linux-doc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Randy Dunlap <rdunlap@infradead.org>
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Günther Noack" <gnoack@google.com>,
	"Dr. David Alan Gilbert" <linux@treblig.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	James.Bottomley@HansenPartnership.com, dhowells@redhat.com,
	linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [RFC 08/11] security: Hornet LSM
Date: Thu, 11 Dec 2025 12:07:16 -0800	[thread overview]
Message-ID: <f7e997ac-2312-4d18-96d7-d6abb190a5c3@infradead.org> (raw)
In-Reply-To: <20251211021257.1208712-9-bboscaccy@linux.microsoft.com>



On 12/10/25 6:12 PM, Blaise Boscaccy wrote:
> diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
> new file mode 100644
> index 0000000000000..0fb5920e9b68f
> --- /dev/null
> +++ b/Documentation/admin-guide/LSM/Hornet.rst
> @@ -0,0 +1,38 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +======
> +Hornet
> +======
> +
> +Hornet is a Linux Security Module that provides extensible signature
> +verification for eBPF programs. This is selectable at build-time with
> +``CONFIG_SECURITY_HORNET``.
> +
> +Overview
> +========
> +
> +Hornet addresses concerns from users who require strict audit
> +trails and verification guarantees, especially in security-sensitive
> +environments. Map hashes for extended verification are passed in via
> +the existing PKCS#7 uapi and verifified by the crypto

                                verified
and preferably         UAPI

> +subsystem. Hornet then calculates the verification state of the
> +program (full, partial, bad, etc) and then invokes a new downstream

                                etc.)

> +LSM hook to delegate policy decisions.
> +
> +Tooling
> +=======
> +
> +Some tooling is provided to aid with the development of signed eBPF
> +light-skeletons.
> +
> +extract-skel.sh
> +---------------
> +
> +This shell script extracts the instructions and map data used by the
> +light skeleton from the autogenerated header file created by bpftool.
> +
> +gen_sig
> +---------
> +
> +gen_sig creates a pkcs#7 signature of a data payload. Additionally it
> +appends a signed attribute containing a set of hashes.

-- 
~Randy


  reply	other threads:[~2025-12-11 20:07 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-11  2:11 [RFC 00/11] Reintroduce Hornet LSM Blaise Boscaccy
2025-12-11  2:11 ` [RFC 01/11] lsm: framework for BPF integrity verification Blaise Boscaccy
2025-12-11  2:11 ` [RFC 02/11] oid_registry: allow arbitrary size OIDs Blaise Boscaccy
2025-12-11  2:11 ` [RFC 03/11] certs: break out pkcs7 check into its own function Blaise Boscaccy
2025-12-11  2:11 ` [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2025-12-11  2:12 ` [RFC 05/11] crypto: pkcs7: allow pkcs7_digest() to be called from pkcs7_trust Blaise Boscaccy
2025-12-11  2:12 ` [RFC 06/11] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2025-12-11 16:44   ` Randy Dunlap
2025-12-11  2:12 ` [RFC 07/11] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2025-12-11  2:12 ` [RFC 08/11] security: Hornet LSM Blaise Boscaccy
2025-12-11 20:07   ` Randy Dunlap [this message]
2025-12-12 21:00   ` Fan Wu
2025-12-11  2:12 ` [RFC 09/11] hornet: Introduce gen_sig Blaise Boscaccy
2025-12-11  2:12 ` [RFC 10/11] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2025-12-11  2:12 ` [RFC 11/11] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-12-12  9:45 ` [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block David Howells
2025-12-13  5:50   ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7e997ac-2312-4d18-96d7-d6abb190a5c3@infradead.org \
    --to=rdunlap@infradead.org \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=akpm@linux-foundation.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=corbet@lwn.net \
    --cc=dhowells@redhat.com \
    --cc=gnoack@google.com \
    --cc=jmorris@namei.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux@treblig.org \
    --cc=mic@digikod.net \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).