[PATCH v2 02/13] bpf: Implement exclusive map creation

KP Singh kpsingh at kernel.org
Mon Aug 11 22:48:30 UTC 2025


On Wed, Jul 30, 2025 at 12:59 AM Fan Wu <wufan at kernel.org> wrote:
>
> On Mon, Jul 21, 2025 at 2:35 PM KP Singh <kpsingh at kernel.org> wrote:
> >
> > Exclusive maps allow maps to only be accessed by a program with a
> > matching hash which is specified in the excl_prog_hash
> > attr.
> >
> > For the signing use-case, this allows the trusted loader program
> > to load the map and verify the integrity
> >
> > Signed-off-by: KP Singh <kpsingh at kernel.org>
> > ---
> >  include/linux/bpf.h            |  1 +
> >  include/uapi/linux/bpf.h       |  2 ++
> >  kernel/bpf/syscall.c           | 32 ++++++++++++++++++++++++++++----
> >  kernel/bpf/verifier.c          |  6 ++++++
> >  tools/include/uapi/linux/bpf.h |  2 ++
> >  5 files changed, 39 insertions(+), 4 deletions(-)
> >
>
> ...
>
> > -static int map_create(union bpf_attr *attr, bool kernel)
> > +static int map_create(union bpf_attr *attr, bpfptr_t uattr)
> >  {
> >         const struct bpf_map_ops *ops;
> >         struct bpf_token *token = NULL;
> > @@ -1527,7 +1528,30 @@ static int map_create(union bpf_attr *attr, bool kernel)
> >                         attr->btf_vmlinux_value_type_id;
> >         }
> >
> > -       err = security_bpf_map_create(map, attr, token, kernel);
> > +       if (attr->excl_prog_hash) {
> > +               bpfptr_t uprog_hash = make_bpfptr(attr->excl_prog_hash, uattr.is_kernel);
> > +
> > +               map->excl_prog_sha = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
> > +               if (!map->excl_prog_sha) {
> > +                       err = -ENOMEM;
> > +                       goto free_map;
> > +               }
> > +
> > +               if (attr->excl_prog_hash_size != SHA256_DIGEST_SIZE) {
> > +                       err = -EINVAL;
> > +                       goto free_map;
> > +               }
>
> Nit: Maybe check the size first to avoid unnecessary kzalloc?

Thanks, fixed.

- KP
>
> -Fan
>
> > +
> > +               if (copy_from_bpfptr(map->excl_prog_sha, uprog_hash,
> > +                                    SHA256_DIGEST_SIZE)) {
> > +                       err = -EFAULT;
> > +                       goto free_map;
> > +               }
> > +       } else if (attr->excl_prog_hash_size) {
> > +               return -EINVAL;
> > +       }
> > +
> > +       err = security_bpf_map_create(map, attr, token, uattr.is_kernel);
> >         if (err)
> >                 goto free_map_sec;
> >
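
Review bot: the "else if (attr->excl_prog_hash_size)" branch returns -EINVAL directly, while every other failure in this block sets err and jumps to free_map. By this point map has already been allocated (the branch above stores into map->excl_prog_sha), so the bare return skips the cleanup and leaks the map. Suggest "err = -EINVAL; goto free_map;" here to match the other error paths. The free_map label itself is not shown in this hunk, so it is also worth confirming that it frees map->excl_prog_sha, since the -EINVAL and -EFAULT paths reach it after the kzalloc has succeeded.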


