On Fri, Mar 21, 2025 at 12:46 PM Blaise Boscaccy bboscaccy@linux.microsoft.com wrote:
This adds the Hornet Linux Security Module which provides signature verification of eBPF programs.
Hornet uses a similar signature verification scheme similar to that of kernel modules. A pkcs#7 signature is appended to the end of an executable file. During an invocation of bpf_prog_load, the signature is fetched from the current task's executable file. That signature is used to verify the integrity of the bpf instructions and maps which where passed into the kernel. Additionally, Hornet implicitly trusts any programs which where loaded from inside kernel rather than userspace, which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL programs to run.
Hornet allows users to continue to maintain an invariant that all code running inside of the kernel has been signed and works well with light-skeleton based loaders, or any statically generated program that doesn't require userspace instruction rewriting.
Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
Documentation/admin-guide/LSM/Hornet.rst | 51 +++++ crypto/asymmetric_keys/pkcs7_verify.c | 10 + include/linux/kernel_read_file.h | 1 + include/linux/verification.h | 1 + include/uapi/linux/lsm.h | 1 + security/Kconfig | 3 +- security/Makefile | 1 + security/hornet/Kconfig | 11 ++ security/hornet/Makefile | 4 + security/hornet/hornet_lsm.c | 239 +++++++++++++++++++++++ 10 files changed, 321 insertions(+), 1 deletion(-) create mode 100644 Documentation/admin-guide/LSM/Hornet.rst create mode 100644 security/hornet/Kconfig create mode 100644 security/hornet/Makefile create mode 100644 security/hornet/hornet_lsm.c
A reminder that you'll need to take responsibility for maintaining Hornet and provide a corresponding entry in the MAINTAINERS file too. I'm not nice enough to maintain Hornet for you ;) If you have any questions about any of the fields, let me know.
I believe you've seen this already, but as a general FYI we do have some guidelines for new LSMs:
https://web.git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/tree/REA...