[no subject]

(Secure Boot is concerned only with verifying the trustworthiness of the
bootloader.

From https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html:

The Kernel Lockdown feature is designed to prevent both direct
and indirect access to a running kernel image, attempting to
protect against unauthorized modification of the kernel image and
to prevent access to security and cryptographic data located in
kernel memory, whilst still permitting driver modules to be
loaded.

eBPF does not require loading additional kernel modules (perhaps you were
thinking of systemtap?), nor does it need to modify the kernel image.)

To verify this works on current stable, you can try:

# hostnamectl | rg -i cpe
     CPE OS Name: cpe:/o:fedoraproject:fedora:35

# bootctl | rg -i secure.*boot
systemd-boot not installed in ESP.
  Secure Boot: enabled

# cat /sys/kernel/security/lockdown
none [integrity] confidentiality

# rpm -q bcc-tools
bcc-tools-0.21.0-1.fc35.x86_64

# rpm -ql bcc-tools | rg bitesize
/usr/share/bcc/tools/bitesize
/usr/share/bcc/tools/doc/bitesize_example.txt
/usr/share/man/man8/bcc-bitesize.8.gz

# /usr/share/bcc/tools/bitesize
Tracing block I/O... Hit Ctrl-C to end.
^C
Process Name = dmcrypt_write/2
     Kbytes              : count     distribution
         0 -> 1          : 0        |                                        |
         2 -> 3          : 0        |                                        |
         4 -> 7          : 195      |**********                              |
         8 -> 15         : 42       |**                                      |
        16 -> 31         : 756      |****************************************|
        32 -> 63         : 166      |********                                |
        64 -> 127        : 24       |*                                       |
       128 -> 255        : 5        |                                        |
       256 -> 511        : 99       |*****                                   |
...

The bcc-tools package is a collection of eBPF programs
(https://github.com/iovisor/bcc).

Alternatively, the much simpler
https://gist.github.com/lizrice/47ad44a15cce912502f8667a403f5649#file-hello_world-py
(requires python3-bcc):

# cat << 'EOF' > hi.py
#!/usr/bin/python
from bcc import BPF

prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello world\\n");
    return 0;
}
"""

b = BPF(text=prog)
clone = b.get_syscall_fnname("clone")
b.attach_kprobe(event=clone, fn_name="hello")
b.trace_print()
> EOF

# strace -e bpf ./hi.py

Hope that helps.



On Fri, Feb 18, 2022 at 6:50 PM Fabio Valentini <decathorpe@xxxxxxxxx>
wrote:

> On Fri, Feb 18, 2022 at 4:27 PM Roberto Sassu via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Hi everyone
> >
> > I have very exciting news to share.
> >
> > Given the difficulty of having the DIGLIM kernel patches
> > accepted, I checked if I could achieve the same goals
> > with an eBPF program.
> >
> > I focused only on the functionality side; some support from
> > the kernel is probably required to have the same security
> > guarantees as an LSM integrated in the kernel.
> >
> > But, at least for the functionality part, I would say that
> > thanks to the very extensive support from eBPF, I managed
> > to almost match what I provided with the kernel patches
> > (at least for appraisal, not for measurement).
> >
> > This is the repo with the code:
> >
> > https://github.com/robertosassu/diglim-ebpf
> >
> > and the Copr project with binary packages:
> >
> > https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/
> >
> > Unfortunately, due to a feature introduced only recently
> > (allow sleepable programs to use the inode map), it will
> > work only with Fedora 36. Probably, commit 0fe4b381a59e
> > ("bpf: Allow bpf_local_storage to be used by sleepable programs")
> > applied to the kernel 5.16 would be sufficient to use
> > DIGLIM eBPF also in Fedora 35.
> >
> > Unlike the previous version of DIGLIM, this one does not
> > have any dependency (I just had to add rpmplugin.h in
> > the rpm-devel package).
> >
> > It can be configured with two simple commands (please
> > do it in a testing VM):
> >
> > # dnf copr enable robertosassu/DIGLIM-eBPF
> > # diglim_setup.sh install --default
> >
> > After reboot, the kernel will refuse to execute anything
> > that is not in a package. Updating a package or installing
> > new ones is supported, DIGLIM eBPF takes care of loading
> > the new reference values.
> >
> > Adding custom software is also possible, as shown with the
> > following commands:
> >
> > # ./script.sh
> > -bash: ./script.sh: /bin/bash: bad interpreter: Operation not permitted
> > # compact_gen -d /etc/digest_lists -i script.sh
> > # diglim_user_client -o add -p /etc/digest_lists/0-file_list-compact-script.sh
> > Digest list command successful
> > # ./script.sh
> > Hello world!
> >
> > I know it is too late for Fedora 36, but I hope you could
> > consider this version for Fedora 37. In the meantime, I will
> > work on the security guarantees (signature verification of
> > the digest lists, avoid unplugging of the LSM).
> >
> > Any comment or suggestion is very appreciated!
> >
> > Thanks
> >
> > Roberto
>
> I seem to remember discussions about eBPF programs having certain
> limitations (related to kernel Lockdown patches and Secure Boot).
> Has this changed? Is running eBPF programs in stock Fedora (with
> Secure Boot enabled) possible now?
>
> Fabio
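As an added example (not part of either message above), a small preflight check that parses the two system states the reply inspects, the bracketed active mode in /sys/kernel/security/lockdown and the SecureBoot EFI variable, and reports which operations of the bcc hello-world workflow the current lockdown mode would deny. The level mapping is taken from the kernel's lockdown_reasons table; the efivarfs path uses the standard EFI_GLOBAL_VARIABLE GUID, and the operation names are labels chosen here.

```python
# Added example (not from the original thread): preflight check for bcc-style
# eBPF tracing on a locked-down kernel.  Level mapping follows lockdown_reasons[]
# in security/security.c: BPF writes to user memory are an "integrity" reason,
# kprobes and BPF reads of kernel memory are "confidentiality" reasons, and
# loading a BPF program is not a lockdown reason at all.
import re

LOCKDOWN_PATH = "/sys/kernel/security/lockdown"
# EFI_GLOBAL_VARIABLE GUID; an efivarfs file is 4 attribute bytes + the data.
SECUREBOOT_EFIVAR = ("/sys/firmware/efi/efivars/"
                     "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
LEVELS = ("none", "integrity", "confidentiality")

# Operation used by the hello-world / bitesize workflow -> lowest level denying it.
EBPF_OPERATIONS = {
    "bpf(BPF_PROG_LOAD)": None,  # never restricted by lockdown
    "attach_kprobe (LOCKDOWN_KPROBES)": "confidentiality",
    "bpf_probe_read_kernel (LOCKDOWN_BPF_READ_KERNEL)": "confidentiality",
    "bpf_probe_write_user (LOCKDOWN_BPF_WRITE_USER)": "integrity",
}

def parse_lockdown(text):
    """Active mode from e.g. 'none [integrity] confidentiality': the file lists
    every supported level and brackets the active one."""
    m = re.search(r"\[(\w+)\]", text)
    if not m or m.group(1) not in LEVELS:
        raise ValueError("unrecognised lockdown state: %r" % text)
    return m.group(1)

def denied_operations(mode):
    """Entries of EBPF_OPERATIONS that the given lockdown mode rejects."""
    rank = LEVELS.index(mode)
    return sorted(op for op, level in EBPF_OPERATIONS.items()
                  if level is not None and LEVELS.index(level) <= rank)

def parse_secure_boot(efivar_bytes):
    """True if the SecureBoot data byte (after 4 attribute bytes) is 1."""
    if len(efivar_bytes) < 5:
        raise ValueError("SecureBoot efivar too short: %r" % efivar_bytes)
    return efivar_bytes[4] == 1

def preflight(lockdown_path=LOCKDOWN_PATH, efivar_path=SECUREBOOT_EFIVAR):
    """Read both files on the running system; a missing file means the feature is absent."""
    try:
        with open(lockdown_path) as f:
            mode = parse_lockdown(f.read())
    except FileNotFoundError:
        mode = "none"  # lockdown LSM not built into this kernel
    try:
        with open(efivar_path, "rb") as f:
            secure_boot = parse_secure_boot(f.read())
    except (FileNotFoundError, PermissionError):
        secure_boot = False  # non-EFI boot, efivarfs not mounted, or unreadable
    return mode, secure_boot, denied_operations(mode)
```

On the Fedora 35 host shown above (Secure Boot enabled, mode `integrity`) preflight() reports only the BPF write-to-user-memory helper as denied, which is why the kprobe-based hello-world still runs.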
