git.maquefel.me Git - linux.git/commit

author	Song Liu <song@kernel.org>
	Wed, 29 Nov 2023 23:44:17 +0000 (15:44 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Sat, 2 Dec 2023 00:21:03 +0000 (16:21 -0800)
commit	1030e9154258b54e3c7dc07c39e7b6dcf24bc3d2
tree	0d7e27c7ea846503b8b95abaee14a85242a98347	tree \| snapshot
parent	341f06fdddf72cd60a10945152f69f0f1d614519	commit \| diff

selftests/bpf: Add test that uses fsverity and xattr to sign a file

This selftests shows a proof of concept method to use BPF LSM to enforce
file signature. This test is added to verify_pkcs7_sig, so that some
existing logic can be reused.

This file signature method uses fsverity, which provides reliable and
efficient hash (known as digest) of the file. The file digest is signed
with asymmetic key, and the signature is stored in xattr. At the run time,
BPF LSM reads file digest and the signature, and then checks them against
the public key.

Note that this solution does NOT require FS_VERITY_BUILTIN_SIGNATURES.
fsverity is only used to provide file digest. The signature verification
and access control is all implemented in BPF LSM.

Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20231129234417.856536-7-song@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

tools/testing/selftests/bpf/bpf_kfuncs.h		diff \| blob \| history
tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c		diff \| blob \| history
tools/testing/selftests/bpf/progs/test_sig_in_xattr.c	[new file with mode: 0644]	blob
tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c		diff \| blob \| history
tools/testing/selftests/bpf/verify_sig_setup.sh		diff \| blob \| history