happening in userspace, and their values
may change depending upon the running system, this breaks known
signature verification mechanisms.
Light skeleton programs were introduced in order to support early
loading of eBPF programs along with user-mode drivers. They utilize a
separate eBPF program that can load a target eBPF program and perform
all necessary relocations in-kernel without needing a working
userspace. Light skeletons were mentioned as a possible path forward
for signature verification.
Hornet takes a simple approach to light-skeleton-based eBPF signature
verification. A PKCS#7 signature of a data buffer containing the raw
instructions of an eBPF program, followed by the initial values of any
maps used by the program is used. A utility script is provided to
parse and extract the contents of autogenerated header files created
via bpftool. That payload can then be signed and appended to the light
skeleton executable.
Maps are checked that they are frozen to prevent TOCTOU bugs where a
sufficiently privileged user could rewrite map data between the calls
to BPF_PROG_LOAD and BPF_PROG_RUN. Additionally, both
sparse-array-based and fd_array_cnt-based map fd arrays are supported
for signature verification.
References:
[1] https://lore.kernel.org/bpf/20220209054315.73833-1-alexei.starovoitov@gmail.com/
[2] https://lore.kernel.org/bpf/CAADnVQ+wPK1KKZhCgb-Nnf0Xfjk8M1UpX5fnXC=cBzdEYbv_kg@mail.gmail.com/
Change list:
- v2 -> v3
- Remove any and all usage of proprietary bpf APIs
- Add optional systemd/pid1 whitelisting
- Minor Makefile cleanup
- Fixed buffer leak
- Handled null current task
- Made magic number required
- Defensive checks against invalid buffer signature reads
- v1 -> v2
- Jargon clarification, maintainer entry and a few cosmetic fixes
Revisions:
- v1
https://lore.kernel.org/bpf/20250321164537.16719-1-bboscaccy@linux.microsoft.com
- v2
https://lore.kernel.org/linux-security-module/20250404215527.1563146-1-bboscaccy@linux.microsoft.com
Blaise Boscaccy (4):
security: Hornet LSM
hornet: Introduce sign-ebpf
hornet: Add a light skeleton data extractor script
selftests/hornet: Add a selftest for the Hornet LSM
Documentation/admin-guide/LSM/Hornet.rst | 65 +++
Documentation/admin-guide/LSM/index.rst | 1 +
MAINTAINERS | 9 +
crypto/asymmetric_keys/pkcs7_verify.c | 10 +
include/linux/kernel_read_file.h | 1 +
include/linux/verification.h | 1 +
include/uapi/linux/lsm.h | 1 +
scripts/Makefile | 1 +
scripts/hornet/Makefile | 5 +
scripts/hornet/extract-skel.sh | 29 ++
scripts/hornet/sign-ebpf.c | 411 ++++++++++++++++++
security/Kconfig | 3 +-
security/Makefile | 1 +
security/hornet/Kconfig | 24 +
security/hornet/Makefile | 4 +
security/hornet/hornet_lsm.c | 250 +++++++++++
security/selinux/hooks.c | 12 +-
security/selinux/include/classmap.h | 2 +-
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/hornet/Makefile | 58 +++
tools/testing/selftests/hornet/fail_loader.sh | 3 +
tools/testing/selftests/hornet/frozen_skel.h | 393 +++++++++++++++++
tools/testing/selftests/hornet/loader.c | 22 +
tools/testing/selftests/hornet/trivial.bpf.c | 33 ++
24 files changed, 1336 insertions(+), 4 deletions(-)
create mode 100644 Documentation/admin-guide/LSM/Hornet.rst
create mode 100644 scripts/hornet/Makefile
create mode 100755 scripts/hornet/extract-skel.sh
create mode 100644 scripts/hornet/sign-ebpf.c
create mode 100644 security/hornet/Kconfig
create mode 100644 security/hornet/Makefile
create mode 100644 security/hornet/hornet_lsm.c
create mode 100644 tools/testing/selftests/hornet/Makefile
create mode 100755 tools/testing/selftests/hornet/fail_loader.sh
create mode 100644 tools/testing/selftests/hornet/frozen_skel.h
create mode 100644 tools/testing/selftests/hornet/loader.c
create mode 100644 tools/testing/selftests/hornet/trivial.bpf.c
--
2.48.1
Powered by blists - more mailing lists