lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87v7i4hpi4.fsf@microsoft.com>
Date: Wed, 17 Dec 2025 11:33:55 -0800
From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
To: ryan foster <foster.ryan.r@...il.com>
Cc: James.Bottomley@...senpartnership.com, akpm@...ux-foundation.org,
 bpf@...r.kernel.org, corbet@....net, dhowells@...hat.com,
 gnoack@...gle.com, jmorris@...ei.org, linux-doc@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org,
 linux@...blig.org, mic@...ikod.net, paul@...l-moore.com, serge@...lyn.com
Subject: Re: [RFC 00/11] Reintroduce Hornet LSM

ryan foster <foster.ryan.r@...il.com> writes:

> Hi all,
>

Hi Ryan,

> I want to confirm I understand the current semantics, and specific issues
> this series is addressing.
>
> In the signed BPF two step flow, the LSM makes decisions using what is
> known at the time of run hooks.  At load time, the only clear fact is "the
> loader is signed".  However, if we really want integrity for "the final
> program that will execute after relocation, and any inputs as part of the
> contract, matches what was signed".  The fact exists after loader runs, so
> the kernel could end up allowing and auditing based on the signed loader,
> even though it cannot yet truthfully say the runnable payload has been
> verified.
>

Correct.

> If this is the right understanding, perhaps we could consider a design that
> moves enforcement to the moment the program becomes effective. E.g.  Load
> can create a program object, but it is inert by default.  The kernel should
> only allow attach or link creation if the kernel has already recorded a
> verified record of the final relocated instruction stream plus
> referenced state for inputs, is included in the "integrity contract".
>
> If the referenced state is mutable, then either state must be frozen before
> the contract is verified, or any mutation must invalidate verified and
> force re-verification and a new policy decision. Otherwise the state is
> susceptible to TOCTOU issues.
>
> Is this the semantic goal Hortnet is aiming for, and is attack or link
> creation the intended enforcement point for the "cannot become effective
> until verified" rule, instead of trying to make a load time hook represent
> final payload verification?
>
> Thanks
>
> Regard, Ryan


The semantic goal for Hornet is to validate the provenance and integrity
of all the user-generated inputs when they are loaded into the kernel,
in order to allow users to make intelligent security decisions based
on that. IMO, attaching and linking are orthogonal run-time policy issues
that are seperate from provenance and data integrity concerns.

Allowing or disallowing linking and attaching based on the completeness of
signature validation does make sense. That kind of decision would
probably be handled by selinux, IPE, or a custom BPF LSM program most
likely though. 

-blaise

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ