[PATCH bpf-next v7 4/5] bpftool: Add support for signing BPF programs
Quentin Monnet
qmo at kernel.org
Tue Sep 23 08:39:03 UTC 2025
2025-09-22 19:31 UTC-0700 ~ Alexei Starovoitov
<alexei.starovoitov at gmail.com>
> On Mon, Sep 22, 2025 at 4:24 AM Quentin Monnet <qmo at kernel.org> wrote:
>>
>> 2025-09-21 18:01 UTC+0200 ~ KP Singh <kpsingh at kernel.org>
>>> Two modes of operation being added:
>>>
>>> Add two modes of operation:
>>>
>>> * For prog load, allow signing a program immediately before loading. This
>>> is essential for command-line testing and administration.
>>>
>>> bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>>>
>>> * For gen skeleton, embed a pre-generated signature into the C skeleton
>>> file. This supports the use of signed programs in compiled applications.
>>>
>>> bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>>>
>>> Generation of the loader program and its metadata map is implemented in
>>> libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
>>> the program and automates the required steps: freezing the map, creating
>>> an exclusive map, loading, and running. Users can use standard libbpf
>>> APIs directly or integrate loader program generation into their own
>>> toolchains.
>>>
>>> Signed-off-by: KP Singh <kpsingh at kernel.org>
>>
>>
>> Acked-by: Quentin Monnet <qmo at kernel.org>
>>
>> Thanks a lot!
>>
>>
>>> ---
>>> .../bpf/bpftool/Documentation/bpftool-gen.rst | 13 +-
>>> .../bpftool/Documentation/bpftool-prog.rst | 14 +-
>>> tools/bpf/bpftool/Makefile | 6 +-
>>> tools/bpf/bpftool/cgroup.c | 4 +
>>> tools/bpf/bpftool/gen.c | 68 +++++-
>>> tools/bpf/bpftool/main.c | 26 ++-
>>> tools/bpf/bpftool/main.h | 11 +
>>> tools/bpf/bpftool/prog.c | 29 ++-
>>> tools/bpf/bpftool/sign.c | 212 ++++++++++++++++++
>>> 9 files changed, 372 insertions(+), 11 deletions(-)
>>> create mode 100644 tools/bpf/bpftool/sign.c
>>>
>>> diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> index ca860fd97d8d..d0a36f442db7 100644
>>> --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> @@ -16,7 +16,7 @@ SYNOPSIS
>>>
>>> **bpftool** [*OPTIONS*] **gen** *COMMAND*
>>>
>>> -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
>>> +*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } | [ { **-S** | **--sign** } {**-k** <private_key.pem>} **-i** <certificate.x509> ] }
>>>
>>> *COMMAND* := { **object** | **skeleton** | **help** }
>>>
>>> @@ -186,6 +186,17 @@ OPTIONS
>>> skeleton). A light skeleton contains a loader eBPF program. It does not use
>>> the majority of the libbpf infrastructure, and does not need libelf.
>>>
>>> +-S, --sign
>>> + For skeletons, generate a signed skeleton. This option must be used with
>>> + **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
>>> +
>>> +-k <private_key.pem>
>>> + Path to the private key file in PEM format, required for signing.
>>> +
>>> +-i <certificate.x509>
>>> + Path to the X.509 certificate file in PEM or DER format, required for
>>> + signing.
>>> +
>>> EXAMPLES
>>> ========
>>> **$ cat example1.bpf.c**
>>> diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> index f69fd92df8d8..009633294b09 100644
>>> --- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> +++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> @@ -18,7 +18,7 @@ SYNOPSIS
>>>
>>> *OPTIONS* := { |COMMON_OPTIONS| |
>>> { **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
>>> -{ **-L** | **--use-loader** } }
>>> +{ **-L** | **--use-loader** } | [ { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> ] }
>>
>>
>> Perfect, thank you!
>>
>>
>>>
>>> *COMMANDS* :=
>>> { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
>>> @@ -248,6 +248,18 @@ OPTIONS
>>> creating the maps, and loading the programs (see **bpftool prog tracelog**
>>> as a way to dump those messages).
>>>
>>> +-S, --sign
>>> + Enable signing of the BPF program before loading. This option must be
>>> + used with **-k** and **-i**. Using this flag implicitly enables
>>> + **--use-loader**.
>>> +
>>> +-k <private_key.pem>
>>> + Path to the private key file in PEM format, required when signing.
>>> +
>>> +-i <certificate.x509>
>>> + Path to the X.509 certificate file in PEM or DER format, required when
>>> + signing.
>>> +
>>> EXAMPLES
>>> ========
>>> **# bpftool prog show**
>>> diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
>>> index 9e9a5f006cd2..586d1b2595d1 100644
>>> --- a/tools/bpf/bpftool/Makefile
>>> +++ b/tools/bpf/bpftool/Makefile
>>> @@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
>>> endif
>>> endif
>>>
>>> -LIBS = $(LIBBPF) -lelf -lz
>>> -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
>>> +LIBS = $(LIBBPF) -lelf -lz -lcrypto
>>> +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
>>>
>>> ifeq ($(feature-libelf-zstd),1)
>>> LIBS += -lzstd
>>> @@ -194,7 +194,7 @@ endif
>>>
>>> BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>>>
>>> -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
>>> +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>>> $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>>>
>>> OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
>>> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>>> index 944ebe21a216..ec356deb27c9 100644
>>> --- a/tools/bpf/bpftool/cgroup.c
>>> +++ b/tools/bpf/bpftool/cgroup.c
>>> @@ -2,6 +2,10 @@
>>> // Copyright (C) 2017 Facebook
>>> // Author: Roman Gushchin <guro at fb.com>
>>>
>>> +#undef GCC_VERSION
>>> +#ifndef _GNU_SOURCE
>>> +#define _GNU_SOURCE
>>> +#endif
>>> #define _XOPEN_SOURCE 500
>>> #include <errno.h>
>>> #include <fcntl.h>
>>> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
>>> index 67a60114368f..993c7d9484a4 100644
>>> --- a/tools/bpf/bpftool/gen.c
>>> +++ b/tools/bpf/bpftool/gen.c
>>
>>> @@ -1930,7 +1990,7 @@ static int do_help(int argc, char **argv)
>>> " %1$s %2$s help\n"
>>> "\n"
>>> " " HELP_SPEC_OPTIONS " |\n"
>>> - " {-L|--use-loader} }\n"
>>> + " {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
>>
>>
>> With regards to our discussion on v4 - Sorry, I had not realised
>> removing the braces would make the sync test fail. ACK for keeping them
>> until this is resolved in the test.
>>
>> As for the bash completion, I agree this should not block this series.
>> Please make sure to follow-up with it. I think it should be as follows:
>
> Quentin,
> since you wrote the patch can you send it ?
>
Sure, I will
More information about the Linux-security-module-archive
mailing list