From: Ryan Foster <foster.ryan.r@gmail.com>
To: bboscaccy@linux.microsoft.com
Cc: James.Bottomley@HansenPartnership.com, akpm@linux-foundation.org,
bpf@vger.kernel.org, corbet@lwn.net, dhowells@redhat.com,
gnoack@google.com, jmorris@namei.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux@treblig.org,
mic@digikod.net, paul@paul-moore.com, serge@hallyn.com,
Ryan <foster.ryan.r@gmail.com>
Subject: Re: [RFC 00/11] Reintroduce Hornet LSM
Date: Mon, 15 Dec 2025 09:45:50 -0800 [thread overview]
Message-ID: <20251215174550.19519-1-foster.ryan.r@gmail.com> (raw)
In-Reply-To: <20251211021257.1208712-1-bboscaccy@linux.microsoft.com>
From: Ryan <foster.ryan.r@gmail.com>
Hi all,
I want to confirm I understand the current semantics, and specific issues this series is addressing.
In the signed BPF two step flow, the LSM makes decisions using what is known at the time of run hooks. At load time, the only clear fact is "the loader is signed". However, if we really want integrity for "the final program that will execute after relocation, and any inputs as part of the contract, matches what was signed". The fact exists after loader runs, so the kernel could end up allowing and auditing based on the signed loader, even though it cannot yet truthfully say the runnable payload has been verified.
If this is the right understanding, perhaps we could consider a design that moves enforcement to the moment the program becomes effective. E.g. Load can create a program object, but it is inert by default. The kernel should only allow attach or link creation if the kernel has already recorded a verified record of the final relocated instruction stream plus referenced state for inputs, is included in the "integrity contract".
If the referenced state is mutable, then either state must be frozen before the contract is verified, or any mutation must invalidate verified and force re-verification and a new policy decision. Otherwise the state is susceptible to TOCTOU issues.
Is this the semantic goal Hornet is aiming for, and is attach or link creation the intended enforcement point for the "cannot become effective until verified" rule, instead of trying to make a load time hook represent final payload verification?
Thanks,
Ryan
prev parent reply other threads:[~2025-12-15 17:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-11 2:11 [RFC 00/11] Reintroduce Hornet LSM Blaise Boscaccy
2025-12-11 2:11 ` [RFC 01/11] lsm: framework for BPF integrity verification Blaise Boscaccy
2025-12-11 2:11 ` [RFC 02/11] oid_registry: allow arbitrary size OIDs Blaise Boscaccy
2025-12-11 2:11 ` [RFC 03/11] certs: break out pkcs7 check into its own function Blaise Boscaccy
2025-12-11 2:11 ` [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2025-12-11 2:12 ` [RFC 05/11] crypto: pkcs7: allow pkcs7_digest() to be called from pkcs7_trust Blaise Boscaccy
2025-12-11 2:12 ` [RFC 06/11] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2025-12-11 16:44 ` Randy Dunlap
2025-12-11 2:12 ` [RFC 07/11] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2025-12-11 2:12 ` [RFC 08/11] security: Hornet LSM Blaise Boscaccy
2025-12-11 20:07 ` Randy Dunlap
2025-12-12 21:00 ` Fan Wu
2025-12-11 2:12 ` [RFC 09/11] hornet: Introduce gen_sig Blaise Boscaccy
2025-12-11 2:12 ` [RFC 10/11] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2025-12-11 2:12 ` [RFC 11/11] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-12-12 9:45 ` [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block David Howells
2025-12-13 5:50 ` James Bottomley
2025-12-15 17:45 ` Ryan Foster [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251215174550.19519-1-foster.ryan.r@gmail.com \
--to=foster.ryan.r@gmail.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=akpm@linux-foundation.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).