[PATCH v2 08/13] bpf: Implement signature verification for BPF programs

KP Singh kpsingh at kernel.org
Thu Jul 24 17:22:35 UTC 2025


On Wed, Jul 23, 2025 at 7:11 PM James Bottomley
<James.Bottomley at hansenpartnership.com> wrote:
>
> On Mon, 2025-07-21 at 23:19 +0200, KP Singh wrote:
> [...]
>
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index fd3b895ebebf..b42c3740e053 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -1607,6 +1607,16 @@ union bpf_attr {
> >                * continuous.
> >                */
> >               __u32           fd_array_cnt;
> > +             /* Pointer to a buffer containing the signature of
> > the BPF
> > +              * program.
> > +              */
> > +             __aligned_u64   signature;
> > +             /* Size of the signature buffer in bytes. */
> > +             __u32           signature_size;
> > +             /* ID of the kernel keyring to be used for signature
> > +              * verification.
> > +              */
> > +             __u32           keyring_id;
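
Review bot: The comments on the new `signature` and `signature_size` fields do not say how an unsigned load is expressed or whether `signature_size` has an upper bound. Since this is uapi, the comment should state what a zero `signature` or `signature_size` means and what sizes are accepted, so userspace does not have to read kernel/bpf/syscall.c to find out.
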
>
> This should become __s32 to match the value passed in to
> bpf_lookup_user_key().
>
> [...]
> > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> > index 22fda92ab7ce..111f91a99166 100644
> > --- a/kernel/bpf/syscall.c
> > +++ b/kernel/bpf/syscall.c
> > @@ -2779,8 +2779,41 @@ static bool is_perfmon_prog_type(enum
> > bpf_prog_type prog_type)
> >       }
> >  }
> >
> > +static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
> > +                                           union bpf_attr *attr,
> > +                                           bool is_kernel)
> > +{
> > +     bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
> > +     struct bpf_dynptr_kern sig_ptr, insns_ptr;
> > +     struct bpf_key *key = NULL;
> > +     void *sig;
> > +     int err = 0;
> > +
> > +     key = bpf_lookup_user_key(attr->keyring_id, 0);
> > +     if (!key)
> > +             return -ENOKEY;
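
Review bot: In the declarations of bpf_prog_verify_signature(), `key` is initialised to NULL and then assigned unconditionally by the first statement, so the initialiser is dead; `struct bpf_key *key;` is enough. A short comment above the function listing the errors it can return (-ENOKEY here) would also help callers.
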
>
> This still only checks against user keyrings and not system trusted
> keyrings as was pointed out in v1.  Since user keyrings are negative
> and user key serials begin at 3 or more, there's no overlap with the
> system keyring specifiers and you can just overload attr->keyring_id,
> like the below.
>
> Regards,
>
> James
>
> ---
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 111f91a99166..10fd3ea5d91f 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -13,6 +13,7 @@
>  #include <linux/slab.h>
>  #include <linux/sched/signal.h>
>  #include <linux/vmalloc.h>
> +#include <linux/verification.h>
>  #include <linux/mmzone.h>
>  #include <linux/anon_inodes.h>
>  #include <linux/fdtable.h>
> @@ -2789,7 +2790,10 @@ static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
>         void *sig;
>         int err = 0;
>
> -       key = bpf_lookup_user_key(attr->keyring_id, 0);
> +       if (system_keyring_id_check(attr->keyring_id) == 0)
> +               key = bpf_lookup_system_key(attr->keyring_id);
> +       else
> +               key = bpf_lookup_user_key(attr->keyring_id, 0);
>         if (!key)
>                 return -ENOKEY;
>
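
Review bot: The branch on `system_keyring_id_check(attr->keyring_id)` depends on system keyring specifiers, negative user keyring specifiers and user key serials (3 or more) never overlapping, but that reasoning is recorded only in the mail, not in the code. Add a comment above the `if` stating it, and extend the `keyring_id` comment in include/uapi/linux/bpf.h to say that system keyring specifiers are accepted. It is also worth stating what a `keyring_id` of 0 selects, since that is the value a zero-filled bpf_attr carries.
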

Thanks James, updated.

- KP
