From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
kpsingh@kernel.org, bboscaccy@linux.microsoft.com,
paul@paul-moore.com, kys@microsoft.com, ast@kernel.org,
daniel@iogearbox.net, andrii@kernel.org,
James.Bottomley@hansenpartnership.com, wufan@linux.microsoft.com
Subject: [RFC 0/2] BPF signature hash chains
Date: Tue, 9 Sep 2025 09:20:57 -0700 [thread overview]
Message-ID: <20250909162345.569889-1-bboscaccy@linux.microsoft.com> (raw)
This patchset extends the currently proposed signature verification
patchset
https://lore.kernel.org/linux-security-module/20250813205526.2992911-1-kpsingh@kernel.org/
with hash-chain functionality to verify the contents of arbitrary maps.
The currently proposed loader + map signature verification
scheme—requested by Alexei and KP—is simple to implement and
acceptable if users/admins are satisfied with it. However, verifying
both the loader and the maps offers additional benefits beyond just
verifying the loader:
1. Simplified Loader Logic: The lskel loader becomes simpler since it
doesn’t need to verify program maps—this is already handled by
bpf_check_signature().
2. Security and Audit Integrity: A key advantage is that the LSM
(Linux Security Module) hook for authorizing BPF program loads can
operate after signature verification. This ensures:
* Access control decisions can be based on verified signature status.
* Accurate system state measurement and logging.
* Log events claiming a verified signature are fully truthful,
avoiding misleading entries that only the loader was verified
while the actual BPF program verification happens later without
logging.
This approach addresses concerns from users who require strict audit
trails and verification guarantees, especially in security-sensitive
environments.
A working tree with this patchset is being maintained at
https://github.com/blaiseboscaccy/linux/tree/bpf-hash-chains
Blaise Boscaccy (2):
bpf: Add hash chain signature support for arbitrary maps
libbpf: Add hash chain signing support to light skeletons.
include/uapi/linux/bpf.h | 6 +++
kernel/bpf/syscall.c | 75 ++++++++++++++++++++++++++++++++--
tools/bpf/bpftool/gen.c | 25 ++++++++++++
tools/bpf/bpftool/main.c | 8 +++-
tools/bpf/bpftool/main.h | 1 +
tools/bpf/bpftool/sign.c | 17 ++++++--
tools/include/uapi/linux/bpf.h | 6 +++
tools/lib/bpf/libbpf.h | 3 +-
tools/lib/bpf/skel_internal.h | 6 ++-
9 files changed, 137 insertions(+), 10 deletions(-)
--
2.48.1
next reply other threads:[~2025-09-09 16:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 16:20 Blaise Boscaccy [this message]
2025-09-09 16:20 ` [RFC 1/2] bpf: Add hash chain signature support for arbitrary maps Blaise Boscaccy
2025-09-09 16:20 ` [RFC 2/2] libbpf: Add hash chain signing support to light skeletons Blaise Boscaccy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250909162345.569889-1-bboscaccy@linux.microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=kys@microsoft.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=wufan@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox