The recording of my talk at #lsfmmbpf is now online: https://youtu.be/9p4qviq60z8 I talk about a proof of concept which explores how we could make #ebpf safer without having to rely on signing BPF itself. Uses kfuncs, BPF LSM, #fsverity and IMA under the hood.

Released fsverity-hash 0.0.5, with a CLI interface https://pypi.org/project/fsverity-hash/ #Python #FSVerity
$ fsverity digest spam.txt
sha256:3ed673d5323c9e1c60820f207464b0b858a90ba4ff940b123dd16b425699cebe spam.txt
$ python3 -m fsverity_hash spam.txt
sha256:3ed673d5323c9e1c60820f207464b0b858a90ba4ff940b123dd16b425699cebe spam.txt

Prototype of #python fs-verity hash now goes to 8 billion. A bit more tinkering, then I'll make a package https://gist.github.com/moreati/97895490d7c69d13dde1e6e5114f069d #fsverity

GrapheneOS continues to work on improving verified boot and hardware attestation security significantly beyond the basic system in standard Android 13.

As part of this, our app repository client now supports installing fs-verity metadata with packages:

https://grapheneos.social/@GrapheneOS/109746860952845724

#grapheneos #privacy #security #android #verifiedboot #attestation #measuredboot #fsverity #integrity #auditor