[bpf-next,0/5] bpf: file verification with LSM and fsverity

Message ID	20231013182644.2346458-1-song@kernel.org (mailing list archive)
Headers	show Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AE47723751 for <fsverity@lists.linux.dev>; Fri, 13 Oct 2023 18:29:35 +0000 (UTC) From: Song Liu <song@kernel.org> To: <bpf@vger.kernel.org>, <fsverity@lists.linux.dev> CC: <ast@kernel.org>, <daniel@iogearbox.net>, <andrii@kernel.org>, <martin.lau@kernel.org>, <kernel-team@meta.com>, <ebiggers@kernel.org>, <tytso@mit.edu>, <roberto.sassu@huaweicloud.com>, Song Liu <song@kernel.org> Subject: [PATCH bpf-next 0/5] bpf: file verification with LSM and fsverity Date: Fri, 13 Oct 2023 11:26:39 -0700 Message-ID: <20231013182644.2346458-1-song@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain
Series	bpf: file verification with LSM and fsverity \| expand [bpf-next,0/5] bpf: file verification with LSM and fsverity [bpf-next,1/5] bpf: Add kfunc bpf_get_file_xattr [bpf-next,2/5] bpf, fsverity: Add kfunc bpf_get_fsverity_digest [bpf-next,3/5] selftests/bpf: Sort config in alphabetic order [bpf-next,4/5] selftests/bpf: Add tests for filesystem kfuncs [bpf-next,5/5] selftests/bpf: Add test that use fsverity and xattr to sign a file

Message ID

20231013182644.2346458-1-song@kernel.org (mailing list archive)

Headers

From: Song Liu <song@kernel.org>
To: <bpf@vger.kernel.org>, <fsverity@lists.linux.dev>
CC: <ast@kernel.org>, <daniel@iogearbox.net>, <andrii@kernel.org>,
        <martin.lau@kernel.org>, <kernel-team@meta.com>,
 <ebiggers@kernel.org>,
        <tytso@mit.edu>, <roberto.sassu@huaweicloud.com>,
        Song Liu <song@kernel.org>
Subject: [PATCH bpf-next 0/5] bpf: file verification with LSM and fsverity
Date: Fri, 13 Oct 2023 11:26:39 -0700
Message-ID: <20231013182644.2346458-1-song@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

Series

bpf: file verification with LSM and fsverity | expand

Message

Song Liu Oct. 13, 2023, 6:26 p.m. UTC

This set enables file verification with BPF LSM and fsverity.

In this solution, fsverity is used to provide reliable and efficient hash
of files; and BPF LSM is used to implement signature verification (against
asymmetric keys), and to enforce access control.

This solution can be used to implement access control in complicated cases.
For example: only signed python binary and signed python script and access
special files/devices/ports.

Thanks,
Song

Song Liu (5):
  bpf: Add kfunc bpf_get_file_xattr
  bpf, fsverity: Add kfunc bpf_get_fsverity_digest
  selftests/bpf: Sort config in alphabetic order
  selftests/bpf: Add tests for filesystem kfuncs
  selftests/bpf: Add test that use fsverity and xattr to sign a file

 fs/verity/measure.c                           |  66 +++++++
 include/linux/bpf.h                           |  12 ++
 kernel/trace/bpf_trace.c                      |  44 +++++
 tools/testing/selftests/bpf/bpf_kfuncs.h      |  10 ++
 tools/testing/selftests/bpf/config            |   3 +-
 .../selftests/bpf/prog_tests/fs_kfuncs.c      | 132 ++++++++++++++
 .../bpf/prog_tests/verify_pkcs7_sig.c         | 163 +++++++++++++++++-
 .../selftests/bpf/progs/test_fsverity.c       |  46 +++++
 .../selftests/bpf/progs/test_get_xattr.c      |  39 +++++
 .../selftests/bpf/progs/test_sig_in_xattr.c   |  84 +++++++++
 .../bpf/progs/test_verify_pkcs7_sig.c         |   8 +-
 .../testing/selftests/bpf/verify_sig_setup.sh |  25 +++
 12 files changed, 623 insertions(+), 9 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_fsverity.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_get_xattr.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_sig_in_xattr.c

--
2.34.1