[PATCH v3 08/12] bpf: Implement signature verification for BPF programs

KP Singh kpsingh at kernel.org
Wed Aug 13 21:37:19 UTC 2025


On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Wed, Aug 13, 2025 at 4:55 PM KP Singh <kpsingh at kernel.org> wrote:
> >
> > This patch extends the BPF_PROG_LOAD command by adding three new fields
> > to `union bpf_attr` in the user-space API:
> >
> >   - signature: A pointer to the signature blob.
> >   - signature_size: The size of the signature blob.
> >   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
> >     the user or session keyring) containing the trusted public keys.
> >
> > When a BPF program is loaded with a signature, the kernel:
> >
> > 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> > 2.  Verifies the supplied signature against the BPF program's
> >     instruction buffer.
> > 3.  If the signature is valid and was generated by a key in the trusted
> >     keyring, the program load proceeds.
> > 4.  If no signature is provided, the load proceeds as before, allowing
> >     for backward compatibility. LSMs can choose to restrict unsigned
> >     programs and implement a security policy.
> > 5.  If signature verification fails for any reason,
> >     the program is not loaded.
> >
> > Signed-off-by: KP Singh <kpsingh at kernel.org>
> > ---
> >  crypto/asymmetric_keys/pkcs7_verify.c |  1 +
> >  include/linux/verification.h          |  1 +
> >  include/uapi/linux/bpf.h              | 10 +++++++
> >  kernel/bpf/helpers.c                  |  2 +-
> >  kernel/bpf/syscall.c                  | 42 ++++++++++++++++++++++++++-
> >  tools/include/uapi/linux/bpf.h        | 10 +++++++
> >  tools/lib/bpf/bpf.c                   |  2 +-
> >  7 files changed, 65 insertions(+), 3 deletions(-)
>
> It's nice to see a v3 revision, but it would be good to see some
> comments on Blaise's reply to your v2 revision.  From what I can see
> it should enable the different use cases and requirements that have
> been posted.

I will defer to Alexei and others here (mostly due to time crunch). It
would however be useful to explain the use-cases in which signed maps
are useful (beyond being a different approach than the current
delegated verification).

>
> https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com


>
> --
> paul-moore.com
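The load-time decision sequence from the quoted commit message, as an added model that is not part of the patch or of anything in this thread. Assumptions: keyrings are modelled as a Go map keyed by serial number, the LSM policy as a single boolean, and Ed25519 from Go's standard library stands in for the PKCS#7 verification the patch wires through pkcs7_verify.c.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Keyring stands in for a loaded kernel keyring, looked up by its serial number.
type Keyring struct{ Keys []ed25519.PublicKey }
// ProgLoadAttr: the instruction buffer plus the three new bpf_attr fields; nil Signature = unsigned.
type ProgLoadAttr struct {
	Insns, Signature []byte
	KeyringID        int32
}

var ErrNoKeyring = errors.New("keyring_id does not name a loaded keyring")
var ErrBadSignature = errors.New("signature not valid under any trusted key")
var ErrUnsignedDenied = errors.New("policy denies unsigned programs")
// SignProg produces the detached signature a loader would pass as attr.signature.
func SignProg(priv ed25519.PrivateKey, insns []byte) []byte { return ed25519.Sign(priv, insns) }

// LoadProg walks the five steps from the commit message; keyrings models the kernel's key
// lookup by serial and requireSigned models an LSM that chooses to reject unsigned programs.
func LoadProg(attr ProgLoadAttr, keyrings map[int32]*Keyring, requireSigned bool) error {
	if attr.Signature == nil { // step 4: unsigned load stays allowed unless policy says no
		if requireSigned {
			return ErrUnsignedDenied
		}
		return nil
	}
	kr, ok := keyrings[attr.KeyringID] // step 1
	if !ok {
		return ErrNoKeyring // step 5: any failure rejects the load
	}
	for _, pub := range kr.Keys { // step 2: verify over the instruction buffer
		if ed25519.Verify(pub, attr.Insns, attr.Signature) {
			return nil // step 3: signed by a trusted key
		}
	}
	return ErrBadSignature // step 5
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: demo only
	keyrings := map[int32]*Keyring{42: {Keys: []ed25519.PublicKey{priv.Public().(ed25519.PublicKey)}}}
	insns := []byte("constructed stand-in for a BPF instruction buffer")
	fmt.Println(LoadProg(ProgLoadAttr{insns, SignProg(priv, insns), 42}, keyrings, true))                         // <nil>
	fmt.Println(LoadProg(ProgLoadAttr{append([]byte("x"), insns...), SignProg(priv, insns), 42}, keyrings, true)) // tampered
}
```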