[RFC 08/11] security: Hornet LSM

Fan Wu wufan at kernel.org
Fri Dec 12 21:00:01 UTC 2025


On Wed, Dec 10, 2025 at 6:18 PM Blaise Boscaccy
<bboscaccy at linux.microsoft.com> wrote:
>
> This adds the Hornet Linux Security Module which provides enhanced
> signature verification and data validation for eBPF programs. This
> allows users to continue to maintain an invariant that all code
> running inside of the kernel has actually been signed and verified, by
> the kernel.
>
> This effort builds upon the currently accepted upstream solution. It
> further hardens it by providing deterministic, in-kernel checking of
> map hashes to solidify auditing along with preventing TOCTOU attacks
> against lskel map hashes.
>
> Target map hashes are passed in via PKCS#7 signed attributes. Hornet
> determines the extent to which the eBPF program is signed and defers to
> other LSMs for policy decisions.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy at linux.microsoft.com>
> ---
...
> +
> +int hornet_next_map(void *context, size_t hdrlen,
> +                    unsigned char tag,
> +                    const void *value, size_t vlen)
> +{
> +       struct hornet_parse_context *ctx = (struct hornet_parse_context *)value;

I think you wanted to cast context instead?

> +
> +       ctx->hash_count++;
> +       return 0;
> +}
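Review bot: hornet_next_map increments ctx->hash_count with no comparison against the capacity of ctx->hashes and ctx->skips, and the callbacks below index both arrays with that count, so an attribute set carrying more map entries than the arrays hold would write past their end (the struct definition is not in this hunk, but nothing here bounds the value). Suggest checking before the increment, e.g. `if (ctx->hash_count >= HORNET_MAX_MAPS) return -E2BIG;`, where HORNET_MAX_MAPS is a placeholder for whatever limit the parse context actually declares.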
> +
> +
> +int hornet_map_index(void *context, size_t hdrlen,
> +                    unsigned char tag,
> +                    const void *value, size_t vlen)
> +{
> +       struct hornet_parse_context *ctx = (struct hornet_parse_context *)value;

Same above.

> +
> +       ctx->hashes[ctx->hash_count] = *(int *)value;
> +       return 0;
> +}
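Review bot: `*(int *)value` in hornet_map_index reads sizeof(int) host-endian bytes straight out of the DER content octets, but an ASN.1 INTEGER is a big-endian, variable-length two's-complement string, so this yields the wrong index in general and reads past the element whenever vlen is smaller than sizeof(int); vlen is never checked. It also stores an int at ctx->hashes[ctx->hash_count], while hornet_map_hash below copies 32-byte digests into the same array at ctx->hash_count * SHA256_DIGEST_SIZE, so the two callbacks use conflicting layouts for one buffer. Suggest rejecting vlen > sizeof(int) with -EINVAL, assembling the value byte by byte from the big-endian octets, and keeping map indexes in an array separate from the digests.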
> +
> +int hornet_map_hash(void *context, size_t hdrlen,
> +                   unsigned char tag,
> +                   const void *value, size_t vlen)
> +
> +{
> +       struct hornet_parse_context *ctx = (struct hornet_parse_context *)value;
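Review bot: the empty `+` line between `const void *value, size_t vlen)` and the opening `{` of hornet_map_hash is not kernel style; the brace should directly follow the parameter list as it does in the two functions above.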

Same above.

-Fan

> +
> +       if (vlen != SHA256_DIGEST_SIZE && vlen != 0)
> +               return -EINVAL;
> +
> +       if (vlen != 0) {
> +               ctx->skips[ctx->hash_count] = false;
> +               memcpy(&ctx->hashes[ctx->hash_count * SHA256_DIGEST_SIZE], value, vlen);
> +       } else
> +               ctx->skips[ctx->hash_count] = true;
> +
> +       return 0;
> +}
> +
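Review bot: kernel coding style asks for braces on both branches when either branch needs them, so the `} else` followed by the bare `ctx->skips[ctx->hash_count] = true;` should be written `} else {` ... `}`. Separately, both `ctx->skips[ctx->hash_count]` and the memcpy destination `&ctx->hashes[ctx->hash_count * SHA256_DIGEST_SIZE]` depend on hash_count having been range-checked somewhere else; nothing in this function rejects an index past the arrays, so it is worth confirming the caller guarantees it.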


