[LSF/MM/BPF TOPIC] DIGLIM eBPF

Roberto Sassu roberto.sassu at huawei.com
Wed Mar 9 16:46:27 UTC 2022


Dear PC

I would like to propose a topic for the upcoming LSF/MM/BPF
summit in May:

DIGLIM eBPF: secure boot at application level with minimal changes to distros

The recent addition in the kernel of the bpf LSM made it
much easier to propose new LSMs targeting a specific
use case, without requiring modification of existing LSMs
in the security subsystem.

Integrity Measurement Architecture (IMA) and Extended
Verification Module (EVM) have become the de facto
standard choice for providing kernel-based integrity
services.

However, while IMA and EVM operate at file granularity,
requiring each file to be signed to pass appraisal, Digest
Lists Integrity Module (DIGLIM) takes a different approach.
It builds a pool of reference values for file/metadata digests
and grants access to a file if the calculated digest is found
in the pool.

The main advantage of this approach is that it is not
constrained by a specific data format, as the pool can
be built from any data format, as long as the corresponding
parser is supported. DIGLIM can take reference values
from unmodified Linux distributions to make its security
decisions.

An alternative to supporting the new approach in IMA,
which would still be possible, has been to rewrite DIGLIM
as an eBPF program, to operate in a similar way as IMA
does.

Although it has yet to be seen if the performance of the
eBPF implementation matches the one aiming to be
integrated in the kernel, at least from the functionality
point of view, eBPF proved to be more than sufficient
and even better than the kernel counterpart.

Since the data structures and the primitives to manage
the pool of reference values are already implemented by
eBPF (e.g. hash map), DIGLIM had only to declare and
use those data structures from the relevant LSM hooks.

The developed eBPF program [1] of ~250 LOC is capable
of verifying the code executed in the unmodified
Fedora 36 [2] and openSUSE Tumbleweed [3] up to the
GNOME desktop (yet, without any verification of the
data source, or the eBPF program itself, to be done as
future work).

Thanks

Roberto

[1] https://github.com/robertosassu/diglim-ebpf/blob/master/ebpf/diglim_kern.c
[2] https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/repo/fedora-36/robertosassu-DIGLIM-eBPF-fedora-36.repo
[3] https://download.opensuse.org/repositories/home:/roberto.sassu:/branches:/openSUSE:/Factory/openSUSE_Tumbleweed/

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
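
A userspace model of the pool-of-reference-values approach described in the message above, added here as an illustration; it is not code from the DIGLIM eBPF project. The two input formats, the parser and function names, and the sample file contents are constructed assumptions.

```python
import hashlib
import json

# Constructed sample inputs: two file bodies and two differently formatted
# sources of reference values (assumed formats, for illustration only).
FILE_A = b"#!/bin/sh\necho hello\n"
FILE_B = b"\x7fELF constructed binary body"
SHA256SUMS = f"{hashlib.sha256(FILE_A).hexdigest()}  /usr/bin/hello\n"
JSON_MANIFEST = json.dumps(
    {"files": [{"path": "/usr/bin/tool", "sha256": hashlib.sha256(FILE_B).hexdigest()}]}
)

def _is_sha256_hex(s):
    return len(s) == 64 and all(c in "0123456789abcdefABCDEF" for c in s)

def parse_sha256sums(text):
    """Parser for 'digest  path' lines; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split(maxsplit=1)
        if fields and _is_sha256_hex(fields[0]):
            yield fields[0].lower()

def parse_json_manifest(text):
    """Parser for a JSON list of {path, sha256} entries."""
    for entry in json.loads(text).get("files", []):
        digest = str(entry.get("sha256", ""))
        if _is_sha256_hex(digest):
            yield digest.lower()

# The pool is independent of the data format: one parser per supported format.
PARSERS = {"sha256sums": parse_sha256sums, "json": parse_json_manifest}

def build_pool(sources):
    """sources: iterable of (format_name, text); unsupported formats are rejected."""
    pool = set()
    for fmt, text in sources:
        if fmt not in PARSERS:
            raise ValueError(f"no parser for format {fmt!r}")
        pool.update(PARSERS[fmt](text))
    return pool

def appraise(pool, content):
    """Grant access only if the calculated digest is found in the pool."""
    return hashlib.sha256(content).hexdigest() in pool

POOL = build_pool([("sha256sums", SHA256SUMS), ("json", JSON_MANIFEST)])
```
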


