Message-ID: <20251229171402.1491979-1-foster.ryan.r@gmail.com>
Date: Mon, 29 Dec 2025 09:12:48 -0800
From: Ryan Foster <foster.ryan.r@...il.com>
To: bboscaccy@...ux.microsoft.com
Cc: James.Bottomley@...senpartnership.com,
	akpm@...ux-foundation.org,
	bpf@...r.kernel.org,
	corbet@....net,
	dhowells@...hat.com,
	foster.ryan.r@...il.com,
	gnoack@...gle.com,
	jmorris@...ei.org,
	linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux@...blig.org,
	mic@...ikod.net,
	paul@...l-moore.com,
	serge@...lyn.com
Subject: Re: [RFC 00/11] Reintroduce Hornet LSM

Hi all,

I am considering how to reconcile the TOCTOU concern with the "don't touch BPF internals" feedback, and I think a very small API might help:

Minimal API draft: BPF integrity measurement

Goal: kernel-generated measurement of the final relocated program + declared inputs, so attach/link can be enforced without poking internals.

1) New BPF cmd
- BPF_MEASURE_PROG (or BPF_PROG_MEASURE)
- Input: prog_fd
- Output: opaque measurement blob + metadata

struct bpf_prog_measure_opts {
        __u32 size;
        __u32 flags;
        __u32 sig_len;
        __u64 sig_ptr;
        __u64 prog_id;
        __u64 meas_id;
};

Semantics
- Kernel computes measurement over final relocated insns + inputs explicitly in the integrity contract (e.g., sealed maps).
- Measurement is kernel-owned and stable for a program state.

2) Per-prog integrity state

enum lsm_integrity_verdict {
        LSM_INT_VERDICT_UNSIGNED,
        LSM_INT_VERDICT_PARTIAL,
        LSM_INT_VERDICT_OK,
        LSM_INT_VERDICT_BADSIG,
};

struct bpf_prog_integrity {
        __u64 meas_id;
        enum lsm_integrity_verdict v;
};

- Attach/link allowed only if policy verdict passes.
- Any input mutation invalidates meas_id and resets verdict.

3) Input immutability
- Only sealed/frozen maps can be measured.
- Any write to a measured map invalidates the measurement.

4) LSM integration
- Hornet (or another integrity LSM) consumes the measurement blob, verifies signatures, stores verdict.
- SELinux/IPE/BPF LSMs can gate attach/link based on verdict.

Why this helps
- TOCTOU: verification tied to final relocated program + frozen inputs; mutations invalidate.
- No BPF internals: LSMs use a stable syscall API, not map internals.
- Minimal blast radius: one syscall + small per-prog state.

A thought for future iterations; happy to help refine if this seems useful.

Thanks,
Ryan
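As an added example, not code from the RFC or from the mail's author: a small userspace C model of the measure / verify / invalidate / attach flow sketched above. The verdict names follow the mail; the digest (FNV-1a), the single sealed-map input, and the reference-compare standing in for signature verification are assumptions made for illustration.

```c
/* Added example, not kernel code: userspace model of the draft's flow. Verdict names
 * follow the mail; the digest, single sealed-map input and reference-compare are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum lsm_integrity_verdict { LSM_INT_VERDICT_UNSIGNED, LSM_INT_VERDICT_PARTIAL,
                             LSM_INT_VERDICT_OK, LSM_INT_VERDICT_BADSIG };

struct model_map { uint8_t data[16]; bool frozen; };
struct model_prog {
    uint64_t insns[4];             /* stands in for the final relocated insns */
    struct model_map *map;         /* the one declared input in this model */
    uint64_t meas_id;              /* 0 means "no valid measurement" */
    enum lsm_integrity_verdict v;
};

/* FNV-1a: stand-in for whatever digest the kernel would use. */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* BPF_MEASURE_PROG: digest over relocated insns + frozen map; unfrozen input => no measurement (item 3). */
uint64_t measure_prog(struct model_prog *p) {
    p->v = LSM_INT_VERDICT_UNSIGNED;            /* fresh blob, not yet verified */
    if (!p->map->frozen) return p->meas_id = 0;
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, p->insns, sizeof p->insns);
    h = fnv1a(h, p->map->data, sizeof p->map->data);
    return p->meas_id = h ? h : 1;              /* keep 0 as the "none" value */
}

/* Item 4: LSM checks the blob, stores verdict; signature check modelled as reference compare. */
void lsm_verify(struct model_prog *p, uint64_t trusted_meas) {
    p->v = (p->meas_id && p->meas_id == trusted_meas) ? LSM_INT_VERDICT_OK
                                                      : LSM_INT_VERDICT_BADSIG;
}

/* Item 3: any write to a measured input invalidates meas_id and resets v. */
void map_write(struct model_prog *p, size_t off, uint8_t val) {
    p->map->data[off % sizeof p->map->data] = val;
    p->meas_id = 0;
    p->v = LSM_INT_VERDICT_UNSIGNED;
}

/* Attach/link gate: both a live measurement and a passing verdict are needed. */
bool attach_allowed(const struct model_prog *p) {
    return p->meas_id != 0 && p->v == LSM_INT_VERDICT_OK;
}
```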
