From: Song Liu <song@kernel.org>
To: <bpf@vger.kernel.org>, <fsverity@lists.linux.dev>
Cc: <ast@kernel.org>, <daniel@iogearbox.net>, <andrii@kernel.org>,
<martin.lau@kernel.org>, <kernel-team@meta.com>,
<ebiggers@kernel.org>, <tytso@mit.edu>,
<roberto.sassu@huaweicloud.com>, Song Liu <song@kernel.org>
Subject: [PATCH bpf-next 0/5] bpf: file verification with LSM and fsverity
Date: Fri, 13 Oct 2023 11:26:39 -0700
Message-ID: <20231013182644.2346458-1-song@kernel.org>
This set enables file verification with BPF LSM and fsverity.

In this solution, fsverity is used to provide reliable and efficient hashes
of files; and BPF LSM is used to implement signature verification (against
asymmetric keys), and to enforce access control.

This solution can be used to implement access control in complicated cases.
For example: only signed python binaries and signed python scripts can access
special files/devices/ports.
Thanks,
Song
Song Liu (5):
bpf: Add kfunc bpf_get_file_xattr
bpf, fsverity: Add kfunc bpf_get_fsverity_digest
selftests/bpf: Sort config in alphabetic order
selftests/bpf: Add tests for filesystem kfuncs
selftests/bpf: Add test that use fsverity and xattr to sign a file
fs/verity/measure.c | 66 +++++++
include/linux/bpf.h | 12 ++
kernel/trace/bpf_trace.c | 44 +++++
tools/testing/selftests/bpf/bpf_kfuncs.h | 10 ++
tools/testing/selftests/bpf/config | 3 +-
.../selftests/bpf/prog_tests/fs_kfuncs.c | 132 ++++++++++++++
.../bpf/prog_tests/verify_pkcs7_sig.c | 163 +++++++++++++++++-
.../selftests/bpf/progs/test_fsverity.c | 46 +++++
.../selftests/bpf/progs/test_get_xattr.c | 39 +++++
.../selftests/bpf/progs/test_sig_in_xattr.c | 84 +++++++++
.../bpf/progs/test_verify_pkcs7_sig.c | 8 +-
.../testing/selftests/bpf/verify_sig_setup.sh | 25 +++
12 files changed, 623 insertions(+), 9 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
create mode 100644 tools/testing/selftests/bpf/progs/test_fsverity.c
create mode 100644 tools/testing/selftests/bpf/progs/test_get_xattr.c
create mode 100644 tools/testing/selftests/bpf/progs/test_sig_in_xattr.c
--
2.34.1
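The cover letter above relies on the fsverity file digest as the "reliable and efficient hash" that the BPF LSM then checks a signature against. To make concrete what that digest actually is, here is an added example (not part of this patch set and not kernel code) that recomputes it in pure Python from the documented fsverity layout: SHA-256 over 4096-byte blocks, a Merkle tree whose upper levels pack child hashes into zero-padded blocks, and a 256-byte fsverity_descriptor whose SHA-256 is the file digest. The salt handling follows the documented format but is an assumption of this example; the allowlist check at the end is a stand-in for the PKCS#7 signature verification the series performs in the BPF LSM program, since the Python standard library has no asymmetric-key primitives. Sample inputs are constructed inline.

```python
import hashlib
import struct

BLOCK_SIZE = 4096                    # fsverity default data/tree block size
LOG_BLOCKSIZE = 12                   # log2(BLOCK_SIZE)
HASH_SIZE = 32                       # SHA-256 digest size
FS_VERITY_HASH_ALG_SHA256 = 1        # hash_algorithm value in the descriptor


def _hash_block(block: bytes, salt: bytes = b"") -> bytes:
    """Hash one data or tree block: zero-pad to BLOCK_SIZE, prepend salt."""
    assert len(block) <= BLOCK_SIZE
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()


def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Root hash of the fsverity Merkle tree over `data`.

    Level 0 holds one hash per data block; each higher level hashes blocks
    made of the concatenated hashes of the level below, until one block is
    left.  An empty file has an all-zero root hash.
    """
    if len(data) == 0:
        return b"\0" * HASH_SIZE
    level = [_hash_block(data[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(data), BLOCK_SIZE)]
    while len(level) > 1:
        packed = b"".join(level)
        level = [_hash_block(packed[i:i + BLOCK_SIZE], salt)
                 for i in range(0, len(packed), BLOCK_SIZE)]
    return level[0]


def fsverity_descriptor(data_size: int, root_hash: bytes, salt: bytes = b"") -> bytes:
    """Build the 256-byte fsverity_descriptor (version 1, SHA-256)."""
    assert len(salt) <= 32
    return struct.pack(
        "<BBBBIQ64s32s144s",
        1,                            # version
        FS_VERITY_HASH_ALG_SHA256,    # hash_algorithm
        LOG_BLOCKSIZE,                # log_blocksize
        len(salt),                    # salt_size
        0,                            # __reserved_0x04
        data_size,                    # data_size (little-endian u64)
        root_hash.ljust(64, b"\0"),   # root_hash, zero-padded to 64 bytes
        salt.ljust(32, b"\0"),        # salt, zero-padded to 32 bytes
        b"\0" * 144,                  # __reserved
    )


def fsverity_digest(data: bytes, salt: bytes = b"") -> bytes:
    """The fsverity file digest: SHA-256 of the descriptor, not of the data."""
    desc = fsverity_descriptor(len(data), merkle_root(data, salt), salt)
    assert len(desc) == 256
    return hashlib.sha256(desc).digest()


def is_allowed(data: bytes, allowed_digests: set) -> bool:
    """Stand-in for the LSM policy decision.

    In the patch set the digest is obtained in-kernel and a detached
    signature over it (stored in an xattr) is verified against a keyring;
    here, for illustration, the digest is simply matched against an
    allowlist (constructed by the caller).
    """
    return fsverity_digest(data) in allowed_digests


if __name__ == "__main__":
    # Constructed sample "files": a one-block script and a multi-block binary.
    script = b"#!/usr/bin/python3\nprint('hello')\n"
    binary = b"\x7fELF" + b"\x90" * 10000
    trusted = {fsverity_digest(script)}
    print("script digest:", fsverity_digest(script).hex())
    print("binary digest:", fsverity_digest(binary).hex())
    print("script allowed:", is_allowed(script, trusted))   # True
    print("binary allowed:", is_allowed(binary, trusted))   # False
```

Because the digest covers the descriptor (data size, block size, root hash), any change to the file, including appending bytes, produces a different digest, which is what makes a signature over this single 32-byte value a stable commitment to the whole file once fsverity is enabled on it.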