Security Issue: Missing Artifact Integrity Validation
Problem
The eBPF VM verifier workflow (ebpf-vm-verifier-tests.yml) downloads BPF artifacts without integrity verification, which poses a security risk.
Location: .github/workflows/ebpf-vm-verifier-tests.yml lines 83-88
```yaml
- name: Download BPF artifacts
  uses: actions/download-artifact@v4
  with:
    name: bpf-programs
    path: bpf-programs/
```
Security Risk
- Artifacts are downloaded and executed without checksum verification
- No signature validation to ensure artifacts haven't been tampered with
- Could allow malicious code execution if artifacts are compromised
Recommended Solutions
- Add checksum verification:
  - Generate checksums during artifact upload
  - Verify checksums after download
  - Fail the workflow if checksums don't match
- Implement artifact signing:
  - Sign artifacts during build process
  - Verify signatures before execution
  - Use GitHub's artifact attestation features if available
- Use secure artifact storage:
  - Consider using GitHub's artifact attestation API
  - Implement content-based verification
Example Implementation
```yaml
- name: Download BPF artifacts
  uses: actions/download-artifact@v4
  with:
    name: bpf-programs
    path: bpf-programs/
- name: Verify artifact integrity
  run: |
    # Download expected checksums
    # Verify artifact checksums
    sha256sum -c bpf-programs/checksums.txt
```
Priority
Medium - Security improvement for CI/CD pipeline integrity
Related
This issue was identified during comprehensive PR review of kernel integration testing infrastructure (PR #78).
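The checksum recommendation above, carried through as an added example (not code from this repository): a build-side manifest generator and a strict consumer-side check that also rejects files absent from the manifest, which `sha256sum -c` alone does not do. The function names, the use of GNU coreutils, and publishing the manifest digest outside the artifact (for example as a job output) are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Assumes GNU coreutils/findutils (as on Linux CI runners).
# MANIFEST and all function names are hypothetical, not from the project.
MANIFEST="checksums.txt"

# Build job: record a SHA-256 line for every file under $1 except the manifest.
make_manifest() {
  (
    cd "$1" || exit 1
    find . -type f ! -path "./$MANIFEST" -print0 | sort -z |
      xargs -0 -r sha256sum > "$MANIFEST"
  )
}

# Digest of the manifest itself. Assumption: the build job publishes this value
# outside the artifact (for example as a job output), so that replacing both
# the files and checksums.txt inside the artifact is still detected.
manifest_digest() {
  sha256sum "$1/$MANIFEST" | cut -d' ' -f1
}

# Consumer job: succeed only if (1) the manifest matches the pinned digest,
# (2) every listed file hashes correctly, (3) no unlisted file is present.
verify_artifacts() {
  local dir="$1" expected="$2" listed present
  [ -f "$dir/$MANIFEST" ] || { echo "manifest missing" >&2; return 1; }
  [ "$(manifest_digest "$dir")" = "$expected" ] ||
    { echo "manifest digest mismatch" >&2; return 1; }
  ( cd "$dir" && sha256sum --check --strict --quiet "$MANIFEST" ) ||
    { echo "file checksum mismatch" >&2; return 1; }
  # sha256sum -c ignores files that are not listed, so compare the file sets.
  listed="$(sed 's/^[0-9a-f]\{64\} [ *]//' "$dir/$MANIFEST" | sort)"
  present="$(cd "$dir" && find . -type f ! -path "./$MANIFEST" | sort)"
  [ "$listed" = "$present" ] ||
    { echo "file set differs from manifest" >&2; return 1; }
}
```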