[PATCH 0/3] BPF signature verification

Jarkko Sakkinen jarkko at kernel.org
Wed Jun 4 16:22:04 UTC 2025 

On Wed, May 28, 2025 at 02:49:02PM -0700, Blaise Boscaccy wrote:
> As suggested or mandated by KP Singh
> https://lore.kernel.org/linux-security-module/CACYkzJ6VQUExfyt0=-FmXz46GHJh3d=FXh5j4KfexcEFbHV-vg@mail.gmail.com/,
> this patchset proposes and implements an alternative hash-chain
> algorithm for signature verification of BPF programs.
> 
> This design diverges in two key ways:
> 
> 1. Signature Strategy
> 
> Two different signature strategies are
> implemented. One verifies only the signature of the loader program in
> the kernel, as described in the link above. The other verifies the

Describe "the one" briefly, despite having the link.  Label them A and
B, and also, why there are two strategies. Then you can use those labels
as references later on in this description.

> program’s maps in-kernel via a hash chain.  The original design
> required loader programs to be “self-aborting” and embedded the
> terminal hash verification logic as metaprogramming code generation
> routines inside libbpf. While this patchset supports that scheme, it
> is considered undesirable in certain environments due to the potential
> for supply-chain attack vectors and the lack of visibility for the LSM
> subsystem.  Additionally, it is impossible to verify the code
> performing the signature verification, as it is uniquely regenerated
> for every program.
> 
> 2. Timing of Signature Check
> 
> This patchset moves the signature check to a point before
> security_bpf_prog_load is invoked, due to an unresolved discussion
> here:
> https://lore.kernel.org/linux-security-module/CAHC9VhTj3=ZXgrYMNA+G64zsOyZO+78uDs1g=kh91=GR5KypYg@mail.gmail.com/
> This change allows the LSM subsystem to be informed of the signature
> verification result—if it occurred—and the method used, all without
> introducing a new hook. It improves visibility and auditability,
> reducing the “trust me, friend” aspect of the original design.
> 
> 
> Blaise Boscaccy (3):
>   bpf: Add bpf_check_signature
>   bpf: Support light-skeleton signatures in autogenerated code
>   bpftool: Allow signing of light-skeleton programs
> 
>  include/linux/bpf.h            |   2 +
>  include/linux/verification.h   |   1 +
>  include/uapi/linux/bpf.h       |   4 +
>  kernel/bpf/arraymap.c          |  11 +-
>  kernel/bpf/syscall.c           | 123 +++++++++++++++++++-
>  tools/bpf/bpftool/Makefile     |   4 +-
>  tools/bpf/bpftool/common.c     | 204 +++++++++++++++++++++++++++++++++
>  tools/bpf/bpftool/gen.c        |  66 ++++++++++-
>  tools/bpf/bpftool/main.c       |  24 +++-
>  tools/bpf/bpftool/main.h       |  23 ++++
>  tools/include/uapi/linux/bpf.h |   4 +
>  tools/lib/bpf/libbpf.h         |   4 +
>  tools/lib/bpf/skel_internal.h  |  28 ++++-
>  13 files changed, 491 insertions(+), 7 deletions(-)
> 
> -- 
> 2.48.1
> 

BR, Jarkko

More information about the Linux-security-module-archive mailing list