Microsoft Proposes “Hornet” Security Module For The Linux Kernel



Microsoft’s newest proposed open-source contribution to the Linux kernel is Hornet, a Linux security module (LSM) that provides signature verification of eBPF programs.

Microsoft has been a longtime proponent of eBPF for running custom programs within the Linux kernel safely and efficiently. eBPF programs have provided much value around networking, security, tracing, and more. Microsoft even brought eBPF to Windows and was one of the founders of the eBPF Foundation. After embracing eBPF for years, Microsoft’s latest contribution is Hornet, which checks the signature on an eBPF program at load time.

Microsoft Hornet

The Hornet Linux Security Module is self-described as:

“Hornet uses a signature verification scheme similar to that of kernel modules. A PKCS#7 signature is appended to the end of an executable file. During an invocation of bpf_prog_load, the signature is fetched from the current task’s executable file. That signature is used to verify the integrity of the bpf instructions and maps which were passed into the kernel. Additionally, Hornet implicitly trusts any programs which were loaded from inside the kernel rather than userspace, which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL programs to run.

Hornet allows users to continue to maintain an invariant that all code running inside of the kernel has been signed and works well with light-skeleton-based loaders, or any statically generated program that doesn’t require userspace instruction rewriting.”

In addition to the Hornet LSM itself, which is gated by the “SECURITY_HORNET” Kconfig option, the patch series also proposes sign-ebpf as a new tool within the Linux kernel source tree for signing eBPF programs.
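To make the scheme quoted above concrete, here is an added userspace model of the sign/verify flow; it is not Hornet’s or sign-ebpf’s code. It assumes a kernel-module-style trailer (signature bytes, then a `struct module_signature`, then the “~Module signature appended~” magic string) appended to the loader’s executable, and it uses HMAC-SHA256 as a stand-in for the real PKCS#7 signature so it runs with only the standard library. The function names, the constructed ELF stub, the demo key and the map definitions are all assumptions for illustration. What the example shows is the part of the text that matters operationally: the signature covers the BPF instructions and map definitions that reach `bpf_prog_load`, so a loader that patches map file descriptors into `ld_imm64` instructions in userspace (classic libbpf relocation) breaks verification, while a light-skeleton-style load whose bytes arrive exactly as signed, or a kernel-originated BPF_PRELOAD load, passes.

```python
"""Userspace model of Hornet-style appended-signature checks on bpf_prog_load.

Added example, not Hornet's code. Assumptions: a kernel-module-style trailer
(signature, struct module_signature, magic string) and HMAC-SHA256 standing in
for the real PKCS#7 signature so this runs with only the standard library.
"""
import hashlib
import hmac
import struct

# struct bpf_insn: u8 code; u8 dst_reg:4, src_reg:4; s16 off; s32 imm  (8 bytes, little-endian)
BPF_LD_IMM64 = 0x18        # BPF_LD | BPF_DW | BPF_IMM
BPF_EXIT = 0x95            # BPF_JMP | BPF_EXIT
BPF_PSEUDO_MAP_FD = 1      # src_reg value a userspace loader writes when patching in a map fd


def insn(code, dst=0, src=0, off=0, imm=0):
    return struct.pack("<BBhI", code, (src << 4) | dst, off, imm & 0xFFFFFFFF)


def ld_imm64(dst, imm64, src=0):
    """Two-slot 64-bit immediate load; imm of the first slot is what a map fd relocation patches."""
    lo = imm64 & 0xFFFFFFFF
    hi = (imm64 >> 32) & 0xFFFFFFFF
    return insn(BPF_LD_IMM64, dst, src, 0, lo) + insn(0, 0, 0, 0, hi)


def map_def(map_type, key_size, value_size, max_entries):
    # Canonical encoding of the map attributes the kernel sees at BPF_MAP_CREATE (assumption).
    return struct.pack("<IIII", map_type, key_size, value_size, max_entries)


def signed_payload(insns, maps):
    # The signature covers the instructions and map definitions handed to the kernel,
    # not the surrounding ELF file.
    return b"".join(insns) + b"".join(maps)


def sign_payload(key, insns, maps):
    # Stand-in for sign-ebpf producing a PKCS#7 signature (assumption: HMAC-SHA256 here).
    return hmac.new(key, signed_payload(insns, maps), hashlib.sha256).digest()


MODULE_SIG_STRING = b"~Module signature appended~\n"
SIG_INFO = struct.Struct(">BBBBB3xI")   # struct module_signature; sig_len is big-endian
PKEY_ID_PKCS7 = 2


def append_signature(exe, sig):
    """Append sig + struct module_signature + magic to the executable, module-signing style."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return exe + sig + info + MODULE_SIG_STRING


def extract_signature(exe):
    """Walk the trailer from the end of the file; return None if no well-formed signature."""
    if not exe.endswith(MODULE_SIG_STRING):
        return None
    body = exe[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        return None
    _, _, id_type, _, _, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    if id_type != PKEY_ID_PKCS7 or sig_len > len(body) - SIG_INFO.size:
        return None
    return body[len(body) - SIG_INFO.size - sig_len:len(body) - SIG_INFO.size]


def hornet_prog_load_check(task_exe, insns, maps, key, loaded_from_kernel=False):
    """Decision made at bpf_prog_load: verify insns+maps against the calling task's executable."""
    if loaded_from_kernel:
        return True   # BPF_PRELOAD / kernel-originated loads are implicitly trusted
    sig = extract_signature(task_exe)
    if sig is None:
        return False
    return hmac.compare_digest(sig, sign_payload(key, insns, maps))


# Constructed demo inputs (not from the patch series).
KEY = hashlib.sha256(b"constructed demo signing key").digest()
MAPS = [map_def(1, 4, 8, 1024)]              # BPF_MAP_TYPE_HASH: u32 key, u64 value
PROG = [ld_imm64(1, 0), insn(BPF_EXIT)]      # r1 = <map placeholder>; exit
ELF_STUB = b"\x7fELF-constructed-loader-binary"
SIGNED_EXE = append_signature(ELF_STUB, sign_payload(KEY, PROG, MAPS))


def scenarios():
    results = {}
    # 1. light-skeleton style: bytes reach the kernel exactly as they were signed
    results["light_skeleton"] = hornet_prog_load_check(SIGNED_EXE, PROG, MAPS, KEY)
    # 2. classic libbpf: userspace patches the map fd into ld_imm64 before bpf_prog_load
    relocated = [ld_imm64(1, 5, src=BPF_PSEUDO_MAP_FD), insn(BPF_EXIT)]
    results["userspace_reloc"] = hornet_prog_load_check(SIGNED_EXE, relocated, MAPS, KEY)
    # 3. map definition widened after signing
    results["map_tamper"] = hornet_prog_load_check(SIGNED_EXE, PROG, [map_def(1, 4, 8, 1 << 20)], KEY)
    # 4. loader executable carries no signature trailer
    results["unsigned"] = hornet_prog_load_check(ELF_STUB, PROG, MAPS, KEY)
    # 5. kernel-originated load (BPF_PRELOAD) bypasses the check by design
    results["preload"] = hornet_prog_load_check(b"", PROG, MAPS, KEY, loaded_from_kernel=True)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints ALLOW for the light-skeleton and preload cases and DENY for the relocated, tampered-map and unsigned cases. The relocation case is the one to internalize: nothing malicious happened there, yet the check fails, because the bytes libbpf hands to the kernel are no longer the bytes that were signed. That is exactly why the cover letter ties Hornet to light skeletons and statically generated programs.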

Those interested in the initial Microsoft Hornet LSM patches for Linux can see the RFC patch series for all the details.


