Add proposal for adding a hash to the PE image #4768
base: main
7416b4d to 937fee1
- Fix netsh command syntax to use optional tags: [filename=]<path>
- Clarify ELF hash embedding context - only present if compiled with hash embedding
- Fix size discrepancy: 64 bytes for SHA256 hex representation (not 32)
- Fix bash code blocks to PowerShell (Get-FileHash is PowerShell, not bash)
- Remove implementation details section as requested by reviewer
Pull request overview
This PR introduces a proposal document that describes a new feature for embedding SHA-256 hashes of ELF files into generated PE images during eBPF compilation. The proposal aims to provide traceability and integrity verification capabilities for the eBPF for Windows ecosystem.
Key Changes
- Comprehensive proposal document covering hash embedding in PE images, a new API for hash extraction, and a NetSh command-line interface
- Documentation includes technical implementation details, use cases, testing strategy, and security considerations
- Provides examples of command usage and expected outputs for hash verification workflows
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
748f9af to b2cc513
Signed-off-by: GitHub Copilot <copilot@github.com>
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
| **Technical Implementation:** | ||
| ```cpp | ||
| #pragma const_seg(push, "hash") | ||
| const uint8_t _elf_hash[] = { /* hash bytes */ }; |
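Review bot: `const uint8_t _elf_hash[]` takes its length from the initializer, so a generator defect that emits a short or over-long digest still compiles and ships. Pin the size in the documented snippet, for example with `static_assert(sizeof(_elf_hash) == 32, "SHA-256 digest")`, and show the `#pragma const_seg(pop)` that closes the `push` on the first line, which the visible lines do not include.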
Copilot
AI
Jan 7, 2026
The code example shows hash bytes as "/* hash bytes */" which is a placeholder comment, but the example output in lines 70-72 shows the hash formatted with spaces grouping bytes. Consider clarifying in the Technical Implementation section whether the actual generated code will include the full 32-byte array literal (e.g., "0xa1, 0xb2, 0xc3, ...") or if this is intentionally left as a placeholder for the documentation.
| const uint8_t _elf_hash[] = { /* hash bytes */ }; | |
| // bpf2c generates a full 32-byte SHA-256 array here; the values below are an example. | |
| const uint8_t _elf_hash[] = { | |
| 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, | |
| 0x29, 0x3a, 0x4b, 0x5c, 0x6d, 0x7e, 0x8f, 0x90, | |
| 0x01, 0x12, 0x23, 0x34, 0x45, 0x56, 0x67, 0x78, | |
| 0x89, 0x9a, 0xab, 0xbc, 0xcd, 0xde, 0xef, 0xf0, | |
| }; |
| Without `hashonly` flag: | ||
| ``` | ||
| Hash for example.sys: | ||
| Size: 32 bytes | ||
| Data: a1b2c3d4e5f6789a bcdef012345678ab cdef0123456789ab cdef0123456789ab | ||
| ``` | ||
|
|
||
| With `hashonly` flag: | ||
| ``` | ||
| A1B2C3D4E5F6789ABCDEF012345678ABCDEF0123456789ABCDEF0123456789AB | ||
| ``` |
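Review bot: both output examples cover only the success case; nothing here says what the command prints or returns for a PE image that has no embedded hash. Document that case for both modes (error text, a non-zero status, and nothing on standard output under `hashonly`), so a script comparing the `hashonly` value never treats an empty string as a hash. It would also help to state that `Size: 32 bytes` counts raw digest bytes while the `hashonly` line is 64 hexadecimal characters.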
Copilot
AI
Jan 7, 2026
The example output shows inconsistent hash formatting between the two examples. In the "Without hashonly flag" example (lines 70-72), the hash is shown in lowercase with spaces separating groups of bytes. In the "With hashonly flag" example (line 76), it's shown in uppercase without spaces. While this might reflect the actual output format, it would be helpful to explicitly document this formatting difference or ensure the byte representation in line 71 accurately reflects what the actual command outputs (the hash appears to be split into 4 groups of 8 bytes each, which totals to 32 bytes as stated).
|
|
||
| **Parameters:** | ||
| - `filename`: Required path to the PE file | ||
| - `hashonly`: Optional flag to output only the hash value (compatible with PowerShell Get-FileHash format) |
Copilot
AI
Jan 7, 2026
The parameter description for "hashonly" states it's "compatible with PowerShell Get-FileHash format", but the example shows the hash output in uppercase without any PowerShell property formatting (like "Algorithm : SHA256" or "Hash : ..."). While the hash value itself matches Get-FileHash's format, clarifying that only the hash value is compatible (not the full output format) would make this more precise.
| - `hashonly`: Optional flag to output only the hash value (compatible with PowerShell Get-FileHash format) | |
| - `hashonly`: Optional flag to output only the hash value as a hexadecimal string (compatible with the `Hash` value from PowerShell `Get-FileHash`, but not its full formatted output) |
Description
Document the proposal for providing a SHA256 hash of the ELF file used to generate a PE image (dll or sys file).
Testing
N/A
Documentation
Yes
Installation
No
Issue Link
Related to #4758.
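
The check the proposal enables, written as an independent verifier; this is an added example, not code from the pull request or from eBPF for Windows. It assumes the raw 32-byte digest sits at the start of the PE section named `hash` (the name in the `#pragma const_seg` line quoted above); the function names and the sample image are constructed for illustration.

```python
import hashlib
import hmac
import struct

SECTION = b"hash"  # section name from the proposal's #pragma const_seg(push, "hash")

def read_section(pe: bytes, name: bytes) -> bytes:
    """Return the named section's bytes from a PE image, checking bounds."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; section table follows the optional header.
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(count):
        sec, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if sec.rstrip(b"\0") == name:
            size = min(vsize, rsize) if vsize else rsize
            if rptr + size > len(pe):
                raise ValueError("section data runs past end of file")
            return pe[rptr:rptr + size]
    raise LookupError("no hash section (image built without hash embedding?)")

def embedded_hash_hex(pe: bytes) -> str:
    """Embedded digest as uppercase hex, the form shown in the `hashonly` example."""
    digest = read_section(pe, SECTION)[:32]  # assumption: raw digest at section start
    if len(digest) != 32:
        raise ValueError("hash section shorter than a SHA-256 digest")
    return digest.hex().upper()

def matches_elf(pe: bytes, elf: bytes) -> bool:
    """True when the embedded digest equals SHA-256 of the given ELF bytes."""
    expected = hashlib.sha256(elf).hexdigest().upper()
    return hmac.compare_digest(embedded_hash_hex(pe), expected)

def build_sample_pe(digest: bytes, name: bytes = SECTION) -> bytes:
    """Constructed minimal image (headers + one section) used only as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # one section, no optional header
    rptr = 0x40 + 4 + len(coff) + 40
    sect = struct.pack("<8sIIIIIIHHI", name, len(digest), 0x1000,
                       len(digest), rptr, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + sect + digest

if __name__ == "__main__":
    elf = b"\x7fELF constructed sample object"
    pe = build_sample_pe(hashlib.sha256(elf).digest())
    print(embedded_hash_hex(pe), matches_elf(pe, elf))
```

A match ties the image to a specific ELF input; because the digest lives inside the image, it says nothing about who produced the image unless the PE's own signature has been verified first.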