On Fri, Mar 21, 2025 at 12:45 PM Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> wrote:
>
> This patch series introduces the Hornet LSM.
>
> Hornet takes a simple approach to light-skeleton-based eBPF signature
> verification. Signature data can be easily generated for the binary
> data that is generated via bpftool gen -L. This signature can be
> appended to a skeleton executable via scripts/sign-ebpf. Hornet checks
> the signature against a binary buffer containing the lskel
> instructions that the loader maps use. Maps are frozen to prevent
> TOCTOU bugs where a sufficiently privileged user could rewrite map
> data between the calls to BPF_PROG_LOAD and
> BPF_PROG_RUN. Additionally, both sparse-array-based and
> fd_array_cnt-based map fd arrays are supported for signature
> verification.
>
> Blaise Boscaccy (4):
>   security: Hornet LSM
>   hornet: Introduce sign-ebpf
>   hornet: Add an example lskel data extractor script
>   selftests/hornet: Add a selftest for the hornet LSM

Thanks Blaise,

I noticed a few minor things, but nothing critical. As I understand it,
you'll be presenting Hornet at LSFMMBPF next week? Assuming that's the
case, I'm going to hold off on reviewing this until we hear how that
went next week; please report back after the conference.

However, to be clear, the Hornet LSM proposed here seems very
reasonable to me and I would have no conceptual objections to merging
it upstream. Based on off-list discussions I believe there is a lot of
demand for something like this, and I believe many people will be happy
to have BPF signature verification in-tree.

--
paul-moore.com