Linux Security Summit Europe 2024

eBPF is now widely used, particularly in monitoring and observability. Sadly, it can modify the system behavior, by using helpers like bpf_override_return() or bpf_send_signal(). It was also the root cause of some CVEs, like CVE-2021-3489 or CVE-2021-3490. Inspektor Gadget is an eBPF tool and systems inspection framework for k8s, containers and linux hosts. eBPF programs run by Inspektor Gadget are packaged as OCI images. This was first done to ease users' lives so they can share and use other's. We also leveraged this to improve eBPF programs' security by signing and verifying them. This presentation will showcase how we make use of cosign to: 1. Sign our OCI images in our CI. 2. Verify them at runtime and deny the execution if the image was not signed with the given public key. Everyone can use Inspektor Gadget to sign and verify their eBPF programs with their own private key. It can then be used to increase overall security of eBPF programs by running only signed ones.