[PATCH v3 08/12] bpf: Implement signature verification for BPF programs
Paul Moore
paul at paul-moore.com
Wed Aug 13 21:02:05 UTC 2025
On Wed, Aug 13, 2025 at 4:55 PM KP Singh <kpsingh at kernel.org> wrote:
>
> This patch extends the BPF_PROG_LOAD command by adding three new fields
> to `union bpf_attr` in the user-space API:
>
> - signature: A pointer to the signature blob.
> - signature_size: The size of the signature blob.
> - keyring_id: The serial number of a loaded kernel keyring (e.g.,
> the user or session keyring) containing the trusted public keys.
>
> When a BPF program is loaded with a signature, the kernel:
>
> 1. Retrieves the trusted keyring using the provided `keyring_id`.
> 2. Verifies the supplied signature against the BPF program's
> instruction buffer.
> 3. If the signature is valid and was generated by a key in the trusted
> keyring, the program load proceeds.
> 4. If no signature is provided, the load proceeds as before, allowing
> for backward compatibility. LSMs can choose to restrict unsigned
> programs and implement a security policy.
> 5. If signature verification fails for any reason,
> the program is not loaded.
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 1 +
> include/linux/verification.h | 1 +
> include/uapi/linux/bpf.h | 10 +++++++
> kernel/bpf/helpers.c | 2 +-
> kernel/bpf/syscall.c | 42 ++++++++++++++++++++++++++-
> tools/include/uapi/linux/bpf.h | 10 +++++++
> tools/lib/bpf/bpf.c | 2 +-
> 7 files changed, 65 insertions(+), 3 deletions(-)

It's nice to see a v3 revision, but it would be good to see some
comments on Blaise's reply to your v2 revision. From what I can see
it should enable the different use cases and requirements that have
been posted.

https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com

--
paul-moore.com