On Mon, May 19, 2025 at 6:58 PM Paul Moore wrote:
>
> When the kernel performs a security relevant operation, such as
> verifying the signature on a BPF program, where the result of the
> operation serves as input to a policy decision, system measurement,
> audit event, etc. the LSM hook needs to
> > > > > > No. New hook is not needed.
[...]
> > > > >
> > > > > It would be good for you to explain how the existing LSM hook is
> > > > > sufficient
> > > > > to authorize the loading of a BPF program using the signature
> > > > > validation
> > > > > state determined in the BPF verifier.
>
On Mon, May 19, 2025 at 3:20 PM KP Singh wrote:
>
> On Sun, May 18, 2025 at 11:34 PM Paul Moore wrote:
> >
> > On Sun, May 18, 2025 at 11:52 AM Alexei Starovoitov
> > wrote:
> > > On Sat, May 17, 2025 at 10:49 PM Paul Moore wrote:
> > > > On May 17, 2025 12:13:50 PM Alexei Starovoitov
> > > >
On Mon, May 19, 2025 at 6:20 PM KP Singh wrote:
> On Sun, May 18, 2025 at 11:34 PM Paul Moore wrote:
> > On Sun, May 18, 2025 at 11:52 AM Alexei Starovoitov
> > wrote:
> > > On Sat, May 17, 2025 at 10:49 PM Paul Moore wrote:
> > > > On May 17, 2025 12:13:50 PM Alexei Starovoitov
> > > > wrote:
On Sun, May 18, 2025 at 11:34 PM Paul Moore wrote:
>
> On Sun, May 18, 2025 at 11:52 AM Alexei Starovoitov
> wrote:
> > On Sat, May 17, 2025 at 10:49 PM Paul Moore wrote:
> > > On May 17, 2025 12:13:50 PM Alexei Starovoitov
> > > wrote:
> > > > On Sat, May 17, 2025 at 8:03 AM Paul Moore wrote:
On Sun, May 18, 2025 at 11:52 AM Alexei Starovoitov
wrote:
> On Sat, May 17, 2025 at 10:49 PM Paul Moore wrote:
> > On May 17, 2025 12:13:50 PM Alexei Starovoitov
> > wrote:
> > > On Sat, May 17, 2025 at 8:03 AM Paul Moore wrote:
> > >> On Fri, May 16, 2025 at 7:49 PM Alexei Starovoitov
> > >>
On Sat, May 17, 2025 at 10:49 PM Paul Moore wrote:
>
> On May 17, 2025 12:13:50 PM Alexei Starovoitov
> wrote:
> > On Sat, May 17, 2025 at 8:03 AM Paul Moore wrote:
> >> On Fri, May 16, 2025 at 7:49 PM Alexei Starovoitov
> >> wrote:
> >>> On Fri, May 16, 2025 at 12:49 PM Paul Moore wrote:
> >>
On May 17, 2025 12:13:50 PM Alexei Starovoitov
wrote:
On Sat, May 17, 2025 at 8:03 AM Paul Moore wrote:
On Fri, May 16, 2025 at 7:49 PM Alexei Starovoitov
wrote:
On Fri, May 16, 2025 at 12:49 PM Paul Moore wrote:
I think we need some clarification on a few of these details, it would
be go
On Sat, May 17, 2025 at 8:03 AM Paul Moore wrote:
>
> On Fri, May 16, 2025 at 7:49 PM Alexei Starovoitov
> wrote:
> > On Fri, May 16, 2025 at 12:49 PM Paul Moore wrote:
> > >
> > > I think we need some clarification on a few of these details, it would
> > > be good if you could answer the questi
On Fri, May 16, 2025 at 7:49 PM Alexei Starovoitov
wrote:
> On Fri, May 16, 2025 at 12:49 PM Paul Moore wrote:
> >
> > I think we need some clarification on a few of these details, it would
> > be good if you could answer the questions below about the
> > authorization aspects of your design?
> >
On Fri, May 16, 2025 at 12:49 PM Paul Moore wrote:
>
> On Wed, May 14, 2025 at 2:48 PM KP Singh wrote:
> > On Wed, May 14, 2025 at 5:06 AM Paul Moore wrote:
> > > On Sat, May 10, 2025 at 10:01 PM KP Singh wrote:
> > > >
> > >
> > > ...
> > >
> > > > The signature check in the verifier (during B
On Wed, May 14, 2025 at 2:48 PM KP Singh wrote:
> On Wed, May 14, 2025 at 5:06 AM Paul Moore wrote:
> > On Sat, May 10, 2025 at 10:01 PM KP Singh wrote:
> > >
> >
> > ...
> >
> > > The signature check in the verifier (during BPF_PROG_LOAD):
> > >
> > > verify_pkcs7_signature(prog->aux->sha,
On Wed, May 14, 2025 at 10:32 PM James Bottomley
wrote:
>
> On Wed, 2025-05-14 at 20:35 +0200, KP Singh wrote:
> > On Wed, May 14, 2025 at 7:45 PM James Bottomley
> > wrote:
> > >
> > > On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> > > > On Wed, May 14, 2025 at 5:39 PM James Bottomley
> >
On Wed, 2025-05-14 at 20:35 +0200, KP Singh wrote:
> On Wed, May 14, 2025 at 7:45 PM James Bottomley
> wrote:
> >
> > On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> > > On Wed, May 14, 2025 at 5:39 PM James Bottomley
> > > wrote:
> > > > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
>
On Wed, May 14, 2025 at 5:06 AM Paul Moore wrote:
>
> On Sat, May 10, 2025 at 10:01 PM KP Singh wrote:
> >
>
> ...
>
> > The signature check in the verifier (during BPF_PROG_LOAD):
> >
> > verify_pkcs7_signature(prog->aux->sha, sizeof(prog->aux->sha),
> > sig_from_bpf_attr, …);
>
> I think we
On Wed, May 14, 2025 at 8:35 PM KP Singh wrote:
>
> On Wed, May 14, 2025 at 7:45 PM James Bottomley
> wrote:
> >
> > On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> > > On Wed, May 14, 2025 at 5:39 PM James Bottomley
> > > wrote:
> > > > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
>
On Wed, May 14, 2025 at 7:45 PM James Bottomley
wrote:
>
> On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> > On Wed, May 14, 2025 at 5:39 PM James Bottomley
> > wrote:
> > > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
> [...]
> > > > This implicitly makes the payload equivalent to the
On Wed, 2025-05-14 at 19:17 +0200, KP Singh wrote:
> On Wed, May 14, 2025 at 5:39 PM James Bottomley
> wrote:
> > On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
[...]
> > > This implicitly makes the payload equivalent to the signed block
> > > (B_signed)
> > >
> > > I_loader || H_meta
> >
On Wed, May 14, 2025 at 5:39 PM James Bottomley
wrote:
>
> On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
> [...]
> > >
> > For this specific BPF case, we will directly sign a composite of the
> > first message and the hash of the second. Let H_meta = H(M_metadata).
> > The block to be signed
On Sun, 2025-05-11 at 04:01 +0200, KP Singh wrote:
[...]
> >
> For this specific BPF case, we will directly sign a composite of the
> first message and the hash of the second. Let H_meta = H(M_metadata).
> The block to be signed is effectively:
>
> B_signed = I_loader || H_meta
>
> The signa
On Sat, May 10, 2025 at 10:01 PM KP Singh wrote:
>
...
> The signature check in the verifier (during BPF_PROG_LOAD):
>
> verify_pkcs7_signature(prog->aux->sha, sizeof(prog->aux->sha),
> sig_from_bpf_attr, …);
I think we still need to clarify the authorization aspect of your
proposed design.
[...]
> Blaise started this most recent effort by attempting to address the
> concerns brought up in previous efforts, you and others rejected this
> first attempt and directed Blaise towards a light skeleton and LSM
> based approach, which is where he is at with Hornet. Once again, you
> reject
> > I think we need a more detailed explanation of this approach on-list.
> > There has been a lot of vague guidance on BPF signature validation
> > from the BPF community which I believe has partly led us into the
> > situation we are in now. If you are going to require yet another
> > approach,
On Thu, May 8, 2025 at 1:45 PM Alexei Starovoitov
wrote:
> On Wed, May 7, 2025 at 4:24 PM Paul Moore wrote:
> > On Wed, May 7, 2025 at 1:48 PM James Bottomley
> > wrote:
> > >
> > > I'm with Paul on this: if you could share your design ideas more fully
> > > than you have above that would help m
On Wed, May 7, 2025 at 4:24 PM Paul Moore wrote:
>
> On Wed, May 7, 2025 at 1:48 PM James Bottomley
> wrote:
> >
> > I'm with Paul on this: if you could share your design ideas more fully
> > than you have above that would help make this debate way more
> > technical.
>
> I think it would also he
On Wed, May 7, 2025 at 1:48 PM James Bottomley
wrote:
>
> I'm with Paul on this: if you could share your design ideas more fully
> than you have above that would help make this debate way more
> technical.
I think it would also help some of us, at the very least me, put your
objections into conte
On Mon, 2025-05-05 at 22:41 +0200, KP Singh wrote:
> On Mon, May 5, 2025 at 7:30 PM Blaise Boscaccy
> wrote:
> >
> > KP Singh writes:
> >
> > [...]
> >
> > > Now if you really care about the use-case and want to work with
> > > the maintainers and implement signing for the community, here's
>
On Mon, May 5, 2025 at 4:41 PM KP Singh wrote:
> On Mon, May 5, 2025 at 7:30 PM Blaise Boscaccy
> wrote:
> >
> > KP Singh writes:
> >
> > [...]
> >
> > > Now if you really care about the use-case and want to work with the
> > > maintainers
> > > and implement signing for the community, here's h
On Mon, May 5, 2025 at 7:30 PM Blaise Boscaccy
wrote:
>
> KP Singh writes:
>
> [...]
>
> > Now if you really care about the use-case and want to work with the
> > maintainers
> > and implement signing for the community, here's how we think it should be
> > done:
> >
> > * The core signing logic
KP Singh writes:
[...]
> Now if you really care about the use-case and want to work with the
> maintainers
> and implement signing for the community, here's how we think it should be
> done:
>
> * The core signing logic and the tooling stays in BPF, something that the
> users
> are already
On Sun, May 4, 2025 at 7:25 PM KP Singh wrote:
> On Sun, May 4, 2025 at 7:36 PM Paul Moore wrote:
> > On Fri, May 2, 2025 at 5:00 PM KP Singh wrote:
...
> > > ... here's how we think it should be done:
> > >
> > > * The core signing logic and the tooling stays in BPF, something that the
> > >
On 5/4/25 7:36 PM, Paul Moore wrote:
On Fri, May 2, 2025 at 5:00 PM KP Singh wrote:
[...]
From what I've seen in Blaise's efforts to implement BPF signature
validation in the upstream kernel he has been working in good faith
and has been trying to work with the greater BPF community at each
s
On Sun, May 4, 2025 at 7:36 PM Paul Moore wrote:
>
> On Fri, May 2, 2025 at 5:00 PM KP Singh wrote:
> >
> > > This patch series introduces the Hornet LSM. The goal of Hornet is to
> > > provide
> > > a signature verification mechanism for eBPF programs.
> > >
> >
> > [...]
> >
> > >
> > > Refere
On Fri, May 2, 2025 at 5:00 PM KP Singh wrote:
>
> > This patch series introduces the Hornet LSM. The goal of Hornet is to
> > provide
> > a signature verification mechanism for eBPF programs.
> >
>
> [...]
>
> >
> > References: [1]
> > https://lore.kernel.org/bpf/20220209054315.73833-1-alexei.st
> This patch series introduces the Hornet LSM. The goal of Hornet is to provide
> a signature verification mechanism for eBPF programs.
>
[...]
>
> References: [1]
> https://lore.kernel.org/bpf/20220209054315.73833-1-alexei.starovoi...@gmail.com/
> [2]
> https://lore.kernel.org/bpf/CAADnVQ+wPK1KK
This patch series introduces the Hornet LSM. The goal of Hornet is to
provide a signature verification mechanism for eBPF programs.
eBPF has similar requirements to that of modules when it comes to
loading: find symbol addresses, fix up ELF relocations, some struct
field offset handling stuff call
36 matches
Mail list logo
