[PATCH v3 06/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD

Fri Sep 12 13:36:16 UTC 2025

On Thu, Aug 14, 2025 at 8:46 PM Andrii Nakryiko
<andrii.nakryiko at gmail.com> wrote:
>
> On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh at kernel.org> wrote:
> >
> > Currently only array maps are supported, but the implementation can be
> > extended for other maps and objects. The hash is memoized only for
> > exclusive and frozen maps as their content is stable until the exclusive
> > program modifies the map.
> >
> > This is required  for BPF signing, enabling a trusted loader program to
> > verify a map's integrity. The loader retrieves
> > the map's runtime hash from the kernel and compares it against an
> > expected hash computed at build time.
> >
> > Signed-off-by: KP Singh <kpsingh at kernel.org>
> > ---
> >  include/linux/bpf.h                           |  3 +++
> >  include/uapi/linux/bpf.h                      |  2 ++
> >  kernel/bpf/arraymap.c                         | 13 +++++++++++
> >  kernel/bpf/syscall.c                          | 23 +++++++++++++++++++
> >  tools/include/uapi/linux/bpf.h                |  2 ++
> >  .../selftests/bpf/progs/verifier_map_ptr.c    |  7 ++++--
> >  6 files changed, 48 insertions(+), 2 deletions(-)
> >
>
> [...]
>
> >  struct bpf_btf_info {
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > index 11a079145966..e2767d27d8aa 100644
> > --- a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > +++ b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > @@ -70,10 +70,13 @@ __naked void bpf_map_ptr_write_rejected(void)
> >         : __clobber_all);
> >  }
> >
> > +/* The first element of struct bpf_map is a SHA256 hash of 32 bytes, accessing
> > + * into this array is valid. The opts field is now at offset 33.
> > + */
>
> Does hash have to be at the beginning of struct bpf_map? why not just
> put it at the end and not have to adjust any tests?.. (which now will
> fail on older kernel for no good reason, unless I miss something)

It has to be on the top, see the explanation / the code we generate
for verifying the hash it reads from the const_ptr_to_map.

-  KP

>
>
> >  SEC("socket")
> >  __description("bpf_map_ptr: read non-existent field rejected")
> >  __failure
> > -__msg("cannot access ptr member ops with moff 0 in struct bpf_map with off 1 size 4")
> > +__msg("cannot access ptr member ops with moff 32 in struct bpf_map with off 33 size 4")
> >  __failure_unpriv
> >  __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
> >  __flag(BPF_F_ANY_ALIGNMENT)
> > @@ -82,7 +85,7 @@ __naked void read_non_existent_field_rejected(void)
> >         asm volatile ("                                 \
> >         r6 = 0;                                         \
> >         r1 = %[map_array_48b] ll;                       \
> > -       r6 = *(u32*)(r1 + 1);                           \
> > +       r6 = *(u32*)(r1 + 33);                          \
> >         r0 = 1;                                         \
> >         exit;                                           \
> >  "      :
> > --
> > 2.43.0
> >