From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, February 25, 2022 1:22 AM

Hi Roberto,
On Tue, 2022-02-15 at 13:40 +0100, Roberto Sassu wrote:
Extend the interoperability with IMA, to give wider flexibility for the implementation of integrity-focused LSMs based on eBPF.
I've previously requested adding eBPF module measurements and signature verification support in IMA. There seemed to be some interest, but nothing has been posted.
Hi Mimi,

for my use case, DIGLIM eBPF, IMA integrity verification is needed until the binary carrying the eBPF program is executed as the init process. I've been thinking of using an appended signature to overcome the limitation of the lack of xattrs in the initial ram disk.
At that point, the LSM is attached and it can enforce an execution policy, allowing or denying execution and mmap of files depending on the digest lists (reference values) read by the user space side.
After the LSM is attached, IMA's job would be just to calculate the file digests (currently, I'm using an audit policy to ensure that the digest is available when the eBPF program calls bpf_ima_inode_hash()).
The main benefit of this patch set is that the audit policy would not be required and digests are calculated only when requested by the eBPF program.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua