BPF_LSM and fsverity for Binary Authorization
Offered By: Linux Plumbers Conference via YouTube
Course Description
Overview
Explore a flexible and low-overhead solution for binary authorization using BPF_LSM and fsverity in this Linux Plumbers Conference talk. Learn about a security approach that allows only securely authorized binaries to perform risky operations, such as binding specific ports or writing to critical raw block devices. Discover how this method combines fs-verity for file integrity checksums, a secure binary signing service, xattrs for storing fs-verity root hash signatures, and BPF_LSM for enforcing access control. Understand the design components, including the user space daemon for managing keyrings and BPF_LSM programs. Gain insights into the required kernel work, including new kfuncs like bpf_fsverity_get_digest() and bpf_vfs_getxattr(). Hear about the upcoming patchset and proof of concept for this innovative security solution that aims to provide fine-grained control with minimal overhead.
Syllabus
BPF_LSM + fsverity for Binary Authorization - Song Liu, Boris Burkov
Taught by
Linux Plumbers Conference