stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
c4b9373bf5d07306bbe1deec688c8c6739d5711d
git.stella-ops.org/docs-archived/product/advisories/16-Feb-2026 - eBPF micro-witness deterministic replay across distros.md
master fb46a927ad save changes
2026-02-17 00:51:35 +02:00

1.6 KiB
Raw Blame History

16-Feb-2026 - eBPF micro-witness deterministic replay across distros

Advisory source

  • Source: user-provided product advisory text (review session, 2026-02-16 UTC).
  • Scope: CO-RE eBPF micro-witnesses replayable and deterministic across kernels, distros, and toolchains, with DSSE + Sigstore bundle portability.

Outcome

  • Result: partially aligned implementation with confirmed contract and implementation gaps.
  • Decision: advisory translated into product/module docs plus an active implementation sprint.

Confirmed gap themes

  • Runtime collector support check is hard-gated on /sys/kernel/btf/vmlinux; split-BTF/external-vmlinux fallback behavior is not implemented as a deterministic recorded contract.
  • Runtime witness payload lacks required deterministic symbolization tuple for cross-distro replay (symbolizer, libc_variant, sysroot, debug/symbol pointers).
  • Runtime witness generation pipeline is interface-defined but not implemented end-to-end in Scanner.
  • DSSE witness support exists, but per-witness Sigstore bundle contract (trace.sigstore.json) is not standardized in witness storage/export/indexing.

Translation artifacts

  • Active sprint: docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md
  • Product update: docs/product/ebpf-micro-witness-determinism.md
  • Module contract: docs/modules/signals/contracts/ebpf-micro-witness-determinism-profile.md

Notes

  • External web fetches: none.
  • Repository verification inputs included runtime and storage code paths under src/Signals/, src/Scanner/, src/RuntimeInstrumentation/, src/Attestor/, and src/EvidenceLocker/.