lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <f7e997ac-2312-4d18-96d7-d6abb190a5c3@infradead.org>
Date: Thu, 11 Dec 2025 12:07:16 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>,
 Jonathan Corbet <corbet@....net>, Paul Moore <paul@...l-moore.com>,
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Mickaël Salaün <mic@...ikod.net>,
 Günther Noack <gnoack@...gle.com>,
 "Dr. David Alan Gilbert" <linux@...blig.org>,
 Andrew Morton <akpm@...ux-foundation.org>,
 James.Bottomley@...senPartnership.com, dhowells@...hat.com,
 linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-kernel@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [RFC 08/11] security: Hornet LSM



On 12/10/25 6:12 PM, Blaise Boscaccy wrote:
> diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
> new file mode 100644
> index 0000000000000..0fb5920e9b68f
> --- /dev/null
> +++ b/Documentation/admin-guide/LSM/Hornet.rst
> @@ -0,0 +1,38 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +======
> +Hornet
> +======
> +
> +Hornet is a Linux Security Module that provides extensible signature
> +verification for eBPF programs. This is selectable at build-time with
> +``CONFIG_SECURITY_HORNET``.
> +
> +Overview
> +========
> +
> +Hornet addresses concerns from users who require strict audit
> +trails and verification guarantees, especially in security-sensitive
> +environments. Map hashes for extended verification are passed in via
> +the existing PKCS#7 uapi and verifified by the crypto

                                verified
and preferably         UAPI

> +subsystem. Hornet then calculates the verification state of the
> +program (full, partial, bad, etc) and then invokes a new downstream

                                etc.)

> +LSM hook to delegate policy decisions.
> +
> +Tooling
> +=======
> +
> +Some tooling is provided to aid with the development of signed eBPF
> +light-skeletons.
> +
> +extract-skel.sh
> +---------------
> +
> +This shell script extracts the instructions and map data used by the
> +light skeleton from the autogenerated header file created by bpftool.
> +
> +gen_sig
> +---------
> +
> +gen_sig creates a pkcs#7 signature of a data payload. Additionally it
> +appends a signed attribute containing a set of hashes.

-- 
~Randy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ