From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Matteo Croce <technoboy85@gmail.com>
Cc: "Jonathan Corbet" <corbet@lwn.net>,
"David Howells" <dhowells@redhat.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Shuah Khan" <shuah@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Jan Stancek" <jstancek@redhat.com>,
"Neal Gompa" <neal@gompa.dev>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
keyrings@vger.kernel.org,
"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Linux Kbuild mailing list" <linux-kbuild@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
clang-built-linux <llvm@lists.linux.dev>,
nkapron@google.com, "Matteo Croce" <teknoraver@meta.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Cong Wang" <xiyou.wangcong@gmail.com>
Subject: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
Date: Sat, 12 Apr 2025 07:11:01 -0700
Message-ID: <87plhhjwqy.fsf@microsoft.com>
In-Reply-To: <CAADnVQJ5VaXVN=L+0ygEWJkMtPZnqAVEoeFiLBvikntX0zD49w@mail.gmail.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Fri, Apr 11, 2025 at 5:30 PM Matteo Croce <technoboy85@gmail.com> wrote:
>>
>> On Sat, 12 Apr 2025 at 02:19, Alexei Starovoitov
>> <alexei.starovoitov@gmail.com> wrote:
>>
>> Similar to what I proposed here?
>>
>> https://lore.kernel.org/bpf/20211203191844.69709-2-mcroce@linux.microsoft.com/
> ...
>> @@ -1346,6 +1346,8 @@ union bpf_attr {
>> __aligned_u64 fd_array; /* array of FDs */
>> __aligned_u64 core_relos;
>> __u32 core_relo_rec_size; /* sizeof(struct bpf_core_relo) */
>> + __aligned_u64 signature; /* instruction's signature */
>> + __u32 sig_len; /* signature size */
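Review bot: In the two added lines, `signature` is an `__aligned_u64` placed directly after the `__u32 core_relo_rec_size`, which leaves 4 bytes of implicit padding between them in a UAPI struct. Putting `sig_len` immediately after `core_relo_rec_size` and `signature` after it would fill that hole, or the gap could be made an explicit reserved field that must be zero. The comment "instruction's signature" also does not say which bytes the signature covers or what format it uses; please document both, along with what the two fields must contain when no signature is supplied.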
>
> Well, yeah, two fields are obvious.
> But not like that link from 2021.
> KP proposed them a year later in 2022 on top of lskel
> which was much closer to being acceptable.
> We need to think it through and complete the work,
> since there are various ways to do it.
> For example, lskel has a map and a prog.
> A signature in a prog may cover both, but
> it's not necessarily a good design.
> A signature for the map plus a signature for the prog
> that is tied to a map might be a better option.
> At map creation time the contents can be checked,
> the map is frozen, and then the verifier can proceed
> with prog's signature checking.
> lskel doesn't support all the bpf features yet, so we need
> to make sure that the signature verification process
> is extensible when lskel gains new features.
>
> Attaching was also brought up at lsfmm.
> Without checking the attach point the whole thing is quite
> questionable from security pov.

That statement is quite questionable. Yes, IIRC you brought that up. And
again, runtime policy enforcement has nothing to do with proving code
provenance. They are completely independent concerns.

That would be akin to saying that having locks on a door is questionable
without having surveillance cameras installed.
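
The ordering sketched in the quoted text above (check the map contents at creation, freeze the map, then check a program signature that is tied to that map), modelled as an added example that is not code from the patch series or from anyone in the thread. HMAC-SHA256 stands in for the real signature scheme, and `Map`, `create_signed_map`, `load_prog`, `sign_bundle` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for a trusted signing key

def sign(data: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in here, not the kernel's signature format.
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

class Map:
    def __init__(self, contents: bytes):
        self.contents = bytearray(contents)
        self.frozen = False

    def update(self, contents: bytes) -> None:
        if self.frozen:
            raise PermissionError("map is frozen")
        self.contents[:] = contents

    def digest(self) -> bytes:
        return hashlib.sha256(bytes(self.contents)).digest()

def sign_bundle(map_contents: bytes, insns: bytes):
    # Build time: one signature for the map, one for the prog bound to that map.
    map_digest = hashlib.sha256(map_contents).digest()
    return sign(map_contents), sign(insns + map_digest)

def create_signed_map(contents: bytes, map_sig: bytes) -> Map:
    # Step 1: contents are checked at creation time, then the map is frozen.
    if not verify(contents, map_sig):
        raise ValueError("map signature mismatch")
    m = Map(contents)
    m.frozen = True
    return m

def load_prog(insns: bytes, prog_sig: bytes, m: Map) -> bool:
    # Step 2: the prog signature only verifies against the frozen, checked map.
    if not m.frozen:
        raise ValueError("map must be frozen before prog verification")
    if not verify(insns + m.digest(), prog_sig):
        raise ValueError("prog signature mismatch")
    return True

# Constructed sample data, not real lskel output.
MAP_A, MAP_B = b"constructed loader metadata A", b"constructed loader metadata B"
INSNS = bytes.fromhex("b700000000000000" "9500000000000000")
```

Because the program signature includes the map digest, a program signed alongside one map fails verification when paired with any other map, even one that carries a valid signature of its own.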