[PATCH 1/3] bpf: Add bpf_check_signature

James Bottomley James.Bottomley at HansenPartnership.com
Thu May 29 19:36:14 UTC 2025


On Thu, 2025-05-29 at 21:31 +0200, Lukas Wunner wrote:
> On Thu, May 29, 2025 at 08:32:43AM -0700, Blaise Boscaccy wrote:
> > Lukas Wunner <lukas at wunner.de> writes:
> > > Constraining oneself to sha256 doesn't seem future-proof.
> > 
> > Definitely not a bad idea, curious, how would you envision that
> > looking from a UAPI perspective?
> 
> If possible, extend the anonymous struct used by BPF_PROG_LOAD
> command with an additional parameter to select the hash algorithm.
> 
> Alternatively, create a new command to set the hash algorithm for
> subsequent BPF_PROG_LOAD commands.

Both of those look like less than good ideas.  There's not much point
having a hash that's different from the hash used in the signature
(which is currently sha256), so we could simply extract the hash from
the PKCS7 bundle and use that.  We can also get bonus points this way
for not modifying any internal APIs ...

Regards,

James
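
The suggestion above works because a PKCS#7 SignedData bundle names its own digest algorithm. The following userspace sketch is an added illustration, not code from this thread, the patch series or the kernel: it walks a constructed, signer-less bundle to the first `digestAlgorithms` entry, and `der_enter`, `pkcs7_first_digest` and `sample_p7` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a minimal PKCS#7 SignedData with no signers (not real data). */
const uint8_t sample_p7[] = {
    0x30,0x30, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02, /* signedData */
    0xa0,0x23, 0x30,0x21, 0x02,0x01,0x01,                              /* version 1 */
    0x31,0x0d, 0x30,0x0b, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
    0x30,0x0b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01, 0x31,0x00 };

/* Match one DER header with the given tag; move *p to its value and set *len. */
static int der_enter(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    const uint8_t *q = *p;
    size_t l, n;
    if (end - q < 2 || q[0] != tag) return -1;
    l = q[1]; q += 2;
    if (l & 0x80) {                        /* long form: next n bytes hold the length */
        n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (l = 0; n--; q++) l = (l << 8) | *q;
    }
    if ((size_t)(end - q) < l) return -1;  /* value must lie inside the buffer */
    *p = q; *len = l;
    return 0;
}

/* Name of the first digestAlgorithms entry (SHA-2 only), or NULL if absent or malformed. */
const char *pkcs7_first_digest(const uint8_t *buf, size_t buflen)
{
    static const uint8_t sd[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02};
    static const uint8_t sha2[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02};
    const uint8_t *p = buf, *end = buf + buflen;
    size_t len;
    if (der_enter(&p, end, 0x30, &len)) return NULL;   /* ContentInfo */
    if (der_enter(&p, end, 0x06, &len) || len != 9 || memcmp(p, sd, 9)) return NULL;
    p += len;                                          /* skip contentType OID */
    if (der_enter(&p, end, 0xa0, &len)) return NULL;   /* [0] EXPLICIT */
    if (der_enter(&p, end, 0x30, &len)) return NULL;   /* SignedData */
    if (der_enter(&p, end, 0x02, &len)) return NULL;   /* version */
    p += len;                                          /* skip version value */
    if (der_enter(&p, end, 0x31, &len) || len == 0) return NULL; /* digestAlgorithms */
    if (der_enter(&p, end, 0x30, &len)) return NULL;   /* AlgorithmIdentifier */
    if (der_enter(&p, end, 0x06, &len) || len != 9 || memcmp(p, sha2, 8)) return NULL;
    return p[8] == 1 ? "sha256" : p[8] == 2 ? "sha384" : p[8] == 3 ? "sha512" : NULL;
}

int main(void) { puts(pkcs7_first_digest(sample_p7, sizeof sample_p7)); return 0; }
```

A signed bundle also carries a digestAlgorithm inside each SignerInfo, and that per-signer value is the one a verifier applies to the signature itself.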



