Explore a flexible and low-overhead solution for binary authorization using BPF_LSM and fsverity in this Linux Plumbers Conference talk. Learn about a security approach that allows only securely authorized binaries to perform risky operations, such as binding specific ports or writing to critical raw block devices. Discover how this method combines fs-verity for file integrity checksums, a secure binary signing service, xattrs for storing fs-verity root hash signatures, and BPF_LSM for enforcing access control. Understand the design components, including the user space daemon for managing keyrings and BPF_LSM programs. Gain insights into the required kernel work, including new kfuncs like bpf_fsverity_get_digest() and bpf_vfs_getxattr(). Hear about the upcoming patchset and proof of concept for this innovative security solution that aims to provide fine-grained control with minimal overhead.
Overview
Syllabus
BPF_LSM + fsverity for Binary Authorization - Song Liu, Boris Burkov
Taught by
Linux Plumbers Conference
Related Courses
-
IMA Policy Support for fs-verity - A Win-win for Linux Integrity and File System Verification
-
BPF Signing Using FSVerity and LSM Gatekeeper
-
Binary Policy with IMA and AppArmor for Linux Workstations
-
Linux Fundamentals for IT Professionals using Ubuntu 20x
-
Closing the Script Execution Control Gap
-
Landlock Update: File Reparenting and Network Rules Support
