On Fri, Mar 21, 2025 at 12:45 PM Blaise Boscaccy bboscaccy@linux.microsoft.com wrote:
This patch series introduces the Hornet LSM.
Hornet takes a simple approach to light-skeleton-based eBPF signature verification. Signature data can be easily generated for the binary data that is generated via bpftool gen -L. This signature can be appended to a skeleton executable via scripts/sign-ebpf. Hornet checks the signature against a binary buffer containing the lskel instructions that the loader maps use. Maps are frozen to prevent TOCTOU bugs where a sufficiently privileged user could rewrite map data between the calls to BPF_PROG_LOAD and BPF_PROG_RUN. Additionally, both sparse-array-based and fd_array_cnt-based map fd arrays are supported for signature verification.
Blaise Boscaccy (4):
  security: Hornet LSM
  hornet: Introduce sign-ebpf
  hornet: Add an example lskel data extractor script
  selftests/hornet: Add a selftest for the hornet LSM
Thanks Blaise, I noticed a few minor things, but nothing critical. As I understand it, you'll be presenting Hornet at LSFMMBPF next week? Assuming that's the case, I'm going to hold off on reviewing this until we hear how that went next week; please report back after the conference.
However, to be clear, the Hornet LSM proposed here seems very reasonable to me and I would have no conceptual objections to merging it upstream. Based on off-list discussions I believe there is a lot of demand for something like this, and I believe many people will be happy to have BPF signature verification in-tree.
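The mechanism the cover letter describes (sign the lskel instruction buffer, append the signature to the skeleton executable, verify at load against the map contents, and freeze the maps so they cannot be rewritten between load and run) can be modelled in a few dozen lines. The following is an added illustration, not Hornet's code and not the trailer format of scripts/sign-ebpf, which the message does not describe; the LSKELSIG magic, the trailer layout and the HMAC-with-a-shared-key stand-in for the kernel's real signature scheme are all constructed assumptions so the example runs with only the standard library.

```python
"""Toy model of light-skeleton signature verification.

Constructed example: the trailer layout, MAGIC value and the use of an HMAC
in place of an asymmetric signature are assumptions, not Hornet's design.
"""
import hashlib
import hmac
import struct

MAGIC = b"LSKELSIG"            # hypothetical trailer marker
DEMO_KEY = b"constructed-key"  # stands in for the signer/verifier trust anchor


def sign_buffer(insns: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Signature over the raw lskel instruction bytes (HMAC-SHA256 stand-in)."""
    return hmac.new(key, insns, hashlib.sha256).digest()


def append_signature(skel: bytes, sig: bytes) -> bytes:
    """Append a trailer: skel | MAGIC | sig | u32 sig_len (assumed layout)."""
    return skel + MAGIC + sig + struct.pack("<I", len(sig))


def extract_signature(blob: bytes):
    """Parse the trailer back off the end of the skeleton executable."""
    (sig_len,) = struct.unpack("<I", blob[-4:])
    sig_start = len(blob) - 4 - sig_len
    sig = blob[sig_start:len(blob) - 4]
    magic = blob[sig_start - len(MAGIC):sig_start]
    if magic != MAGIC:
        raise ValueError("no signature trailer present")
    return blob[:sig_start - len(MAGIC)], sig


class LskelMap:
    """Model of a loader map holding the instruction buffer."""

    def __init__(self, data: bytes):
        self.data = bytearray(data)
        self.frozen = False

    def freeze(self) -> None:
        self.frozen = True

    def write(self, offset: int, chunk: bytes) -> None:
        # A frozen map rejects writes, closing the load-to-run TOCTOU window.
        if self.frozen:
            raise PermissionError("map is frozen")
        self.data[offset:offset + len(chunk)] = chunk


def verify_load(skel_with_sig: bytes, insn_map: LskelMap,
                key: bytes = DEMO_KEY) -> bool:
    """Return True only if the map is frozen and its contents match the signature."""
    _, sig = extract_signature(skel_with_sig)
    if not insn_map.frozen:
        return False  # unfrozen map could still be rewritten after this check
    expected = sign_buffer(bytes(insn_map.data), key)
    return hmac.compare_digest(sig, expected)


def demo() -> dict:
    """Walk through sign, tamper, freeze and verify; returns the outcomes."""
    insns = bytes.fromhex("b7000000000000009500000000000000")  # constructed bytes
    signed = append_signature(b"\x7fELF-skeleton-stub", sign_buffer(insns))

    good = LskelMap(insns)
    unfrozen_result = verify_load(signed, good)   # refused: not frozen yet
    good.freeze()
    frozen_result = verify_load(signed, good)     # accepted

    tampered = LskelMap(insns)
    tampered.write(0, b"\xff")                    # rewrite before load
    tampered.freeze()
    tampered_result = verify_load(signed, tampered)

    try:
        good.write(0, b"\xff")                    # rewrite after freeze
        write_after_freeze_blocked = False
    except PermissionError:
        write_after_freeze_blocked = True

    return {
        "unfrozen": unfrozen_result,
        "frozen": frozen_result,
        "tampered": tampered_result,
        "write_after_freeze_blocked": write_after_freeze_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The check order matters: the freeze is confirmed before the contents are compared, since a map that can still be written after verification is exactly the window the cover letter says Hornet closes.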