[PATCH 08/12] bpf: Implement signature verification for BPF programs

Alexei Starovoitov alexei.starovoitov at gmail.com
Mon Jun 9 21:39:39 UTC 2025


On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh at kernel.org> wrote:
>
> This patch extends the BPF_PROG_LOAD command by adding three new fields
> to `union bpf_attr` in the user-space API:
>
>   - signature: A pointer to the signature blob.
>   - signature_size: The size of the signature blob.
>   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
>     the user or session keyring) containing the trusted public keys.
>
> When a BPF program is loaded with a signature, the kernel:
>
> 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> 2.  Verifies the supplied signature against the BPF program's
>     instruction buffer.
> 3.  If the signature is valid and was generated by a key in the trusted
>     keyring, the program load proceeds.
> 4.  If no signature is provided, the load proceeds as before, allowing
>     for backward compatibility. LSMs can choose to restrict unsigned
>     programs and implement a security policy.
> 5.  If signature verification fails for any reason,
>     the program is not loaded.
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
> ---
>  include/linux/bpf.h            |  9 +++++++-
>  include/uapi/linux/bpf.h       | 10 +++++++++
>  kernel/bpf/syscall.c           | 39 +++++++++++++++++++++++++++++++++-
>  kernel/trace/bpf_trace.c       |  6 ++++--
>  tools/include/uapi/linux/bpf.h | 10 +++++++++
>  tools/lib/bpf/bpf.c            |  2 +-
>  6 files changed, 71 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 35f1a633d87a..32a41803d61c 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2778,7 +2778,14 @@ bpf_jit_find_kfunc_model(const struct bpf_prog *prog,
>  int bpf_get_kfunc_addr(const struct bpf_prog *prog, u32 func_id,
>                        u16 btf_fd_idx, u8 **func_addr);
>
> -struct bpf_core_ctx {
> +__bpf_kfunc struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags);

No need for __bpf_kfunc attribute in prototypes.
It's only meaningful in definition.

> +__bpf_kfunc struct bpf_key *bpf_lookup_system_key(u64 id);
> +__bpf_kfunc void bpf_key_put(struct bpf_key *bkey);
> +__bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
> +                                          struct bpf_dynptr *sig_p,
> +                                          struct bpf_key *trusted_keyring);
> +

We probably need to move them to kernel/bpf/helper.c first.
Since kernel/trace/bpf_trace.c depends on:
config BPF_EVENTS
        depends on BPF_SYSCALL
        depends on (KPROBE_EVENTS || UPROBE_EVENTS) && PERF_EVENTS

They will still be guarded by CONFIG_KEYS, of course.

> +       struct bpf_core_ctx {

drop extra tab.

>         struct bpf_verifier_log *log;
>         const struct btf *btf;
>  };
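Review bot: the prototypes for bpf_lookup_user_key(), bpf_lookup_system_key(), bpf_key_put() and bpf_verify_pkcs7_signature() take `struct bpf_key *`, but nothing in this hunk declares that type in include/linux/bpf.h; unless it is already declared earlier in the header (the hunk context does not show it), each prototype triggers a "'struct bpf_key' declared inside parameter list" warning and the prototype-scope type will then conflict with the real definition when the kfuncs are compiled. Add a forward declaration `struct bpf_key;` ahead of the block, or move the struct definition into the header together with the kfuncs. Separately, these declarations are unconditional while, per the discussion above, the definitions stay under CONFIG_KEYS; if the new code in kernel/bpf/syscall.c listed in the diffstat calls them directly, a CONFIG_KEYS=n build needs either `static inline` stubs in an `#else` branch (returning NULL / -EOPNOTSUPP so the load fails closed when a signature is supplied) or the call site guarded the same way.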



More information about the Linux-security-module-archive mailing list