From: Eric Biggers <ebiggers@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
linux-crypto@vger.kernel.org, "Jonathan Corbet" <corbet@lwn.net>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Dr. David Alan Gilbert" <linux@treblig.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
James.Bottomley@hansenpartnership.com, dhowells@redhat.com,
"Fan Wu" <wufan@kernel.org>,
"Ryan Foster" <foster.ryan.r@gmail.com>,
"Randy Dunlap" <rdunlap@infradead.org>,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
"Song Liu" <song@kernel.org>
Subject: Re: [PATCH v7 00/10] Reintroduce Hornet LSM
Date: Thu, 7 May 2026 21:58:41 +0000 [thread overview]
Message-ID: <20260507215841.GA440717@google.com> (raw)
In-Reply-To: <CAHC9VhR0Abikk+2=DWtVu1cEkcwkudKFRJH51BFOh0Qt01wLJw@mail.gmail.com>
On Thu, May 07, 2026 at 04:57:35PM -0400, Paul Moore wrote:
> On Thu, May 7, 2026 at 3:14 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
> >
> > This patch series introduces the next iteration of the Hornet LSM.
> > Hornet’s goal is to provide a secure and extensible in-kernel
> > signature verification mechanism for eBPF programs.
> >
> > Hornet addresses concerns from users who require strict audit trails and
> > verification guarantees for eBPF programs, especially in
> > security-sensitive environments. Many production systems need assurance
> > that only authorized, unmodified eBPF programs are loaded into the
> > kernel. Hornet provides this assurance through cryptographic signature
> > verification.
> >
> > The currently accepted loader-plus-map signature verification scheme,
> > mandated by Alexei and KP, is simple to implement and generally
> > acceptable if users and administrators are satisfied with it. However,
> > verifying both the loader and the maps offers additional benefits
> > beyond verifying the loader alone:
> >
> > 1. Security and Audit Integrity
> >
> > A key advantage is that the LSM hook for authorizing BPF program loads
> > can operate after signature verification. This ensures:
> >
> > * Access control decisions are based on verified signature status.
> > * Accurate system state measurement and logging.
> > * Log entries claiming a verified signature are truthful, avoiding
> > misleading records where only the loader was verified while the actual
> > BPF program verification occurs later without logging.
> >
> > 2. TOCTOU Attack Prevention
> >
> > The current map hash implementation may be vulnerable to a TOCTOU
> > attack because it allows unfrozen maps to cache a previously
> > calculated hash. The accepted “trusted loader” scheme cannot detect
> > this and may permit loading altered maps.
> >
> > 3. Supply Chain Integrity
> >
> > Verify that eBPF programs and their associated map data have not been
> > modified since they were built and signed, in the kernel proper, may
> > aid in protecting against supply chain attacks.
> >
> > This approach addresses concerns from users who require strict audit
> > trails and verification guarantees, especially in security-sensitive
> > environments. Map hashes for extended verification are passed via the
> > existing PKCS#7 UAPI and verified by the crypto subsystem. Hornet then
> > calculates the program’s verification state. Hornet itself does not
> > enforce a policy on whether unsigned or partially signed programs
> > should be rejected. It delegates that decision to downstream LSMs
> > hook, making it a composable building block in a larger security
> > architecture.
>
> [NOTE: trimmed changelog for brevity]
>
> > Blaise Boscaccy (6):
> > lsm: security: Add additional enum values for bpf integrity checks
> > security: Hornet LSM
> > hornet: Introduce gen_sig
> > hornet: Add a light skeleton data extractor scripts
> > selftests/hornet: Add a selftest for the Hornet LSM
> > ipe: Add BPF program load policy enforcement via Hornet integration
> >
> > James Bottomley (3):
> > crypto: pkcs7: add flag for validated trust on a signed info block
> > crypto: pkcs7: add ability to extract signed attributes by OID
> > crypto: pkcs7: add tests for pkcs7_get_authattr
> >
> > Paul Moore (1):
> > lsm: framework for BPF integrity verification
> >
> > Documentation/admin-guide/LSM/Hornet.rst | 323 +++++++++++++++
> > Documentation/admin-guide/LSM/index.rst | 1 +
> > Documentation/admin-guide/LSM/ipe.rst | 162 +++++++-
> > Documentation/security/ipe.rst | 68 ++++
> > MAINTAINERS | 9 +
> > certs/system_keyring.c | 1 +
> > crypto/asymmetric_keys/Makefile | 4 +-
> > crypto/asymmetric_keys/pkcs7_aa.asn1 | 18 +
> > crypto/asymmetric_keys/pkcs7_key_type.c | 44 +-
> > crypto/asymmetric_keys/pkcs7_parser.c | 81 ++++
> > crypto/asymmetric_keys/pkcs7_parser.h | 1 +
> > crypto/asymmetric_keys/pkcs7_trust.c | 1 +
> > include/crypto/pkcs7.h | 4 +
> > include/linux/lsm_hook_defs.h | 5 +
> > include/linux/oid_registry.h | 3 +
> > include/linux/security.h | 28 ++
> > include/uapi/linux/lsm.h | 1 +
> > scripts/Makefile | 1 +
> > scripts/hornet/Makefile | 5 +
> > scripts/hornet/extract-insn.sh | 27 ++
> > scripts/hornet/extract-map.sh | 27 ++
> > scripts/hornet/extract-skel.sh | 27 ++
> > scripts/hornet/gen_sig.c | 401 +++++++++++++++++++
> > scripts/hornet/write-sig.sh | 27 ++
> > security/Kconfig | 3 +-
> > security/Makefile | 1 +
> > security/hornet/Kconfig | 13 +
> > security/hornet/Makefile | 7 +
> > security/hornet/hornet.asn1 | 12 +
> > security/hornet/hornet_lsm.c | 352 ++++++++++++++++
> > security/ipe/Kconfig | 15 +
> > security/ipe/audit.c | 15 +
> > security/ipe/eval.c | 93 ++++-
> > security/ipe/eval.h | 11 +
> > security/ipe/hooks.c | 63 +++
> > security/ipe/hooks.h | 15 +
> > security/ipe/ipe.c | 14 +
> > security/ipe/ipe.h | 3 +
> > security/ipe/policy.h | 14 +
> > security/ipe/policy_parser.c | 27 ++
> > security/security.c | 75 +++-
> > tools/testing/selftests/Makefile | 1 +
> > tools/testing/selftests/hornet/Makefile | 63 +++
> > tools/testing/selftests/hornet/loader.c | 21 +
> > tools/testing/selftests/hornet/trivial.bpf.c | 33 ++
> > 45 files changed, 2112 insertions(+), 8 deletions(-)
> > create mode 100644 Documentation/admin-guide/LSM/Hornet.rst
> > create mode 100644 crypto/asymmetric_keys/pkcs7_aa.asn1
> > create mode 100644 scripts/hornet/Makefile
> > create mode 100755 scripts/hornet/extract-insn.sh
> > create mode 100755 scripts/hornet/extract-map.sh
> > create mode 100755 scripts/hornet/extract-skel.sh
> > create mode 100644 scripts/hornet/gen_sig.c
> > create mode 100755 scripts/hornet/write-sig.sh
> > create mode 100644 security/hornet/Kconfig
> > create mode 100644 security/hornet/Makefile
> > create mode 100644 security/hornet/hornet.asn1
> > create mode 100644 security/hornet/hornet_lsm.c
> > create mode 100644 tools/testing/selftests/hornet/Makefile
> > create mode 100644 tools/testing/selftests/hornet/loader.c
> > create mode 100644 tools/testing/selftests/hornet/trivial.bpf.c
>
> [NOTE: added the linux-crypto list to the To/CC lines]
>
> Hi crypto folks,
>
> You'll notice there are three patches from James Bottomley in this
> patchset that touch crypto code and I'd appreciate it if you could
> take a look and either ACK the patches or let James and Blaise know
> what you would like changed. James did send these patches to you for
> review some time ago, so they aren't necessarily new, but I wanted to
> make sure you saw them again.
>
> Unfortunately, it doesn't look like the crypto list was CC'd on this
> patchset, so here is a lore link to the patchset as a whole:
>
> https://lore.kernel.org/linux-security-module/20260507191416.2984054-1-bboscaccy@linux.microsoft.com
>
> ... and here are lore links to the three crypto patches:
We discussed before how the actual signature check seemed to have been
overlooked in some cases, due to the complexities of PKCS#7
(https://lore.kernel.org/r/20260305185016.GC2796@quark/). Looks like
that was fixed. It is really hard to do any meaningful review of a
PKCS#7 based system, though. And it sounds like this one is proceeding
anyway due to some requirement to be compatible with an existing PKCS#7
based system. So I'm not sure what you're looking for.
- Eric
next prev parent reply other threads:[~2026-05-07 21:58 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 19:13 [PATCH v7 00/10] Reintroduce Hornet LSM Blaise Boscaccy
2026-05-07 19:13 ` [PATCH v7 01/10] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2026-05-07 23:51 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 1/10] " Paul Moore
2026-05-07 19:13 ` [PATCH v7 02/10] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-05-08 0:14 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 2/10] " Paul Moore
2026-05-07 19:13 ` [PATCH v7 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-05-08 0:35 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 3/10] " Paul Moore
2026-05-07 19:13 ` [PATCH v7 04/10] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-05-08 1:09 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 4/10] " Paul Moore
2026-05-07 19:13 ` [PATCH v7 05/10] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-05-13 18:36 ` [PATCH v7 5/10] " Paul Moore
2026-05-07 19:14 ` [PATCH v7 06/10] security: Hornet LSM Blaise Boscaccy
2026-05-08 2:07 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 6/10] " Paul Moore
2026-05-07 19:14 ` [PATCH v7 07/10] hornet: Introduce gen_sig Blaise Boscaccy
2026-05-08 2:22 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 7/10] " Paul Moore
2026-05-07 19:14 ` [PATCH v7 08/10] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-05-08 2:35 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 8/10] " Paul Moore
2026-05-07 19:14 ` [PATCH v7 09/10] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2026-05-08 2:58 ` sashiko-bot
2026-05-13 18:36 ` [PATCH v7 9/10] " Paul Moore
2026-05-07 19:14 ` [PATCH v7 10/10] ipe: Add BPF program load policy enforcement via Hornet integration Blaise Boscaccy
2026-05-08 4:21 ` sashiko-bot
2026-05-08 18:40 ` Fan Wu
2026-05-13 18:36 ` Paul Moore
2026-05-07 20:57 ` [PATCH v7 00/10] Reintroduce Hornet LSM Paul Moore
2026-05-07 21:58 ` Eric Biggers [this message]
2026-05-07 22:22 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260507215841.GA440717@google.com \
--to=ebiggers@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=foster.ryan.r@gmail.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=rdunlap@infradead.org \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=wufan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.