Skip to content

sinkap/linux

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,445,100 Commits
Documentation
Documentation
 
 
LICENSES
LICENSES
 
 
arch
arch
 
 
block
block
 
 
certs
certs
 
 
crypto
crypto
 
 
drivers
drivers
 
 
fs
fs
 
 
include
include
 
 
init
init
 
 
io_uring
io_uring
 
 
ipc
ipc
 
 
kernel
kernel
 
 
lib
lib
 
 
mm
mm
 
 
net
net
 
 
rust
rust
 
 
samples
samples
 
 
scripts
scripts
 
 
security
security
 
 
sound
sound
 
 
tools
tools
 
 
usr
usr
 
 
virt
virt
 
 
.clang-format
.clang-format
 
 
.clippy.toml
.clippy.toml
 
 
.cocciconfig
.cocciconfig
 
 
.editorconfig
.editorconfig
 
 
.get_maintainer.ignore
.get_maintainer.ignore
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.mailmap
.mailmap
 
 
.pylintrc
.pylintrc
 
 
.rustfmt.toml
.rustfmt.toml
 
 
COPYING
COPYING
 
 
CREDITS
CREDITS
 
 
Kbuild
Kbuild
 
 
Kconfig
Kconfig
 
 
MAINTAINERS
MAINTAINERS
 
 
Makefile
Makefile
 
 
README
README
 
 
README.md
README.md
 
 

Repository files navigation

This series continues the "Signed BPF programs" work and adds the missing pieces needed for an LSM to do policy enforcement and addresses the concerns raised by the developers of Hornet.

One signing scheme, please.

BPF does not need a second signing scheme. It needs a policy framework that consumes the verdict the existing signing pipeline produces. Two parallel signing stacks is harmful UX for Cilium, bpftrace, systemd, distros, and everyone shipping signed lskels. Hornet has been NACK'd repeatedly by the BPF maintainers [1][2] on layering and TOCTOU grounds.

What this series adds

  • prog->aux->sig (verdict + keyring) and prog->aux->is_kernel, populated by the syscall path before security_bpf_prog_load fires.
  • bpf_loader_verify_metadata kfunc -- the metadata check is now kernel C code, not BPF bytecode. The verifier injects the calling prog->aux as an implicit argument via KF_IMPLICIT_ARGS.
  • Loader-side prog BTF with BPF_PSEUDO_KFUNC_CALL_PROG_BTF so the kfunc CALL is reproducible across build hosts and resolved at load time.
  • security_bpf_prog_load_post_integrity LSM hook, fired by the kfunc on a successful metadata check.
  • IPE properties (bpf_signature, bpf_keyring, bpf_kernel) and two ops (BPF_PROG_LOAD, BPF_PROG_LOAD_POST_INTEGRITY).

This series address concerns raised by the Hornet developers:

  • The metadata hash check should be in kernel C, not BPF bytecode -- Blaise Boscaccy [3]:

    The bpf_loader_verify_metadata kfunc moves the hash check from inline BPF instructions into kernel C code.

  • LSMs cannot observe the verification result at hook time -- Paul Moore [4]:

    prog->aux->sig.verdict and sig.keyring are populated before any LSM hook runs. Furthermore, security_bpf_prog_load_post_integrity hook fires after the in-kernel hash check for consumers that want to observe or gate the post-integrity transition.

[1] Alexei Starovoitov, NACK on Hornet (TOCTOU + layering), https://lore.kernel.org/all/CAADnVQJ1CRvTXBU771KaYzrx-vRaWF+k164DcFOqOsCxmuL+ig@mail.gmail.com/ [2] Daniel Borkmann, NACK on Hornet v3, https://lore.kernel.org/all/[email protected]/ [3] Blaise Boscaccy, Hornet v6 (C-side hash verification rationale), https://lore.kernel.org/all/[email protected]/ [4] Paul Moore, push for post-verifier observability, https://lore.kernel.org/all/CACYkzJ4+=3owK+ELD9Nw7Rrm-UajxXEw8kVtOTJJ+SNAXpsOpw@mail.gmail.com/

About

Linux kernel source tree

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

605 tags

Packages

 
 
 

Contributors

Languages

  • C 98.0%
  • Assembly 0.7%
  • Shell 0.4%
  • Rust 0.3%
  • Python 0.3%
  • Makefile 0.2%
  • Other 0.1%