Dear PC I would like to propose a topic for the upcoming LSF/MM/BPF summit in May: DIGLIM eBPF: secure boot at application level with minimal changes to distros The recent addition in the kernel of the bpf LSM made it much easier to propose new LSMs targeting a specific use case, without requiring modification of existing LSMs in the security subsystem. Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) have become the de-facto standard choice for providing kernel-based integrity services. However, while IMA and EVM operate at file granularity, requiring each file to be signed to pass appraisal, Digest Lists Integrity Module (DIGLIM) takes a different approach. It builds a pool of reference values for file/metadata digests and grants access to a file if the calculated digest is found in the pool. The main advantage of this approach is that it is not constrained by a specific data format, as the pool can be built from any data format, as long as the corresponding parser is supported. DIGLIM can take reference values from unmodified Linux distributions to make its security decisions. An alternative of supporting the new approach in IMA, which would be still possible, has been to rewrite DIGLIM as an eBPF program, to operate in a similar way as IMA does. Although it has yet to be seen if the performance of the eBPF implementation matches the one aiming to be integrated in the kernel, at least from the functionality point of view, eBPF proved to be more than sufficient and even better than the kernel counterpart. Since the data structures and the primitives to manage the pool of reference values are already implemented by eBPF (e.g. hash map), DIGLIM had only to declare and use those data structures from the relevant LSM hooks. The developed eBPF program [1] of ~250 LOC is capable of verifying the code executed in the unmodified Fedora 36 [2] and openSUSE Tumbleweed [3] up to the GNOME desktop (yet, without any verification of the data source, or the eBPF program itself, to be done as future work). Thanks Roberto [1] https://github.com/robertosassu/diglim-ebpf/blob/master/ebpf/diglim_kern.c [2] https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/repo/fedora-36/robertosassu-DIGLIM-eBPF-fedora-36.repo [3] https://download.opensuse.org/repositories/home:/roberto.sassu:/branches:/openSUSE:/Factory/openSUSE_Tumbleweed/ HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua
