From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: KP Singh <kpsingh@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>,
bboscaccy@linux.microsoft.com, bpf@vger.kernel.org,
code@tyhicks.com, corbet@lwn.net, davem@davemloft.net,
dhowells@redhat.com, gnoack@google.com,
herbert@gondor.apana.org.au, jarkko@kernel.org,
jmorris@namei.org, jstancek@redhat.com, justinstitt@google.com,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-security-module@vger.kernel.org, llvm@lists.linux.dev,
masahiroy@kernel.org, mic@digikod.net, morbo@google.com,
nathan@kernel.org, neal@gompa.dev,
nick.desaulniers+lkml@gmail.com, nicolas@fjasle.eu,
nkapron@google.com, roberto.sassu@huawei.com, serge@hallyn.com,
shuah@kernel.org, teknoraver@meta.com, xiyou.wangcong@gmail.com,
kysrinivasan@gmail.com,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v3 0/4] Introducing Hornet LSM
Date: Wed, 14 May 2025 13:45:09 -0400 [thread overview]
Message-ID: <4f92fcfaeffd179ff6ae265822dc79856310d6a3.camel@HansenPartnership.com> (raw)
In-Reply-To: <CACYkzJ5XJOj08+hKheWDcqbPrFAwa+fFvOw+4QPAHBz1u2HgAg@mail.gmail.com>
On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> On Wed, May 14, 2025 at 5:39 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
[...]
> > > This implicitly makes the payload equivalent to the signed block
> > > (B_signed)
> > >
> > > I_loader || H_meta
> > >
> > > bpftool then generates the signature of this I_loader payload
> > > (which now contains the expected H_meta) using a key (system or
> > > user) with new flags that work in combination with bpftool -L
> >
> > Could I just push back a bit on this. The theory of hash chains
> > (which I've cut to shorten) is about pure data structures. The
> > reason for that is that the entire hash chain is supposed to be
> > easily independently verifiable in any environment because anything
> > can compute the hashes of the blocks and links. This independent
> > verification of the chain is key to formally proving hash chains to
> > be correct. In your proposal we lose the easy verifiability
> > because the link hash is embedded in the ebpf loader program which
> > has to be disassembled to do the extraction of the hash and verify
> > the loader is actually checking it.
>
> I am not sure I understand your concern. This is something that can
> easily be built into tooling / annotations.
>
> bpftool -S -v <verification_key> <loader> <metadata>
>
> Could you explain what's the use-case for "easy verifiability".
I mean verifiability of the hash chain link. Given a signed program,
(i.e. a .h file which is generated by bpftool) which is a signature
over the loader only how would one use simple cryptographic operations
to verify it?
>
> > I was looking at ways we could use a pure hash chain (i.e.
> > signature over loader and real map hash) and it does strike me that
> > the above ebpf hash verification code is pretty invariant and easy
> > to construct, so it could run as a separate BPF fragment that then
> > jumps to the real loader. In that case, it could be constructed on
> > the fly in a trusted environment, like the kernel, from the link
> > hash in the signature and the signature could just be Sig(loader ||
> > map hash) which can then be
>
> The design I proposed does the same thing:
>
> Sig(loader || H_metadata)
>
> metadata is actually the data (programs, context etc) that's passed
> in the map. The verification just happens in the loader program and
> the loader || H_metadata is implemented elegantly to avoid any
> separate payloads.
OK, so I think this is the crux of the problem: In formal methods
proving the validity of a data based hash link is an easy set of
cryptographic operations. You can assert that's equivalent to a
signature over a program that verifies the hash, but formally proving
it requires a formal analysis of the program to show that 1) it
contains the correct hash and 2) it correctly checks the hash against
the map. That makes the task of someone receiving the .h file
containing the signed skeleton way harder: it's easy to prove the
signature matches the loader instructions, but they still have to prove
the instructions contain and verify the correct map hash.
Regards,
James
next prev parent reply other threads:[~2025-05-14 17:45 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-02 18:44 [PATCH v3 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 1/4] security: " Blaise Boscaccy
2025-05-04 15:02 ` Paul Moore
2025-05-02 18:44 ` [PATCH v3 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 4/4] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-05-02 21:00 ` [PATCH v3 0/4] Introducing " KP Singh
2025-05-04 17:36 ` Paul Moore
2025-05-04 23:25 ` KP Singh
2025-05-05 16:22 ` Paul Moore
2025-05-11 2:01 ` KP Singh
2025-05-14 3:06 ` Paul Moore
2025-05-14 18:48 ` KP Singh
2025-05-16 19:49 ` Paul Moore
2025-05-16 23:49 ` Alexei Starovoitov
2025-05-17 15:02 ` Paul Moore
2025-05-17 16:13 ` Alexei Starovoitov
2025-05-18 5:48 ` Paul Moore
2025-05-18 15:52 ` Alexei Starovoitov
2025-05-18 21:34 ` Paul Moore
2025-05-19 22:20 ` KP Singh
2025-05-19 22:58 ` Paul Moore
2025-05-21 22:26 ` Paul Moore
2025-05-19 23:00 ` Zvi Effron
2025-05-19 23:42 ` KP Singh
2025-05-14 15:39 ` James Bottomley
2025-05-14 17:17 ` KP Singh
2025-05-14 17:45 ` James Bottomley [this message]
2025-05-14 18:35 ` KP Singh
2025-05-14 18:35 ` KP Singh
2025-05-14 20:31 ` James Bottomley
2025-05-14 20:41 ` KP Singh
2025-05-05 9:22 ` Daniel Borkmann
2025-05-05 17:30 ` Blaise Boscaccy
2025-05-05 20:41 ` KP Singh
2025-05-05 21:04 ` Paul Moore
2025-05-07 17:48 ` James Bottomley
2025-05-07 23:21 ` Paul Moore
2025-05-08 17:44 ` Alexei Starovoitov
2025-05-08 19:23 ` Paul Moore
2025-05-11 2:14 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f92fcfaeffd179ff6ae265822dc79856310d6a3.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=code@tyhicks.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=jstancek@redhat.com \
--cc=justinstitt@google.com \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=kysrinivasan@gmail.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=mic@digikod.net \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=neal@gompa.dev \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas@fjasle.eu \
--cc=nkapron@google.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=teknoraver@meta.com \
--cc=torvalds@linux-foundation.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox