linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Paul Moore <paul@paul-moore.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Alexei Starovoitov <ast@kernel.org>,
	KP Singh <kpsingh@kernel.org>,
	Blaise Boscaccy <bboscaccy@linux.microsoft.com>,
	bpf <bpf@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	"K. Y. Srinivasan" <kys@microsoft.com>,
	 Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	wufan@linux.microsoft.com, Quentin Monnet <qmo@kernel.org>
Subject: Re: [PATCH bpf-next v2 0/3] BPF signature hash chains
Date: Mon, 20 Oct 2025 19:13:19 -0400	[thread overview]
Message-ID: <bc823ddbaf63e0e177eb46d1cc15076e4e2e689d.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAADnVQLRtfPrH6sffaPVyFP4Aib+e7uVVWLi7bb79d9TrHjHpQ@mail.gmail.com>

On Fri, 2025-10-17 at 11:03 -0700, Alexei Starovoitov wrote:
> On Thu, Oct 16, 2025 at 6:36 PM Paul Moore <paul@paul-moore.com>
> wrote:
> > 
> > On Thu, Oct 16, 2025 at 6:01 PM Alexei Starovoitov
> > <alexei.starovoitov@gmail.com> wrote:
> > > On Thu, Oct 16, 2025 at 1:51 PM Paul Moore <paul@paul-moore.com>
> > > wrote:
> > > > On Sun, Oct 12, 2025 at 10:12 PM Paul Moore
> > > > <paul@paul-moore.com> wrote:
> > > > > On Sat, Oct 11, 2025 at 1:09 PM James Bottomley
> > > > > <James.Bottomley@hansenpartnership.com> wrote:
> > > > > > On Sat, 2025-10-11 at 09:31 -0700, Alexei Starovoitov
> > > > > > wrote:
> > > > > > > On Sat, Oct 11, 2025 at 7:52 AM James Bottomley
> > > > > > > <James.Bottomley@hansenpartnership.com> wrote:
> > > > > > > > 
> > > > > > > > It doesn't need to, once we check both the loader and
> > > > > > > > the map, the integrity is verified and the loader can
> > > > > > > > be trusted to run and relocate the map into the bpf
> > > > > > > > program
> > > > > > > 
> > > > > > > You should read KP's cover letter again and then research
> > > > > > > trusted hash chains. Here is a quote from the first
> > > > > > > googled link:
> > > > > > > 
> > > > > > > "A trusted hash chain is a cryptographic process used to
> > > > > > > verify the integrity and authenticity of data by creating
> > > > > > > a sequence of hash values, where each hash is linked to
> > > > > > > the next".
> > > > > > > 
> > > > > > > In addition KP's algorithm was vetted by various security
> > > > > > > teams. There is nothing novel here. It's a classic
> > > > > > > algorithm used to verify integrity and that's what was
> > > > > > > implemented.
> > > > > > 
> > > > > > Both KP and Blaise's patch sets are implementations of
> > > > > > trusted hash chains.  The security argument isn't about
> > > > > > whether the hash chain algorithm works, it's about where,
> > > > > > in relation to the LSM hook, the hash chain verification
> > > > > > completes.
> > > 
> > > Not true. Blaise's patch is a trusted hash chain denial.
> > 
> > It would be helpful if you could clarify what you mean by "trusted
> > hash chain denial" and how that differs from a "trusted hash
> > chain".
> 
> Paul,
> This is getting ridiculous. You're arguing about the code that you
> don't understand. Stop this broken phone and let Blaise defend his
> code.

That might be my fault: I told Blaise only to respond to technical
issues and arguing about what you want to name an algorithm isn't
really a technical issue with the patch.

The point, for me, is when doing integrity tests both patch sets
produce identical results and correctly detect when integrity of a
light skeleton is compromised (in mathematical terms that means they're
functionally equivalent).  The only difference is that with Blaise's
patch set verification completes before the LSM load hook is called and
with KP's it completes after ... and the security problem with the
latter case is that there's no LSM hook to collect the verification
result.

Regards,

James

  parent reply	other threads:[~2025-10-20 23:13 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-29 21:34 [PATCH bpf-next v2 0/3] BPF signature hash chains Blaise Boscaccy
2025-09-29 21:34 ` [PATCH bpf-next v2 1/3] bpf: Add hash chain signature support for arbitrary maps Blaise Boscaccy
2025-09-29 21:34 ` [PATCH bpf-next v2 2/3] selftests/bpf: Enable map verification for some lskel tests Blaise Boscaccy
2025-09-29 21:34 ` [PATCH bpf-next v2 3/3] bpftool: Add support for signing program and map hash chains Blaise Boscaccy
2025-10-01 21:37 ` [PATCH bpf-next v2 0/3] BPF signature " Paul Moore
2025-10-02 13:48   ` KP Singh
2025-10-02 20:01     ` Blaise Boscaccy
2025-10-03 16:59       ` KP Singh
2025-10-03 18:14         ` Blaise Boscaccy
2025-10-03 19:02           ` KP Singh
2025-10-03  2:35     ` Paul Moore
2025-10-03 16:24       ` KP Singh
2025-10-06  3:08         ` Paul Moore
2025-10-07 13:53           ` KP Singh
2025-10-07 19:59             ` James Bottomley
2025-10-09 20:47             ` Paul Moore
2025-10-10  1:00               ` Alexei Starovoitov
2025-10-10 15:53                 ` James Bottomley
2025-10-10 19:39                   ` Paul Moore
2025-10-10 23:06                   ` Alexei Starovoitov
2025-10-11 14:52                     ` James Bottomley
2025-10-11 16:31                       ` Alexei Starovoitov
2025-10-11 17:09                         ` James Bottomley
2025-10-13  2:12                           ` Paul Moore
2025-10-16 20:51                             ` Paul Moore
2025-10-16 22:00                               ` Alexei Starovoitov
2025-10-17  1:36                                 ` Paul Moore
2025-10-17 18:03                                   ` Alexei Starovoitov
2025-10-17 18:39                                     ` Paul Moore
2025-10-20 23:13                                     ` James Bottomley [this message]
2025-10-21  1:25                                       ` Alexei Starovoitov
2025-10-22 21:10                                         ` James Bottomley
2025-10-23 15:39                                           ` KP Singh
2025-10-23 17:53                                             ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bc823ddbaf63e0e177eb46d1cc15076e4e2e689d.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kpsingh@kernel.org \
    --cc=kys@microsoft.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=qmo@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=wufan@linux.microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).