Jonathan Corbet <corbet@xxxxxxx> writes: > Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> writes: > >> This adds the Hornet Linux Security Module which provides signature >> verification of eBPF programs. >> >> Hornet uses a similar signature verification scheme similar to that of >> kernel modules. A pkcs#7 signature is appended to the end of an >> executable file. During an invocation of bpf_prog_load, the signature >> is fetched from the current task's executable file. That signature is >> used to verify the integrity of the bpf instructions and maps which >> where passed into the kernel. Additionally, Hornet implicitly trusts any >> programs which where loaded from inside kernel rather than userspace, >> which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL >> programs to run. >> >> Hornet allows users to continue to maintain an invariant that all code >> running inside of the kernel has been signed and works well with >> light-skeleton based loaders, or any statically generated program that >> doesn't require userspace instruction rewriting. >> >> Signed-off-by: Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> >> --- >> Documentation/admin-guide/LSM/Hornet.rst | 51 +++++ > > You will need to add that file to .../index.rst, or it won't be included > in the docs build. > > Thanks, > > jon Good catch, will get that fixed. Thanks Jon.
