From: Roberto Sassu <roberto.sassu@huawei.com>
To: lsf-pc@lists.linux-foundation.org
Cc: bpf@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [LSF/MM/BPF TOPIC] DIGLIM eBPF
Date: Wed, 9 Mar 2022 16:46:27 +0000
Message-ID: <4d6932e96d774227b42721d9f645ba51@huawei.com>

Dear PC

I would like to propose a topic for the upcoming LSF/MM/BPF
summit in May:

DIGLIM eBPF: secure boot at application level with minimal changes to distros

The recent addition in the kernel of the bpf LSM made it
much easier to propose new LSMs targeting a specific
use case, without requiring modification of existing LSMs
in the security subsystem.

Integrity Measurement Architecture (IMA) and Extended
Verification Module (EVM) have become the de-facto
standard choice for providing kernel-based integrity
services.

However, while IMA and EVM operate at file granularity,
requiring each file to be signed to pass appraisal, Digest
Lists Integrity Module (DIGLIM) takes a different approach.
It builds a pool of reference values for file/metadata digests
and grants access to a file if the calculated digest is found
in the pool.

The main advantage of this approach is that it is not
constrained by a specific data format, as the pool can
be built from any data format, as long as the corresponding
parser is supported. DIGLIM can take reference values
from unmodified Linux distributions to make its security
decisions.

An alternative to supporting the new approach in IMA,
which would still be possible, has been to rewrite DIGLIM
as an eBPF program, to operate in a similar way as IMA
does.

Although it has yet to be seen if the performance of the
eBPF implementation matches the one aiming to be
integrated in the kernel, at least from the functionality
point of view, eBPF proved to be more than sufficient
and even better than the kernel counterpart.

Since the data structures and the primitives to manage
the pool of reference values are already implemented by
eBPF (e.g. hash map), DIGLIM had only to declare and
use those data structures from the relevant LSM hooks.

The developed eBPF program [1] of ~250 LOC is capable
of verifying the code executed in the unmodified
Fedora 36 [2] and openSUSE Tumbleweed [3] up to the
GNOME desktop (yet, without any verification of the
data source, or the eBPF program itself, to be done as
future work).

Thanks

Roberto

[1] https://github.com/robertosassu/diglim-ebpf/blob/master/ebpf/diglim_kern.c
[2] https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/repo/fedora-36/robertosassu-DIGLIM-eBPF-fedora-36.repo
[3] https://download.opensuse.org/repositories/home:/roberto.sassu:/branches:/openSUSE:/Factory/openSUSE_Tumbleweed/

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
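The mechanism the proposal describes (a pool of reference digests filled by format-specific parsers, consulted from an LSM hook) as a user-space model; this is an added illustration, not DIGLIM's code, and the two digest-list formats, the `build_pool`/`bprm_check` names and the sample entries are constructed for it.

```python
import errno
import hashlib
import json

# Constructed digest lists in two made-up formats. Real DIGLIM takes
# reference values from distro package data; these formats are toys.
TEXT_DIGEST_LIST = """\
# algo:hexdigest  path   (constructed sample, not a real distro list)
sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 /usr/bin/hello
sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /etc/empty.conf
"""
JSON_DIGEST_LIST = json.dumps([{
    "algo": "sha256",
    "digest": hashlib.sha256(b"other\n").hexdigest(),  # constructed entry
    "path": "/usr/bin/other",
}])


def parse_text_list(text):
    """Yield (algo, digest_bytes, path) from the toy text format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ref, path = line.split(maxsplit=1)
        algo, hexdigest = ref.split(":", 1)
        yield algo, bytes.fromhex(hexdigest), path


def parse_json_list(text):
    """Yield (algo, digest_bytes, path) from the toy JSON format."""
    for entry in json.loads(text):
        yield entry["algo"], bytes.fromhex(entry["digest"]), entry["path"]


PARSERS = {"text": parse_text_list, "json": parse_json_list}


def build_pool(sources):
    """Fill the pool (stand-in for an eBPF hash map keyed by digest) from
    (format, data) pairs; formats without a parser are skipped, which is
    the 'as long as the corresponding parser is supported' condition."""
    pool = {}
    for fmt, data in sources:
        parser = PARSERS.get(fmt)
        if parser is None:
            continue
        for algo, digest, path in parser(data):
            pool[(algo, digest)] = path
    return pool


def bprm_check(pool, file_bytes, algo="sha256"):
    """Model of the exec-time LSM hook decision: 0 (allow) when the file's
    digest is in the pool, -EPERM otherwise. Nothing here verifies where
    the lists came from, matching the future work noted in the message."""
    digest = hashlib.new(algo, file_bytes).digest()
    return 0 if (algo, digest) in pool else -errno.EPERM
```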
