Overview
Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Explore a flexible and low-overhead solution for binary authorization using BPF_LSM and fsverity in this Linux Plumbers Conference talk. Learn about a security approach that allows only securely authorized binaries to perform risky operations, such as binding specific ports or writing to critical raw block devices. Discover how this method combines fs-verity for file integrity checksums, a secure binary signing service, xattrs for storing fs-verity root hash signatures, and BPF_LSM for enforcing access control. Understand the design components, including the user space daemon for managing keyrings and BPF_LSM programs. Gain insights into the required kernel work, including new kfuncs like bpf_fsverity_get_digest() and bpf_vfs_getxattr(). Hear about the upcoming patchset and proof of concept for this innovative security solution that aims to provide fine-grained control with minimal overhead.
Syllabus
BPF_LSM + fsverity for Binary Authorization - Song Liu, Boris Burkov
Taught by
Linux Plumbers Conference