linux-doc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: KP Singh <kpsingh@kernel.org>
Cc: bboscaccy@linux.microsoft.com,
	James.Bottomley@hansenpartnership.com,  bpf@vger.kernel.org,
	code@tyhicks.com, corbet@lwn.net, davem@davemloft.net,
	 dhowells@redhat.com, gnoack@google.com,
	herbert@gondor.apana.org.au,  jarkko@kernel.org,
	jmorris@namei.org, jstancek@redhat.com,  justinstitt@google.com,
	keyrings@vger.kernel.org,  linux-crypto@vger.kernel.org,
	linux-doc@vger.kernel.org,  linux-kbuild@vger.kernel.org,
	linux-kernel@vger.kernel.org,  linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org,  llvm@lists.linux.dev,
	masahiroy@kernel.org, mic@digikod.net, morbo@google.com,
	 nathan@kernel.org, neal@gompa.dev,
	nick.desaulniers+lkml@gmail.com,  nicolas@fjasle.eu,
	nkapron@google.com, roberto.sassu@huawei.com,  serge@hallyn.com,
	shuah@kernel.org, teknoraver@meta.com,  xiyou.wangcong@gmail.com,
	kysrinivasan@gmail.com,
	 Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v3 0/4] Introducing Hornet LSM
Date: Fri, 16 May 2025 15:49:16 -0400	[thread overview]
Message-ID: <CAHC9VhTeFBhdagvw4cT3EvA72EYCfAn6ToptpE9PWipG9YLrFw@mail.gmail.com> (raw)
In-Reply-To: <CACYkzJ4+=3owK+ELD9Nw7Rrm-UajxXEw8kVtOTJJ+SNAXpsOpw@mail.gmail.com>

On Wed, May 14, 2025 at 2:48 PM KP Singh <kpsingh@kernel.org> wrote:
> On Wed, May 14, 2025 at 5:06 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Sat, May 10, 2025 at 10:01 PM KP Singh <kpsingh@kernel.org> wrote:
> > >
> >
> > ...
> >
> > > The signature check in the verifier (during BPF_PROG_LOAD):
> > >
> > >     verify_pkcs7_signature(prog->aux->sha, sizeof(prog->aux->sha),
> > > sig_from_bpf_attr, …);
> >
> > I think we still need to clarify the authorization aspect of your
> > proposed design.
> >
> > Working under the assumption that the core BPF kernel code doesn't
> > want to enforce any restrictions, or at least as few as possible ...
>
> The assumption is not true, I should have clarified it in the original
> design. With the UAPI / bpf_attr the bpf syscall is simply denied if
> the signature does not verify, so we don't need any LSM logic for
> this. There is really no point in continuing as signature verification
> is a part of the API contract when the user passes the sig, keyring in
> the bpf syscall.

I think we need some clarification on a few of these details, it would
be good if you could answer the questions below about the
authorization aspects of your design?

* Is the signature validation code in the BPF verifier *always* going
to be enforced when a signature is passed in from userspace?  In other
words, in your design is there going to be either a kernel build time
or runtime configuration knob that could selectively enable (or
disable) signature verification in the BPF verifier?

* In the case where the signature validation code in the BPF verifier
is active, what happens when a signature is *not* passed in from
userspace?  Will the BPF verifier allow the program load to take
place?  Will the load operation be blocked?  Will the load operation
be subject to a more granular policy, and if so, how do you plan to
incorporate that policy decision into the BPF program load path?

-- 
paul-moore.com

  reply	other threads:[~2025-05-16 19:49 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-02 18:44 [PATCH v3 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 1/4] security: " Blaise Boscaccy
2025-05-04 15:02   ` Paul Moore
2025-05-02 18:44 ` [PATCH v3 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 4/4] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-05-02 21:00 ` [PATCH v3 0/4] Introducing " KP Singh
2025-05-04 17:36   ` Paul Moore
2025-05-04 23:25     ` KP Singh
2025-05-05 16:22       ` Paul Moore
2025-05-11  2:01       ` KP Singh
2025-05-14  3:06         ` Paul Moore
2025-05-14 18:48           ` KP Singh
2025-05-16 19:49             ` Paul Moore [this message]
2025-05-16 23:49               ` Alexei Starovoitov
2025-05-17 15:02                 ` Paul Moore
2025-05-17 16:13                   ` Alexei Starovoitov
2025-05-18  5:48                     ` Paul Moore
2025-05-18 15:52                       ` Alexei Starovoitov
2025-05-18 21:34                         ` Paul Moore
2025-05-19 22:20                           ` KP Singh
2025-05-19 22:58                             ` Paul Moore
2025-05-21 22:26                               ` Paul Moore
2025-05-19 23:00                             ` Zvi Effron
2025-05-19 23:42                               ` KP Singh
2025-05-14 15:39         ` James Bottomley
2025-05-14 17:17           ` KP Singh
2025-05-14 17:45             ` James Bottomley
2025-05-14 18:35               ` KP Singh
2025-05-14 18:35                 ` KP Singh
2025-05-14 20:31                 ` James Bottomley
2025-05-14 20:41                   ` KP Singh
2025-05-05  9:22     ` Daniel Borkmann
2025-05-05 17:30   ` Blaise Boscaccy
2025-05-05 20:41     ` KP Singh
2025-05-05 21:04       ` Paul Moore
2025-05-07 17:48       ` James Bottomley
2025-05-07 23:21         ` Paul Moore
2025-05-08 17:44           ` Alexei Starovoitov
2025-05-08 19:23             ` Paul Moore
2025-05-11  2:14               ` KP Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhTeFBhdagvw4cT3EvA72EYCfAn6ToptpE9PWipG9YLrFw@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=code@tyhicks.com \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=gnoack@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=jstancek@redhat.com \
    --cc=justinstitt@google.com \
    --cc=keyrings@vger.kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=kysrinivasan@gmail.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=masahiroy@kernel.org \
    --cc=mic@digikod.net \
    --cc=morbo@google.com \
    --cc=nathan@kernel.org \
    --cc=neal@gompa.dev \
    --cc=nick.desaulniers+lkml@gmail.com \
    --cc=nicolas@fjasle.eu \
    --cc=nkapron@google.com \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=shuah@kernel.org \
    --cc=teknoraver@meta.com \
    --cc=torvalds@linux-foundation.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).