[PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests
Alexei Starovoitov
alexei.starovoitov at gmail.com
Tue Jun 10 00:45:27 UTC 2025
On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh at kernel.org> wrote:
>
> Convert the kernel's generated verification certificate into a C header
> file using xxd. Finally, update the main test runner to load this
> certificate into the session keyring via the add_key() syscall before
> executing any tests.
>
> The kernel's module signing verification certificate is converted to a
> header file and loaded as a session key and all light skeleton tests are
> updated to be signed.
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
> ---
> tools/testing/selftests/bpf/.gitignore | 1 +
> tools/testing/selftests/bpf/Makefile | 13 +++++++++++--
> tools/testing/selftests/bpf/test_progs.c | 13 +++++++++++++
> 3 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
> index e2a2c46c008b..5ab96f8ab1c9 100644
> --- a/tools/testing/selftests/bpf/.gitignore
> +++ b/tools/testing/selftests/bpf/.gitignore
> @@ -45,3 +45,4 @@ xdp_redirect_multi
> xdp_synproxy
> xdp_hw_metadata
> xdp_features
> +verification_cert.h
> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
> index cf5ed3bee573..778b54be7ef4 100644
> --- a/tools/testing/selftests/bpf/Makefile
> +++ b/tools/testing/selftests/bpf/Makefile
> @@ -7,6 +7,7 @@ CXX ?= $(CROSS_COMPILE)g++
>
> CURDIR := $(abspath .)
> TOOLSDIR := $(abspath ../../..)
> +CERTSDIR := $(abspath ../../../../certs)
> LIBDIR := $(TOOLSDIR)/lib
> BPFDIR := $(LIBDIR)/bpf
> TOOLSINCDIR := $(TOOLSDIR)/include
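Review bot: CERTSDIR on the added line is a fixed path, `$(abspath ../../../../certs)`, resolved relative to the selftests directory, so the key and certificate are only found when they sit in the source tree's certs/ directory. Suggest `CERTSDIR ?=` so it can be overridden from the command line or environment, or deriving it from the kernel build output directory when one is in use.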
> @@ -534,7 +535,7 @@ HEADERS_FOR_BPF_OBJS := $(wildcard $(BPFDIR)/*.bpf.h) \
> # $1 - test runner base binary name (e.g., test_progs)
> # $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, bpf_gcc, etc)
> define DEFINE_TEST_RUNNER
> -
> +LSKEL_SIGN := -S -k $(CERTSDIR)/signing_key.pem -i $(CERTSDIR)/signing_key.x509
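Review bot: LSKEL_SIGN is assigned inside `define DEFINE_TEST_RUNNER` but uses neither `$1` nor `$2`, so each expansion of the template re-assigns the same value; setting it once at top level next to CERTSDIR would read more clearly. A short comment saying what the signing key and certificate passed via `-k` and `-i` are used for would also help, since in the lines shown nothing ties the signed skeletons to those two files existing.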
Can we do a fallback for setups without CONFIG_MODULE_SIG?
Reuse setup() helper from verify_sig_setup.sh?
Doesn't have to be right away. It can be a follow-up.