[PATCH v2 08/13] bpf: Implement signature verification for BPF programs
James Bottomley
James.Bottomley at HansenPartnership.com
Wed Jul 23 17:11:13 UTC 2025
On Mon, 2025-07-21 at 23:19 +0200, KP Singh wrote:
[...]
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index fd3b895ebebf..b42c3740e053 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -1607,6 +1607,16 @@ union bpf_attr {
> * continuous.
> */
> __u32 fd_array_cnt;
> + /* Pointer to a buffer containing the signature of
> the BPF
> + * program.
> + */
> + __aligned_u64 signature;
> + /* Size of the signature buffer in bytes. */
> + __u32 signature_size;
> + /* ID of the kernel keyring to be used for signature
> + * verification.
> + */
> + __u32 keyring_id;
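Review bot: The new uapi comments on `signature` and `signature_size` say nothing about what the buffer must contain or how large it may be, so userspace cannot tell what the loader will accept, and the kernel side must impose a bound of its own before copying the buffer in. Suggest expanding the `signature_size` comment to name the expected signature encoding and the maximum size the loader accepts once those are settled, e.g. `/* Size of the signature buffer in bytes; buffers larger than the documented maximum are rejected. */`. The `keyring_id` comment should likewise state the value space of the ID — a key serial in the sense of the keyctl interface — since a bare integer field gives no hint of how special keyring values are encoded.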
This should become __s32 to match the value passed in to
bpf_lookup_user_key().
[...]
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 22fda92ab7ce..111f91a99166 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -2779,8 +2779,41 @@ static bool is_perfmon_prog_type(enum
> bpf_prog_type prog_type)
> }
> }
>
> +static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
> + union bpf_attr *attr,
> + bool is_kernel)
> +{
> + bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
> + struct bpf_dynptr_kern sig_ptr, insns_ptr;
> + struct bpf_key *key = NULL;
> + void *sig;
> + int err = 0;
> +
> + key = bpf_lookup_user_key(attr->keyring_id, 0);
> + if (!key)
> + return -ENOKEY;
This still only checks against user keyrings and not the system trusted keyrings, as was pointed out in v1. Since the user keyring specifiers are negative and user key serials begin at 3 or more, there is no overlap with the system keyring specifiers, so you can simply overload attr->keyring_id, as in the patch below.
Regards,
James
---
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 111f91a99166..10fd3ea5d91f 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -13,6 +13,7 @@
#include <linux/slab.h>
#include <linux/sched/signal.h>
#include <linux/vmalloc.h>
+#include <linux/verification.h>
#include <linux/mmzone.h>
#include <linux/anon_inodes.h>
#include <linux/fdtable.h>
@@ -2789,7 +2790,10 @@ static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
void *sig;
int err = 0;
- key = bpf_lookup_user_key(attr->keyring_id, 0);
+ if (system_keyring_id_check(attr->keyring_id) == 0)
+ key = bpf_lookup_system_key(attr->keyring_id);
+ else
+ key = bpf_lookup_user_key(attr->keyring_id, 0);
if (!key)
return -ENOKEY;
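Review bot: The dispatch on `system_keyring_id_check(attr->keyring_id) == 0` makes the meaning of `keyring_id` depend on which small values the kernel reserves for its trusted keyrings, but neither the code nor the uapi comment records that overload; if 0 is among the accepted system IDs, a zero-initialised attr now selects a trusted keyring instead of failing the lookup, which callers should be told explicitly. Add a comment above the new `if`, e.g. `/* IDs accepted by system_keyring_id_check() name kernel trusted keyrings; anything else is a user key serial. */`, and mirror it in the uapi description of `keyring_id`. The two lookups also appear to hand back wrappers with different reference semantics (the system-keyring lookup does not take a key reference, if I read the existing kfuncs correctly), so the release path later in bpf_prog_verify_signature needs to cope with both — worth confirming rather than assuming. The function body continues outside this hunk.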