
Microsoft has unveiled Hornet—a new Linux Security Module (LSM) designed to verify the signatures of eBPF programs. This marks yet another contribution by the company to the advancement of Linux and open-source security technologies.
For some time now, Microsoft has been an active proponent of eBPF, a powerful technology that allows user-defined programs to execute safely and efficiently within the Linux kernel. eBPF is leveraged for a range of purposes, from optimizing network performance to enhancing observability and security. Microsoft not only ported eBPF to Windows but also became a founding member of the eBPF Foundation, underscoring its strong commitment to the technology.
With the introduction of Hornet, Microsoft aims to strengthen the security posture of eBPF programs. Hornet verifies the signatures of executable eBPF binaries using a scheme akin to that employed for validating Linux kernel module signatures. A PKCS#7 signature is appended to the end of the executable, and upon program load via the bpf_prog_load system call, Hornet extracts the signature from the invoking process's file. This signature is then used to ensure the integrity of both the eBPF instructions and the associated data structures being introduced into the kernel.
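To make the appended-signature scheme concrete, here is an added example in Go; it is not Hornet's code, nor Microsoft's, and it is not taken from the RFC patches. The trailer layout (a 12-byte `struct module_signature` followed by the magic string `~Module signature appended~\n`) is the one the Linux kernel uses for signed modules, which the article says Hornet's scheme resembles; the exact layout Hornet uses must be read from the RFC patches. Because Go's standard library has no PKCS#7 support, an Ed25519 signature stands in for the PKCS#7 blob, and the "eBPF object" is a constructed placeholder byte string, not a real ELF. The example shows how a loader splits the signature off the file, validates the trailer, and refuses to hand back the object unless the signature verifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sigMagic and the trailer layout follow the kernel's module signing scheme
// (struct module_signature + magic string). Hornet's real layout is an
// assumption here; check the RFC patches for the authoritative format.
const sigMagic = "~Module signature appended~\n"

const (
	pkeyIDPKCS7 = 2  // PKEY_ID_PKCS7 in the kernel's module signing enum
	trailerLen  = 12 // sizeof(struct module_signature)
)

// signatureTrailer mirrors struct module_signature: five u8 fields, 3 bytes
// of padding, then a big-endian u32 signature length at offset 8.
type signatureTrailer struct {
	Algo, Hash, IDType, SignerLen, KeyIDLen uint8
	SigLen                                  uint32
}

func encodeTrailer(t signatureTrailer) []byte {
	buf := make([]byte, trailerLen)
	buf[0], buf[1], buf[2], buf[3], buf[4] = t.Algo, t.Hash, t.IDType, t.SignerLen, t.KeyIDLen
	binary.BigEndian.PutUint32(buf[8:], t.SigLen)
	return buf
}

// AppendSignature signs obj and returns obj || sig || trailer || magic.
// Ed25519 is a stand-in for the PKCS#7 signature the article describes.
func AppendSignature(obj []byte, priv ed25519.PrivateKey) []byte {
	sig := ed25519.Sign(priv, obj)
	out := append([]byte{}, obj...)
	out = append(out, sig...)
	out = append(out, encodeTrailer(signatureTrailer{IDType: pkeyIDPKCS7, SigLen: uint32(len(sig))})...)
	return append(out, sigMagic...)
}

// SplitSignature reverses AppendSignature: it returns the unsigned object and
// the raw signature, rejecting blobs whose trailer is missing or malformed.
func SplitSignature(blob []byte) (obj, sig []byte, err error) {
	if len(blob) < len(sigMagic)+trailerLen || !bytes.HasSuffix(blob, []byte(sigMagic)) {
		return nil, nil, errors.New("no appended signature")
	}
	end := len(blob) - len(sigMagic)
	tr := blob[end-trailerLen : end]
	// For PKCS#7 trailers the kernel requires algo, hash, signer_len and
	// key_id_len to be zero; the same rule is applied here.
	if tr[0] != 0 || tr[1] != 0 || tr[2] != pkeyIDPKCS7 || tr[3] != 0 || tr[4] != 0 {
		return nil, nil, errors.New("unsupported signature trailer")
	}
	sigLen := int(binary.BigEndian.Uint32(tr[8:]))
	if sigLen <= 0 || sigLen > end-trailerLen {
		return nil, nil, errors.New("signature length out of range")
	}
	sigStart := end - trailerLen - sigLen
	return blob[:sigStart], blob[sigStart : end-trailerLen], nil
}

// VerifyAppended models the load-time check: split, verify, and only then
// return the instructions and data that may enter the kernel.
func VerifyAppended(blob []byte, pub ed25519.PublicKey) ([]byte, error) {
	obj, sig, err := SplitSignature(blob)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, obj, sig) {
		return nil, errors.New("signature verification failed")
	}
	return obj, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed placeholder standing in for a compiled eBPF object file.
	obj := []byte("\x7fELF placeholder: constructed, not a real eBPF object")

	signed := AppendSignature(obj, priv)
	if _, err := VerifyAppended(signed, pub); err == nil {
		fmt.Println("signed object accepted")
	}

	tampered := append([]byte{}, signed...)
	tampered[4] ^= 0xff // flip one byte inside the protected instructions/data
	if _, err := VerifyAppended(tampered, pub); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
	if _, err := VerifyAppended(obj, pub); err != nil {
		fmt.Println("unsigned object rejected:", err)
	}
}
```

The point worth noting for defenders is the order of operations in `VerifyAppended`: the length field in the trailer is bounds-checked before it is used to slice the file, and nothing about the object is returned to the caller until the signature over the exact bytes that will be loaded has been verified.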
What sets Hornet apart is its inherent trust of programs loaded directly from within the Linux kernel, rather than from user space. This design ensures compatibility with programs preloaded through the BPF_PRELOAD mechanism and guarantees proper handling of statically generated eBPF programs that require no additional user-space manipulation.
In addition to the Hornet module itself (enabled via the SECURITY_HORNET kernel configuration option), Microsoft has also introduced a complementary tool called sign-ebpf, specifically crafted for signing eBPF programs. This utility is directly integrated into the Linux source tree.
At present, the proposal remains under active discussion, and interested parties can explore its technical nuances by reviewing the Hornet RFC patches published in the official Linux repository.