On Fri, Sep 9, 2022 at 1:09 PM Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote: > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Add the bpf_verify_pkcs7_signature() kfunc, to give eBPF security modules > the ability to check the validity of a signature against supplied data, by > using user-provided or system-provided keys as trust anchor. > > The new kfunc makes it possible to enforce mandatory policies, as eBPF > programs might be allowed to make security decisions only based on data > sources the system administrator approves. > > The caller should provide the data to be verified and the signature as eBPF > dynamic pointers (to minimize the number of parameters) and a bpf_key > structure containing a reference to the keyring with keys trusted for > signature verification, obtained from bpf_lookup_user_key() or > bpf_lookup_system_key(). > > For bpf_key structures obtained from the former lookup function, > bpf_verify_pkcs7_signature() completes the permission check deferred by > that function by calling key_validate(). key_task_permission() is already > called by the PKCS#7 code. > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Acked-by: KP Singh <kpsingh@xxxxxxxxxx> Acked-by: Song Liu <song@xxxxxxxxxx> [...]