[PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256
Alexei Starovoitov
alexei.starovoitov at gmail.com
Mon Jun 9 17:46:09 UTC 2025
On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh at kernel.org> wrote:
>
> Exclusive maps restrict map access to specific programs using a hash.
> The current hash used for this is SHA1, which is prone to collisions.
> This patch uses SHA256, which is more resilient against
> collisions. This new hash is stored in bpf_prog and used by the verifier
> to determine if a program can access a given exclusive map.
>
> The original 64-bit tags are kept, as they are used by users as a short,
> possibly colliding program identifier for non-security purposes.
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
> ---
> include/linux/bpf.h | 8 ++++++-
> include/linux/filter.h | 6 ------
> kernel/bpf/core.c | 49 ++++++------------------------------------
> 3 files changed, 14 insertions(+), 49 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index d5ae43b36e68..77d62c74a4e7 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -31,6 +31,7 @@
> #include <linux/memcontrol.h>
> #include <linux/cfi.h>
> #include <asm/rqspinlock.h>
> +#include <crypto/sha2.h>
>
> struct bpf_verifier_env;
> struct bpf_verifier_log;
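Review bot: pulling <crypto/sha2.h> into include/linux/bpf.h for the single SHA256_DIGEST_SIZE constant adds a header dependency to every file that includes bpf.h; worth confirming that the include cannot live in kernel/bpf/core.c alone, with only the digest size needed in the struct definition, before widening the dependency of such a heavily included header.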
> @@ -1669,7 +1670,12 @@ struct bpf_prog {
> enum bpf_attach_type expected_attach_type; /* For some prog types */
> u32 len; /* Number of filter blocks */
> u32 jited_len; /* Size of jited insns in bytes */
> - u8 tag[BPF_TAG_SIZE];
> + union {
> + u8 digest[SHA256_DIGEST_SIZE];
> + struct {
> + u8 tag[BPF_TAG_SIZE];
> + };
> + };
Why extra anon struct?
union {
        u8 digest[SHA256_DIGEST_SIZE];
        u8 tag[BPF_TAG_SIZE];
};
should work?
> struct bpf_prog_stats __percpu *stats;
> int __percpu *active;
> unsigned int (*bpf_func)(const void *ctx,
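Review bot: the union makes tag alias the first BPF_TAG_SIZE bytes of digest, so the user-visible 64-bit tag of an existing program becomes a SHA-256 prefix rather than the value it had when derived from SHA-1; the commit message says "The original 64-bit tags are kept", which reads as the values staying the same. The commit message should spell out that the field and its size are kept but its value changes, since tooling that displays or matches program tags will see different tags after this patch.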
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index f5cf4d35d83e..3aa33e904a4e 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -997,12 +997,6 @@ static inline u32 bpf_prog_insn_size(const struct bpf_prog *prog)
> return prog->len * sizeof(struct bpf_insn);
> }
>
> -static inline u32 bpf_prog_tag_scratch_size(const struct bpf_prog *prog)
> -{
> - return round_up(bpf_prog_insn_size(prog) +
> - sizeof(__be64) + 1, SHA1_BLOCK_SIZE);
> -}
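Review bot: removing bpf_prog_tag_scratch_size() from a shared header needs a check that no other in-tree caller remains, since this excerpt only shows the definition going away and the kernel/bpf/core.c side of the change is not included here. If this helper was the only user of SHA1_BLOCK_SIZE in include/linux/filter.h, the SHA-1 header that provided it can be dropped from filter.h in the same patch.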
Nice that we don't need this roundup anymore.