> From: Roberto Sassu > Sent: Monday, February 28, 2022 10:08 AM > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > > Sent: Friday, February 25, 2022 8:11 PM > > On Fri, 2022-02-25 at 08:41 +0000, Roberto Sassu wrote: > > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > > > > Sent: Friday, February 25, 2022 1:22 AM > > > > Hi Roberto, > > > > > > > > On Tue, 2022-02-15 at 13:40 +0100, Roberto Sassu wrote: > > > > > Extend the interoperability with IMA, to give wider flexibility for the > > > > > implementation of integrity-focused LSMs based on eBPF. > > > > > > > > I've previously requested adding eBPF module measurements and signature > > > > verification support in IMA. There seemed to be some interest, but > > > > nothing has been posted. > > > > > > Hi Mimi > > > > > > for my use case, DIGLIM eBPF, IMA integrity verification is > > > needed until the binary carrying the eBPF program is executed > > > as the init process. I've been thinking to use an appended > > > signature to overcome the limitation of lack of xattrs in the > > > initial ram disk. > > > > I would still like to see xattrs supported in the initial ram disk. > > Assuming you're still interested in pursuing it, someone would need to > > review and upstream it. Greg? > > I could revise this work. However, since appended signatures > would work too, I would propose to extend this appraisal > mode to executables, if it is fine for you. Regarding this patch set, I kindly ask if you could accept it, after I make the changes suggested. The changes are simple, and waiting another kernel cycle seems too long. Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua > > > At that point, the LSM is attached and it can enforce an > > > execution policy, allowing or denying execution and mmap > > > of files depending on the digest lists (reference values) read > > > by the user space side. > > > > > > After the LSM is attached, IMA's job would be just to calculate > > > the file digests (currently, I'm using an audit policy to ensure > > > that the digest is available when the eBPF program calls > > > bpf_ima_inode_hash()). > > > > > > The main benefit of this patch set is that the audit policy > > > would not be required and digests are calculated only when > > > requested by the eBPF program. > > > > Roberto, there's an existing eBPF integrity gap that needs to be > > closed, perhaps not for your usecase, but in general. Is that > > something you can look into? > > It could be possible I look into it. > > Roberto > > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 > Managing Director: Li Peng, Zhong Ronghua
