[PATCH 1/3] bpf: Add bpf_check_signature
kernel test robot
lkp at intel.com
Thu May 29 07:39:19 UTC 2025
Hi Blaise,
kernel test robot noticed the following build errors:
[auto build test ERROR on bpf-next/net]
[also build test ERROR on bpf/master v6.15]
[cannot apply to bpf-next/master linus/master next-20250528]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Blaise-Boscaccy/bpf-Add-bpf_check_signature/20250529-055248
base: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git net
patch link: https://lore.kernel.org/r/20250528215037.2081066-2-bboscaccy%40linux.microsoft.com
patch subject: [PATCH 1/3] bpf: Add bpf_check_signature
config: arc-randconfig-002-20250529 (https://download.01.org/0day-ci/archive/20250529/202505291545.Or5jFXUA-lkp@intel.com/config)
compiler: arc-linux-gcc (GCC) 13.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250529/202505291545.Or5jFXUA-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp at intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505291545.Or5jFXUA-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/bpf/syscall.c: In function 'bpf_check_signature':
>> kernel/bpf/syscall.c:2797:23: error: implicit declaration of function 'verify_pkcs7_signature'; did you mean 'verify_signature'? [-Werror=implicit-function-declaration]
2797 | err = verify_pkcs7_signature(hash, sizeof(hash), signature, attr->signature_size,
| ^~~~~~~~~~~~~~~~~~~~~~
| verify_signature
cc1: some warnings being treated as errors
vim +2797 kernel/bpf/syscall.c
2766
2767 static int bpf_check_signature(struct bpf_prog *prog, union bpf_attr *attr, bpfptr_t uattr,
2768 __u32 uattr_size)
2769 {
2770 u64 hash[4];
2771 u64 buffer[8];
2772 int err;
2773 char *signature;
2774 int *used_maps;
2775 int n;
2776 int map_fd;
2777 struct bpf_map *map;
2778
2779 if (!attr->signature)
2780 return 0;
2781
2782 signature = kmalloc(attr->signature_size, GFP_KERNEL);
2783 if (!signature) {
2784 err = -ENOMEM;
2785 goto out;
2786 }
2787
2788 if (copy_from_bpfptr(signature,
2789 make_bpfptr(attr->signature, uattr.is_kernel),
2790 attr->signature_size) != 0) {
2791 err = -EINVAL;
2792 goto free_sig;
2793 }
2794
2795 if (!attr->signature_maps_size) {
2796 sha256((u8 *)prog->insnsi, prog->len * sizeof(struct bpf_insn), (u8 *)&hash);
> 2797 err = verify_pkcs7_signature(hash, sizeof(hash), signature, attr->signature_size,
2798 VERIFY_USE_SECONDARY_KEYRING,
2799 VERIFYING_EBPF_SIGNATURE,
2800 NULL, NULL);
2801 } else {
2802 used_maps = kmalloc_array(attr->signature_maps_size,
2803 sizeof(*used_maps), GFP_KERNEL);
2804 if (!used_maps) {
2805 err = -ENOMEM;
2806 goto free_sig;
2807 }
2808 n = attr->signature_maps_size;
2809 n--;
2810
2811 err = copy_from_bpfptr_offset(&map_fd, make_bpfptr(attr->fd_array, uattr.is_kernel),
2812 used_maps[n] * sizeof(map_fd),
2813 sizeof(map_fd));
2814 if (err < 0)
2815 goto free_maps;
2816
2817 /* calculate the terminal hash */
2818 CLASS(fd, f)(map_fd);
2819 map = __bpf_map_get(f);
2820 if (IS_ERR(map)) {
2821 err = PTR_ERR(map);
2822 goto free_maps;
2823 }
2824 if (__map_get_hash(map, (u8 *)hash)) {
2825 err = -EINVAL;
2826 goto free_maps;
2827 }
2828
2829 n--;
2830 /* calculate a link in the hash chain */
2831 while (n >= 0) {
2832 memcpy(buffer, hash, sizeof(hash));
2833 err = copy_from_bpfptr_offset(&map_fd,
2834 make_bpfptr(attr->fd_array, uattr.is_kernel),
2835 used_maps[n] * sizeof(map_fd),
2836 sizeof(map_fd));
2837 if (err < 0)
2838 goto free_maps;
2839
2840 CLASS(fd, f)(map_fd);
2841 map = __bpf_map_get(f);
2842 if (!map) {
2843 err = -EINVAL;
2844 goto free_maps;
2845 }
2846 if (__map_get_hash(map, (u8 *)buffer+4)) {
2847 err = -EINVAL;
2848 goto free_maps;
2849 }
2850 sha256((u8 *)buffer, sizeof(buffer), (u8 *)&hash);
2851 n--;
2852 }
2853 /* calculate the root hash and verify it's signature */
2854 sha256((u8 *)prog->insnsi, prog->len * sizeof(struct bpf_insn), (u8 *)&buffer);
2855 memcpy(buffer+4, hash, sizeof(hash));
2856 sha256((u8 *)buffer, sizeof(buffer), (u8 *)&hash);
2857 err = verify_pkcs7_signature(hash, sizeof(hash), signature, attr->signature_size,
2858 VERIFY_USE_SECONDARY_KEYRING,
2859 VERIFYING_EBPF_SIGNATURE,
2860 NULL, NULL);
2861 free_maps:
2862 kfree(used_maps);
2863 }
2864
2865 free_sig:
2866 kfree(signature);
2867 out:
2868 prog->aux->signature_verified = !err;
2869 return err;
2870 }
2871
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
More information about the Linux-security-module-archive
mailing list