From: KP Singh <kpsingh@kernel.org>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Paul Moore <paul@paul-moore.com>,
bboscaccy@linux.microsoft.com, bpf@vger.kernel.org,
code@tyhicks.com, corbet@lwn.net, davem@davemloft.net,
dhowells@redhat.com, gnoack@google.com,
herbert@gondor.apana.org.au, jarkko@kernel.org,
jmorris@namei.org, jstancek@redhat.com, justinstitt@google.com,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-security-module@vger.kernel.org, llvm@lists.linux.dev,
masahiroy@kernel.org, mic@digikod.net, morbo@google.com,
nathan@kernel.org, neal@gompa.dev,
nick.desaulniers+lkml@gmail.com, nicolas@fjasle.eu,
nkapron@google.com, roberto.sassu@huawei.com, serge@hallyn.com,
shuah@kernel.org, teknoraver@meta.com, xiyou.wangcong@gmail.com,
kysrinivasan@gmail.com,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v3 0/4] Introducing Hornet LSM
Date: Wed, 14 May 2025 20:35:52 +0200 [thread overview]
Message-ID: <CACYkzJ6hduH4X1wZywodNa3c13QVV=68CmxbpLK1MonuPwPtqw@mail.gmail.com> (raw)
In-Reply-To: <CACYkzJ7Oh62u7bHwQ_nOLG54qnhyNU9msF5mWV_vFrBXw1oZqw@mail.gmail.com>
On Wed, May 14, 2025 at 8:35 PM KP Singh <kpsingh@kernel.org> wrote:
>
> On Wed, May 14, 2025 at 7:45 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> >
> > On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> > > On Wed, May 14, 2025 at 5:39 PM James Bottomley
> > > <James.Bottomley@hansenpartnership.com> wrote:
> > > > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
> > [...]
> > > > > This implicitly makes the payload equivalent to the signed block
> > > > > (B_signed)
> > > > >
> > > > > I_loader || H_meta
> > > > >
> > > > > bpftool then generates the signature of this I_loader payload
> > > > > (which now contains the expected H_meta) using a key (system or
> > > > > user) with new flags that work in combination with bpftool -L
> > > >
> > > > Could I just push back a bit on this. The theory of hash chains
> > > > (which I've cut to shorten) is about pure data structures. The
> > > > reason for that is that the entire hash chain is supposed to be
> > > > easily independently verifiable in any environment because anything
> > > > can compute the hashes of the blocks and links. This independent
> > > > verification of the chain is key to formally proving hash chains to
> > > > be correct. In your proposal we lose the easy verifiability
> > > > because the link hash is embedded in the ebpf loader program which
> > > > has to be disassembled to do the extraction of the hash and verify
> > > > the loader is actually checking it.
> > >
> > > I am not sure I understand your concern. This is something that can
> > > easily be built into tooling / annotations.
> > >
> > > bpftool -S -v <verification_key> <loader> <metadata>
> > >
> > > Could you explain what's the use-case for "easy verifiability".
> >
> > I mean verifiability of the hash chain link. Given a signed program,
> > (i.e. a .h file which is generated by bpftool) which is a signature
> > over the loader only how would one use simple cryptographic operations
> > to verify it?
> >
>
> I literally just said it above the hash can be extracted if you really
> want offline verification. Are you saying this code is hard to write?
> or is the tooling hard to write? Do you have some definition of
> "simple cryptographic operations". All operations use tooling.
>
> >
> > >
> > > > I was looking at ways we could use a pure hash chain (i.e.
> > > > signature over loader and real map hash) and it does strike me that
> > > > the above ebpf hash verification code is pretty invariant and easy
> > > > to construct, so it could run as a separate BPF fragment that then
> > > > jumps to the real loader. In that case, it could be constructed on
> > > > the fly in a trusted environment, like the kernel, from the link
> > > > hash in the signature and the signature could just be Sig(loader ||
> > > > map hash) which can then be
> > >
> > > The design I proposed does the same thing:
> > >
> > > Sig(loader || H_metadata)
> > >
> > > metadata is actually the data (programs, context etc) that's passed
> > > in the map. The verification just happens in the loader program and
> > > the loader || H_metadata is implemented elegantly to avoid any
> > > separate payloads.
> >
> > OK, so I think this is the crux of the problem: In formal methods
> > proving the validity of a data based hash link is an easy set of
> > cryptographic operations. You can assert that's equivalent to a
> > signature over a program that verifies the hash, but formally proving
> > it requires a formal analysis of the program to show that 1) it
> > contains the correct hash and 2) it correctly checks the hash against
> > the map. That makes the task of someone receiving the .h file
> > containing the signed skeleton way harder: it's easy to prove the
> > signature matches the loader instructions, but they still have to prove
> > the instructions contain and verify the correct map hash.
> >
>
> I don't see this as a problem for 2 reasons:
>
> 1. It's not hard
> 2. Your typical user does not want to do formal verification and
> extract signatures etc.
>
> [1] alone is enough.
>
> The key user journey is:
>
> * Build the program and the metadata
> * Sign the blob once (as explained)
> * A simple API to verify the sequence of operations.
>
> The user builds a program and signs the blob, they sign it because it
> contains the hash of the metadata. It seems like you are optimizing
> for the formal researcher but not for the tooling. The user just needs
I meant not for the user.
> good tooling and a simple API which is exactly what was proposed.
>
> - KP
>
> > Regards,
> >
> > James
> >
> >
next prev parent reply other threads:[~2025-05-14 18:36 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-02 18:44 [PATCH v3 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 1/4] security: " Blaise Boscaccy
2025-05-04 15:02 ` Paul Moore
2025-05-02 18:44 ` [PATCH v3 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 4/4] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-05-02 21:00 ` [PATCH v3 0/4] Introducing " KP Singh
2025-05-04 17:36 ` Paul Moore
2025-05-04 23:25 ` KP Singh
2025-05-05 16:22 ` Paul Moore
2025-05-11 2:01 ` KP Singh
2025-05-14 3:06 ` Paul Moore
2025-05-14 18:48 ` KP Singh
2025-05-16 19:49 ` Paul Moore
2025-05-16 23:49 ` Alexei Starovoitov
2025-05-17 15:02 ` Paul Moore
2025-05-17 16:13 ` Alexei Starovoitov
2025-05-18 5:48 ` Paul Moore
2025-05-18 15:52 ` Alexei Starovoitov
2025-05-18 21:34 ` Paul Moore
2025-05-19 22:20 ` KP Singh
2025-05-19 22:58 ` Paul Moore
2025-05-21 22:26 ` Paul Moore
2025-05-19 23:00 ` Zvi Effron
2025-05-19 23:42 ` KP Singh
2025-05-14 15:39 ` James Bottomley
2025-05-14 17:17 ` KP Singh
2025-05-14 17:45 ` James Bottomley
2025-05-14 18:35 ` KP Singh
2025-05-14 18:35 ` KP Singh [this message]
2025-05-14 20:31 ` James Bottomley
2025-05-14 20:41 ` KP Singh
2025-05-05 9:22 ` Daniel Borkmann
2025-05-05 17:30 ` Blaise Boscaccy
2025-05-05 20:41 ` KP Singh
2025-05-05 21:04 ` Paul Moore
2025-05-07 17:48 ` James Bottomley
2025-05-07 23:21 ` Paul Moore
2025-05-08 17:44 ` Alexei Starovoitov
2025-05-08 19:23 ` Paul Moore
2025-05-11 2:14 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACYkzJ6hduH4X1wZywodNa3c13QVV=68CmxbpLK1MonuPwPtqw@mail.gmail.com' \
--to=kpsingh@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=code@tyhicks.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=jstancek@redhat.com \
--cc=justinstitt@google.com \
--cc=keyrings@vger.kernel.org \
--cc=kysrinivasan@gmail.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=mic@digikod.net \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=neal@gompa.dev \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas@fjasle.eu \
--cc=nkapron@google.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=teknoraver@meta.com \
--cc=torvalds@linux-foundation.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).