Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> writes:

> This adds the Hornet Linux Security Module which provides signature
> verification of eBPF programs.
>
> Hornet uses a signature verification scheme similar to that of
> kernel modules. A pkcs#7 signature is appended to the end of an
> executable file. During an invocation of bpf_prog_load, the signature
> is fetched from the current task's executable file. That signature is
> used to verify the integrity of the bpf instructions and maps which
> were passed into the kernel. Additionally, Hornet implicitly trusts any
> programs which were loaded from inside the kernel rather than userspace,
> which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL
> programs to run.
>
> Hornet allows users to continue to maintain an invariant that all code
> running inside of the kernel has been signed and works well with
> light-skeleton based loaders, or any statically generated program that
> doesn't require userspace instruction rewriting.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx>
> ---
>  Documentation/admin-guide/LSM/Hornet.rst | 51 +++++

You will need to add that file to .../index.rst, or it won't be included
in the docs build.

Thanks,

jon
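The quoted description says Hornet appends a pkcs#7 signature to the end of the executable, in the manner of kernel module signing, and parses it back out at bpf_prog_load time. The example below is added here to illustrate that appended-signature layout and the bounds checks a parser of it needs; it is not Hornet's code and the page does not show Hornet's actual on-disk format. It borrows the kernel module trailer layout (signature blob, a 12-byte `module_signature` descriptor, then the `~Module signature appended~\n` magic) as the analogue, and it substitutes HMAC-SHA256 under a constructed demo key for the PKCS#7 verification so that it runs with the standard library alone. The trailer is parsed from the end of the file inward, and every length read from the file is checked against the data actually present before it is used.

```python
import hashlib
import hmac
import struct

# Trailer layout borrowed from kernel module signing as an analogue:
#   <payload><signature blob><module_signature descriptor><magic string>
# The descriptor is 12 bytes: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then a big-endian u32 sig_len giving the blob's size.
MAGIC = b"~Module signature appended~\n"
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type the kernel uses for a PKCS#7 signature blob

# Constructed demo key (hypothetical, not a real secret). HMAC-SHA256 stands
# in for the PKCS#7 signature so the example needs no CMS library.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_blob(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Return payload with a signature blob and trailer appended."""
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    # For the PKCS#7 id_type the signer/key-id fields are zero: the signer
    # identity travels inside the signature blob itself.
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return payload + sig + info + MAGIC


def split_signed_blob(data: bytes):
    """Split data into (payload, signature), validating the trailer.

    Raises ValueError on any inconsistency. The parser walks from the end
    of the file inward and never trusts a length it has not bounded.
    """
    if len(data) < len(MAGIC) + SIG_INFO.size:
        raise ValueError("file too short to carry a signature trailer")
    if not data.endswith(MAGIC):
        raise ValueError("signature magic missing")
    body = data[: -len(MAGIC)]
    info_start = len(body) - SIG_INFO.size
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[info_start:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unexpected signature id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero descriptor fields are invalid for PKCS#7")
    # sig_len comes from the file: bound it before slicing with it.
    if sig_len > info_start:
        raise ValueError("sig_len exceeds the data preceding the descriptor")
    payload = body[: info_start - sig_len]
    sig = body[info_start - sig_len : info_start]
    return payload, sig


def verify_blob(data: bytes, key: bytes = DEMO_KEY) -> bool:
    """True only if the trailer parses and the signature covers the payload."""
    try:
        payload, sig = split_signed_blob(data)
    except ValueError:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    # Constructed sample payload standing in for a statically generated
    # BPF program image; any byte change in it must fail verification.
    program = b"constructed bpf instruction bytes"
    signed = sign_blob(program)
    tampered = bytearray(signed)
    tampered[0] ^= 0x01
    print("intact verifies:", verify_blob(signed))
    print("tampered verifies:", verify_blob(bytes(tampered)))
```

A real verifier would hand the extracted signature blob and payload to the PKCS#7 machinery and check the signer against the trusted keyring; what does not change is the order of operations shown here, with every file-supplied length checked before it drives a slice.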