[PATCH v2 13/13] selftests/bpf: Add test for signed programs
KP Singh
kpsingh at kernel.org
Mon Jul 21 21:19:58 UTC 2025
This is a basic test that checks if bpf_prog_verify_signature is called
and returns success for a valid program by loading a program that
captures the return value of bpf_prog_verify_signature and then loading
a signed skeleton.
Signed-off-by: KP Singh <kpsingh at kernel.org>
---
.../selftests/bpf/prog_tests/signing.c | 36 +++++++++++++++++++
tools/testing/selftests/bpf/progs/signing.c | 16 +++++++++
2 files changed, 52 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/signing.c
create mode 100644 tools/testing/selftests/bpf/progs/signing.c
diff --git a/tools/testing/selftests/bpf/prog_tests/signing.c b/tools/testing/selftests/bpf/prog_tests/signing.c
new file mode 100644
index 000000000000..0c4fca8cd86f
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/signing.c
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2025 Google */
+#include <test_progs.h>
+#include "signing.skel.h"
+#include "fentry_test.lskel.h"
+
+void test_signing(void)
+{
+ struct signing *skel = NULL;
+ struct fentry_test_lskel *lskel = NULL;
+ int err;
+
+ /* load a program that verifies the result of signing */
+ skel = signing__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "signing_skel_load"))
+ goto close_prog;
+
+ err = signing__attach(skel);
+ if (!ASSERT_OK(err, "signing_attach"))
+ goto close_prog;
+
+ /* Load a signed light skeleton */
+ lskel = fentry_test_lskel__open_and_load();
+ if (!ASSERT_OK_PTR(lskel, "signing_skel_load"))
+ goto close_prog;
+
+ err = fentry_test_lskel__attach(lskel);
+ if (!ASSERT_OK(err, "signing_attach"))
+ goto close_prog;
+
+ ASSERT_OK(skel->data->sig_verify_retval, "bpf_prog_verify_signature");
+
+close_prog:
+ signing__destroy(skel);
+ fentry_test_lskel__destroy(lskel);
+}
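Review bot: Only the accept path is covered: the single check on `skel->data->sig_verify_retval` passes when verification returned 0, and nothing in this file loads a light skeleton whose signature is missing or does not match and asserts that the load is refused, which is the property a signing feature has to guarantee. A follow-up subtest for the rejection case would close that gap. Separately, the two `fentry_test_lskel` checks reuse the labels of the `signing` checks, so a failure log cannot tell which step failed; `ASSERT_OK_PTR(lskel, "fentry_test_lskel_load")` and `ASSERT_OK(err, "fentry_test_lskel_attach")` would disambiguate. A comment above the final assert such as `/* still -INT_MAX if the fexit hook never ran, so a skipped verification also fails here */` would document why the sentinel matters.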
diff --git a/tools/testing/selftests/bpf/progs/signing.c b/tools/testing/selftests/bpf/progs/signing.c
new file mode 100644
index 000000000000..cc03f6363975
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/signing.c
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2025 Google */
+#include "vmlinux.h"
+#include <limits.h>
+#include <bpf/bpf_tracing.h>
+
+char _license[] SEC("license") = "GPL";
+
+__u64 sig_verify_retval = -INT_MAX;
+
+SEC("fexit/bpf_prog_verify_signature")
+int BPF_PROG(bpf_sign, struct bpf_prog *prog, union bpf_attr *attr, bool is_kernel, int ret)
+{
+ sig_verify_retval = ret;
+ return 0;
+}
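Review bot: `sig_verify_retval` is overwritten on every return from `bpf_prog_verify_signature`, whichever task triggered it, so with parallel test runs or another loader active the value the test reads may belong to a different program load. The usual selftest guard is a `my_pid` global that user space sets before attach, with `if ((bpf_get_current_pid_tgid() >> 32) != my_pid) return 0;` as the first line of `bpf_sign`; this assumes the signed load runs in the test's own task, which is not shown here. The result is also stored in a `__u64` although `ret` is an `int`; `int sig_verify_retval = -INT_MAX;` keeps the sentinel and a negative errno readable without relying on sign extension and truncation.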
--
2.43.0