Linux Security Modules development
* [PATCH 0/3] hornet: post-TOCTOU-fix cleanup and observability
@ 2026-06-02 20:23 Blaise Boscaccy
From: Blaise Boscaccy @ 2026-06-02 20:23 UTC
  To: Paul Moore, Fan Wu, Blaise Boscaccy, linux-security-module

This is a small follow-up series tying up loose ends from
commit cf5d6b993a43 ("hornet: fix TOCTOU in signed program
verification").

Patch 1 adds a pr_notice() when hornet_check_prog_maps()
rejects a load due to a map hash mismatch. The denial path
was previously silent; this makes policy denials observable
in the kernel log without changing enforcement behavior.

Patch 2 removes LSM_INT_VERDICT_UNEXPECTED from the
lsm_integrity_verdict enum and from IPE's bpf_signature
property. The TOCTOU fix collapsed the "unexpected map hash"
case into the existing BADSIG path, so UNEXPECTED is no
longer produced by any LSM. Removing the orphan enum value
and its IPE plumbing (audit string, property enum entry,
policy parser token, evaluator case, documentation) keeps
the verdict surface consistent with what providers actually
emit.

Patch 3 updates the signing-workflow documentation in
Documentation/admin-guide/LSM/Hornet.rst. gen_sig no longer
takes per-map indices after the TOCTOU fix, so the example
invocation is corrected to drop the ":0" suffix on --add.

No functional change to enforcement; observability +
cleanup only.

Blaise Boscaccy (3):
  hornet: log map hash check failures in prog map validation
  security, ipe: Remove LSM_INT_VERDICT_UNEXPECTED support
  hornet: update signing workflow documentation

 Documentation/admin-guide/LSM/Hornet.rst | 5 +----
 Documentation/admin-guide/LSM/ipe.rst    | 6 +-----
 Documentation/security/ipe.rst           | 3 +--
 include/linux/security.h                 | 1 -
 security/hornet/hornet_lsm.c             | 1 +
 security/ipe/audit.c                     | 1 -
 security/ipe/eval.c                      | 2 --
 security/ipe/policy.h                    | 1 -
 security/ipe/policy_parser.c             | 2 --
 9 files changed, 4 insertions(+), 18 deletions(-)

--
2.53.0



* [PATCH 1/3] hornet: log map hash check failures in prog map validation
From: Blaise Boscaccy @ 2026-06-02 20:23 UTC
  To: Paul Moore, Fan Wu, Blaise Boscaccy, linux-security-module

Add a pr_notice() before returning -EPERM when
hornet_check_prog_maps() fails to find a matching map hash.

This makes policy denials observable in kernel logs and improves
triage/debuggability of rejected BPF program loads without changing
enforcement behavior.

Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
 security/hornet/hornet_lsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
index eeb422db1092d..fe133a0e8a11a 100644
--- a/security/hornet/hornet_lsm.c
+++ b/security/hornet/hornet_lsm.c
@@ -221,6 +221,7 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 		}
 		if (!found) {
 			mutex_unlock(&prog->aux->used_maps_mutex);
+			pr_notice("hornet: map hash check failed");
 			return -EPERM;
 		}
 	}
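Review bot: the log line carries no context, so a triager sees "map hash check failed" but not which program or which map was rejected, and it lacks the trailing "\n" that printk lines conventionally end with. The surrounding loop holds used_maps_mutex and is walking the program's used maps, so the id of the map that was not found and the program name from prog->aux are both at hand; something like `pr_notice_ratelimited("hornet: map hash check failed for prog %s\n", ...)` would make the denial actionable and, being ratelimited, would keep a loader that retries rejected loads in a loop from flooding the log. Also check whether hornet_lsm.c defines pr_fmt: if it does, the literal "hornet: " prefix here is doubled.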
-- 
2.53.0



* [PATCH 2/3] security, ipe: Remove LSM_INT_VERDICT_UNEXPECTED support
From: Blaise Boscaccy @ 2026-06-02 20:23 UTC
  To: Paul Moore, Fan Wu, Blaise Boscaccy, linux-security-module

After commit cf5d6b993a43 ("hornet: fix TOCTOU in signed program
verification") LSM_INT_VERDICT_UNEXPECTED was no longer being produced
by any LSMs. Remove support for the orphaned enum value from IPE and
the set of possible verdicts.

Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
 Documentation/admin-guide/LSM/Hornet.rst | 3 ---
 Documentation/admin-guide/LSM/ipe.rst    | 6 +-----
 Documentation/security/ipe.rst           | 3 +--
 include/linux/security.h                 | 1 -
 security/ipe/audit.c                     | 1 -
 security/ipe/eval.c                      | 2 --
 security/ipe/policy.h                    | 1 -
 security/ipe/policy_parser.c             | 2 --
 8 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
index a369bc11408f4..13dcf686ead71 100644
--- a/Documentation/admin-guide/LSM/Hornet.rst
+++ b/Documentation/admin-guide/LSM/Hornet.rst
@@ -47,9 +47,6 @@ make policy decisions based on the verification outcome:
 ``LSM_INT_VERDICT_FAULT``
   A system error occurred during verification.
 
-``LSM_INT_VERDICT_UNEXPECTED``
-  An unexpected map hash value was encountered.
-
 ``LSM_INT_VERDICT_BADSIG``
   The signature or a map hash failed verification.
 
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
index d68ba9d98859e..a525b4cbb4f09 100644
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -736,7 +736,7 @@ bpf_signature
    ``IPE_PROP_BPF_SIGNATURE`` config option.
    The format of this property is::
 
-      bpf_signature=(NONE|OK|UNSIGNED|PARTIALSIG|UNKNOWNKEY|UNEXPECTED|FAULT|BADSIG)
+      bpf_signature=(NONE|OK|UNSIGNED|PARTIALSIG|UNKNOWNKEY|FAULT|BADSIG)
 
    The possible values correspond to the integrity verdicts from Hornet:
 
@@ -762,10 +762,6 @@ bpf_signature
 
          The keyring requested by the user is invalid.
 
-      ``UNEXPECTED``
-
-         An unexpected map hash value was encountered during verification.
-
       ``FAULT``
 
          A system error occurred during signature verification.
diff --git a/Documentation/security/ipe.rst b/Documentation/security/ipe.rst
index c51dcb16a377b..6a8d28a1b6be0 100644
--- a/Documentation/security/ipe.rst
+++ b/Documentation/security/ipe.rst
@@ -439,8 +439,7 @@ The hook flow is:
      ``attr->fd_array``. The function produces one of
      ``LSM_INT_VERDICT_OK``, ``LSM_INT_VERDICT_UNSIGNED``,
      ``LSM_INT_VERDICT_BADSIG``, ``LSM_INT_VERDICT_PARTIALSIG``,
-     ``LSM_INT_VERDICT_UNKNOWNKEY``, ``LSM_INT_VERDICT_UNEXPECTED``, or
-     ``LSM_INT_VERDICT_FAULT``.
+     ``LSM_INT_VERDICT_UNKNOWNKEY``, or ``LSM_INT_VERDICT_FAULT``.
   3. Hornet calls ``security_bpf_prog_load_post_integrity()`` with the
      resulting verdict and its ``lsm_id``. IPE's
      ``ipe_bpf_prog_load_post_integrity`` handler does **not** enforce
diff --git a/include/linux/security.h b/include/linux/security.h
index 598cd2eb1dcd5..2476ece76db73 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -107,7 +107,6 @@ enum lsm_integrity_verdict {
 	LSM_INT_VERDICT_UNSIGNED,
 	LSM_INT_VERDICT_PARTIALSIG,
 	LSM_INT_VERDICT_UNKNOWNKEY,
-	LSM_INT_VERDICT_UNEXPECTED,
 	LSM_INT_VERDICT_FAULT,
 	LSM_INT_VERDICT_BADSIG,
 };
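Review bot: deleting LSM_INT_VERDICT_UNEXPECTED from the middle of the enum renumbers LSM_INT_VERDICT_FAULT and LSM_INT_VERDICT_BADSIG. That is harmless for in-tree consumers using the symbolic names, but the verdict is passed to security_bpf_prog_load_post_integrity() as a hook argument, so confirm that no BPF LSM program or out-of-tree module compares against the old integer values; if that is a concern, keeping the value as a reserved placeholder rather than removing it avoids the renumbering.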
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index 77bbf04d950bd..a2ae22cbc61ed 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -69,7 +69,6 @@ static const char *const audit_prop_names[__IPE_PROP_MAX] = {
 	"bpf_signature=UNSIGNED",
 	"bpf_signature=PARTIALSIG",
 	"bpf_signature=UNKNOWNKEY",
-	"bpf_signature=UNEXPECTED",
 	"bpf_signature=FAULT",
 	"bpf_signature=BADSIG",
 	"bpf_keyring=BUILTIN",
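Review bot: audit_prop_names is indexed positionally by enum ipe_prop_type, so this deletion is only correct because the matching IPE_PROP_BPF_SIG_UNEXPECTED line leaves policy.h in the same patch; a removal on one side without the other would shift every later label and mislabel audit records. Designated initializers (`[IPE_PROP_BPF_SIG_FAULT] = "bpf_signature=FAULT"`, and so on) would make the table immune to that kind of drift.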
diff --git a/security/ipe/eval.c b/security/ipe/eval.c
index 23ae1edf896b0..58a168e9ebe2b 100644
--- a/security/ipe/eval.c
+++ b/security/ipe/eval.c
@@ -374,8 +374,6 @@ static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
 		return evaluate_bpf_sig(ctx, LSM_INT_VERDICT_PARTIALSIG);
 	case IPE_PROP_BPF_SIG_UNKNOWNKEY:
 		return evaluate_bpf_sig(ctx, LSM_INT_VERDICT_UNKNOWNKEY);
-	case IPE_PROP_BPF_SIG_UNEXPECTED:
-		return evaluate_bpf_sig(ctx, LSM_INT_VERDICT_UNEXPECTED);
 	case IPE_PROP_BPF_SIG_FAULT:
 		return evaluate_bpf_sig(ctx, LSM_INT_VERDICT_FAULT);
 	case IPE_PROP_BPF_SIG_BADSIG:
diff --git a/security/ipe/policy.h b/security/ipe/policy.h
index 748bea92beb19..ba4f529da7d72 100644
--- a/security/ipe/policy.h
+++ b/security/ipe/policy.h
@@ -45,7 +45,6 @@ enum ipe_prop_type {
 	IPE_PROP_BPF_SIG_UNSIGNED,
 	IPE_PROP_BPF_SIG_PARTIALSIG,
 	IPE_PROP_BPF_SIG_UNKNOWNKEY,
-	IPE_PROP_BPF_SIG_UNEXPECTED,
 	IPE_PROP_BPF_SIG_FAULT,
 	IPE_PROP_BPF_SIG_BADSIG,
 	IPE_PROP_BPF_KEYRING_BUILTIN,
diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c
index 71f63de56616b..b2b807620d89a 100644
--- a/security/ipe/policy_parser.c
+++ b/security/ipe/policy_parser.c
@@ -287,7 +287,6 @@ static const match_table_t property_tokens = {
 	{IPE_PROP_BPF_SIG_UNSIGNED,	"bpf_signature=UNSIGNED"},
 	{IPE_PROP_BPF_SIG_PARTIALSIG,	"bpf_signature=PARTIALSIG"},
 	{IPE_PROP_BPF_SIG_UNKNOWNKEY,	"bpf_signature=UNKNOWNKEY"},
-	{IPE_PROP_BPF_SIG_UNEXPECTED,	"bpf_signature=UNEXPECTED"},
 	{IPE_PROP_BPF_SIG_FAULT,	"bpf_signature=FAULT"},
 	{IPE_PROP_BPF_SIG_BADSIG,	"bpf_signature=BADSIG"},
 	{IPE_PROP_BPF_KEYRING_BUILTIN,	"bpf_keyring=BUILTIN"},
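Review bot: with the token removed, a rule containing bpf_signature=UNEXPECTED no longer matches property_tokens and the parse_property switch below has no case for it either, so a previously valid policy presumably fails to load as a whole. That strictness is reasonable for an unknown property, but the commit message should say so explicitly since it turns a policy that loaded yesterday into a load error; if a grace period is wanted, the parser could keep accepting the old token, warn, and treat the rule as never matching.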
@@ -350,7 +349,6 @@ static int parse_property(char *t, struct ipe_rule *r)
 	case IPE_PROP_BPF_SIG_UNSIGNED:
 	case IPE_PROP_BPF_SIG_PARTIALSIG:
 	case IPE_PROP_BPF_SIG_UNKNOWNKEY:
-	case IPE_PROP_BPF_SIG_UNEXPECTED:
 	case IPE_PROP_BPF_SIG_FAULT:
 	case IPE_PROP_BPF_SIG_BADSIG:
 	case IPE_PROP_BPF_KEYRING_BUILTIN:
-- 
2.53.0


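A pre-upgrade check for the policy change in this patch, written as an added example for this page and not code from the series or from IPE itself: it scans IPE policy text for bpf_signature= properties and reports rules that name the removed UNEXPECTED verdict (which the parser above no longer tokenizes) or any value outside the updated list. The accepted-value list is the one from the updated ipe.rst format line; the sample policy and the op=BPF_PROG_LOAD operation name are constructed for illustration and are not taken from the page.

```c
/*
 * ipe_bpfsig_lint.c: added example for this page, not code from the
 * Hornet/IPE series. Flags IPE rules whose bpf_signature= value the
 * kernel parser will no longer accept once UNEXPECTED is removed.
 */
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Values still accepted: the updated ipe.rst format line. */
static const char *const accepted_values[] = {
	"NONE", "OK", "UNSIGNED", "PARTIALSIG", "UNKNOWNKEY", "FAULT", "BADSIG",
};

/* Values the parser used to accept and now rejects. */
static const char *const removed_values[] = { "UNEXPECTED" };

enum lint_status { LINT_OK = 0, LINT_REMOVED = 1, LINT_UNKNOWN = 2 };

static int in_list(const char *v, size_t n, const char *const *list, size_t count)
{
	for (size_t i = 0; i < count; i++)
		if (strlen(list[i]) == n && memcmp(list[i], v, n) == 0)
			return 1;
	return 0;
}

/* Classify the VALUE part of one bpf_signature=VALUE token (v, length n). */
static enum lint_status classify_value(const char *v, size_t n)
{
	if (in_list(v, n, accepted_values, ARRAY_LEN(accepted_values)))
		return LINT_OK;
	if (in_list(v, n, removed_values, ARRAY_LEN(removed_values)))
		return LINT_REMOVED;
	return LINT_UNKNOWN;
}

/*
 * Lint one rule line. Properties are whitespace-separated key=value
 * tokens, so "bpf_signature=" is only honoured at a token boundary.
 * Returns the worst status among the line's bpf_signature properties,
 * LINT_OK when the line has none.
 */
static enum lint_status lint_line(const char *line)
{
	static const char key[] = "bpf_signature=";
	enum lint_status worst = LINT_OK;
	const char *p = line;

	while ((p = strstr(p, key)) != NULL) {
		if (p != line && p[-1] != ' ' && p[-1] != '\t') {
			p++;			/* embedded in another token */
			continue;
		}
		p += sizeof(key) - 1;
		size_t n = strcspn(p, " \t\r\n");
		enum lint_status s = classify_value(p, n);
		if (s > worst)
			worst = s;
		p += n;
	}
	return worst;
}

/* Lint a whole policy; reports each offending line and returns their count. */
static int lint_policy(const char *text)
{
	int bad = 0, lineno = 0;
	const char *p = text;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		const char *next = nl ? nl + 1 : p + len;
		char line[512];

		if (len >= sizeof(line))
			len = sizeof(line) - 1;	/* truncate over-long lines */
		memcpy(line, p, len);
		line[len] = '\0';
		lineno++;

		enum lint_status s = lint_line(line);
		if (s != LINT_OK) {
			bad++;
			fprintf(stderr, "line %d: %s bpf_signature value: %s\n",
				lineno, s == LINT_REMOVED ? "removed" : "unknown", line);
		}
		p = next;
	}
	return bad;
}

/* Constructed sample policy; op=BPF_PROG_LOAD is an assumed operation name. */
static const char sample_policy[] =
	"policy_name=bpf-lint-demo policy_version=0.0.1\n"
	"DEFAULT action=DENY\n"
	"op=BPF_PROG_LOAD bpf_signature=OK action=ALLOW\n"
	"op=BPF_PROG_LOAD bpf_signature=UNEXPECTED action=DENY\n"
	"op=BPF_PROG_LOAD bpf_signature=BADSIG action=DENY\n"
	"op=BPF_PROG_LOAD bpf_signature=UNEXPETCED action=DENY\n";

int main(void)
{
	int bad = lint_policy(sample_policy);

	printf("%d rule(s) need attention before upgrading\n", bad);
	return bad ? 1 : 0;
}
```

Run it against a real policy by replacing sample_policy with the file contents; a non-zero exit means the policy would be rejected by a kernel carrying this patch. The boundary check on "bpf_signature=" matters because the kernel parser matches whole tokens, so a lint that merely grepped for the substring would both miss and over-report.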

* [PATCH 3/3] hornet: update signing workflow documentation
From: Blaise Boscaccy @ 2026-06-02 20:23 UTC
  To: Paul Moore, Fan Wu, Blaise Boscaccy, linux-security-module

After commit cf5d6b993a43 ("hornet: fix TOCTOU in signed program
verification") map indices are no longer passed into gen_sig. Fix the
lingering documentation reference.

Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
 Documentation/admin-guide/LSM/Hornet.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
index 13dcf686ead71..6551134d8fd59 100644
--- a/Documentation/admin-guide/LSM/Hornet.rst
+++ b/Documentation/admin-guide/LSM/Hornet.rst
@@ -290,7 +290,7 @@ A typical workflow for building and signing an eBPF light skeleton is:
        --key signing_key.pem \
        --cert signing_key.x509 \
        --data insn.bin \
-       --add map.bin:0 \
+       --add map.bin \
        --out sig.bin
 
 5. **Embed the signature** back into the header::
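Review bot: dropping the ":0" fixes the example, but the step text around it (not in this hunk) should now explain how a program with several maps is signed (one --add per map file?) and that, without indices, the kernel matches each used map against the signed set rather than by position, which is what the found loop in patch 1's hornet_check_prog_maps() implies; a reader who only sees the corrected flag will otherwise still look for an index. Worth also confirming against gen_sig's current option parsing that --add now takes a bare path and rejects a ":N" suffix rather than silently accepting it.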
-- 
2.53.0


