| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87zf7igmy4.fsf@microsoft.com> Date: Tue, 16 Dec 2025 13:02:11 -0800 From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com> To: Randy Dunlap <rdunlap@...radead.org>, Jonathan Corbet <corbet@....net>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Mickaël Salaün <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>, "Dr. David Alan Gilbert" <linux@...blig.org>, Andrew Morton <akpm@...ux-foundation.org>, James.Bottomley@...senPartnership.com, dhowells@...hat.com, linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org Subject: Re: [RFC 08/11] security: Hornet LSM Randy Dunlap <rdunlap@...radead.org> writes: > On 12/10/25 6:12 PM, Blaise Boscaccy wrote: >> diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst >> new file mode 100644 >> index 0000000000000..0fb5920e9b68f >> --- /dev/null >> +++ b/Documentation/admin-guide/LSM/Hornet.rst >> @@ -0,0 +1,38 @@ >> +.. SPDX-License-Identifier: GPL-2.0 >> + >> +====== >> +Hornet >> +====== >> + >> +Hornet is a Linux Security Module that provides extensible signature >> +verification for eBPF programs. This is selectable at build-time with >> +``CONFIG_SECURITY_HORNET``. >> + >> +Overview >> +======== >> + >> +Hornet addresses concerns from users who require strict audit >> +trails and verification guarantees, especially in security-sensitive >> +environments. Map hashes for extended verification are passed in via >> +the existing PKCS#7 uapi and verifified by the crypto > > verified > and preferably UAPI > >> +subsystem. Hornet then calculates the verification state of the >> +program (full, partial, bad, etc) and then invokes a new downstream > > etc.) > Copy that. Thanks Randy. -blaise >> +LSM hook to delegate policy decisions. >> + >> +Tooling >> +======= >> + >> +Some tooling is provided to aid with the development of signed eBPF >> +light-skeletons. >> + >> +extract-skel.sh >> +--------------- >> + >> +This shell script extracts the instructions and map data used by the >> +light skeleton from the autogenerated header file created by bpftool. >> + >> +gen_sig >> +--------- >> + >> +gen_sig creates a pkcs#7 signature of a data payload. Additionally it >> +appends a signed attribute containing a set of hashes. > > -- > ~Randy
Powered by blists - more mailing lists