13–15 Nov 2023
America/New_York timezone

BPF_LSM + fsverity for Binary Authorization

13 Nov 2023, 15:00
30m
"James River Salon C" (Omni Richmond Hotel)

eBPF & Networking Track

Speakers

Song Liu (Meta), Boris Burkov (Meta)

Description

Overview

Binary authorization is a common security requirement for modern systems. Fundamentally, only securely authorized binaries are allowed to perform certain risky operations. For example, only an authenticated sshd binary is allowed to bind port 22, or only a limited set of authorized binaries should write to raw block devices holding critical data. Several existing mechanisms, such as fsverity and IMA, have sought to solve this problem. However, existing solutions often fail to provide enough flexibility and fine-grained control with reasonably low overhead. In this talk, we present a flexible, low-overhead solution based on BPF_LSM and fsverity.

Design

In this solution, we use:

  • fs-verity for file integrity checksums
  • Secure binary signing service to compute and sign fs-verity hashes
  • Xattrs to store fs-verity root hash signatures
  • BPF_LSM to enforce access control
  • User space daemon to manage keyrings and BPF_LSM programs
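
As an added illustration (not code from the talk or its patchset), the Python sketch below computes the fs-verity file digest for SHA-256 with 4096-byte blocks and no salt, following the layout in the kernel's fs-verity documentation, plus the `fsverity_formatted_digest` blob that fs-verity's built-in signatures cover. The function names are hypothetical, and whether the signing service in this design signs that blob or the bare digest is an assumption.

```python
import hashlib
import struct

BLOCK = 4096            # fs-verity block size used here (log_blocksize = 12)
ALG_SHA256 = 1          # FS_VERITY_HASH_ALG_SHA256
DIGEST_SIZE = 32


def _hash_blocks(data):
    """Hash each BLOCK-sized chunk, zero-padding the final one."""
    return [hashlib.sha256(data[i:i + BLOCK].ljust(BLOCK, b"\0")).digest()
            for i in range(0, len(data), BLOCK)]


def merkle_root(data):
    """Merkle tree root hash; all zeroes for an empty file."""
    if not data:
        return bytes(DIGEST_SIZE)
    level = _hash_blocks(data)
    while len(level) > 1:               # hash upward until one hash remains
        level = _hash_blocks(b"".join(level))
    return level[0]


def file_digest(data):
    """SHA-256 of the 256-byte struct fsverity_descriptor (unsalted)."""
    desc = struct.pack("<BBBBIQ64s32s144s",
                       1, ALG_SHA256, 12, 0,   # version, alg, log_blocksize, salt_size
                       0, len(data),           # reserved, data_size
                       merkle_root(data),      # root_hash, zero-padded to 64 bytes
                       b"", b"")               # salt, reserved (all zero)
    assert len(desc) == 256
    return hashlib.sha256(desc).digest()


def formatted_digest(data):
    """struct fsverity_formatted_digest: magic, algorithm, size, digest."""
    return (b"FSVerity" + struct.pack("<HH", ALG_SHA256, DIGEST_SIZE)
            + file_digest(data))


if __name__ == "__main__":
    binary = b"\x7fELF" + bytes(10000)      # constructed sample, not a real ELF
    tampered = binary[:-1] + b"\x01"        # change only the last byte
    print(file_digest(binary).hex())
    print(file_digest(tampered).hex())      # differs from the line above
```

A one-byte change to the file yields a different digest, so a signature stored in the xattr for the original digest no longer verifies.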

Kernel Work

We will need the following kfuncs to enable this work:

  • bpf_fsverity_get_digest() to get the fsverity root hash
  • bpf_vfs_getxattr() to get the xattr, which contains the signature

Note: We will have a patchset and/or a PoC for review before LPC 2023.
