[PATCH bpf-next 1/2] bpf: Add hash chain signature support for arbitrary maps
Quentin Monnet
qmo at kernel.org
Mon Sep 29 09:25:54 UTC 2025
2025-09-26 13:30 UTC-0700 ~ Blaise Boscaccy <bboscaccy at linux.microsoft.com>
> This patch introduces hash chain support for signature verification of
> arbitrary bpf map objects which was described here:
> https://lore.kernel.org/linux-security-module/20250721211958.1881379-1-kpsingh@kernel.org/
>
> The UAPI is extended to allow for in-kernel checking of maps passed in
> via the fd_array. A hash chain is constructed from the maps, in order
> specified by the signature_maps field. The hash chain is terminated
> with the hash of the program itself.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy at linux.microsoft.com>
> ---
> include/uapi/linux/bpf.h | 6 ++
> kernel/bpf/syscall.c | 73 ++++++++++++++++++-
> .../bpf/bpftool/Documentation/bpftool-gen.rst | 7 +-
> tools/bpf/bpftool/gen.c | 27 ++++++-
> tools/bpf/bpftool/main.c | 9 ++-
> tools/bpf/bpftool/main.h | 1 +
> tools/bpf/bpftool/sign.c | 17 ++++-
> tools/include/uapi/linux/bpf.h | 6 ++
> tools/lib/bpf/libbpf.h | 3 +-
> tools/lib/bpf/skel_internal.h | 6 +-
> 10 files changed, 143 insertions(+), 12 deletions(-)
>
[...]
> diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> index d0a36f442db72..b632ab87adf20 100644
> --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> @@ -16,7 +16,7 @@ SYNOPSIS
>
> **bpftool** [*OPTIONS*] **gen** *COMMAND*
>
> -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } | [ { **-S** | **--sign** } {**-k** <private_key.pem>} **-i** <certificate.x509> ] }
> +*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } | [ { **-S** | **--sign** } { **-M** | **--sign-maps** } {**-k** <private_key.pem>} **-i** <certificate.x509> ] }
>
> *COMMAND* := { **object** | **skeleton** | **help** }
>
> @@ -190,6 +190,11 @@ OPTIONS
> For skeletons, generate a signed skeleton. This option must be used with
> **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
>
> +-M --sign-maps
> + For skeletons, generate a signed skeleton that includes a hash chain for the
> + skeletons maps. This option must be used with **-k** and **-i**. Using this
> + flag implicitly enables **--use-loader** and **--sign**.
> +
Hi! Pardon my ignorance, I haven't followed all the details of the
discussions around signing. Is there a use case for signing the programs
only (using -S) without signing the maps (using -M)? Or should we
consider collapsing maps signing under the existing -S option?
If you do keep the new option, would you mind updating the bash
completion file, please? Simply adding the long form like this:
------
diff --git i/tools/bpf/bpftool/bash-completion/bpftool w/tools/bpf/bpftool/bash-completion/bpftool
index 53bcfeb1a76e..f8c217f09989 100644
--- i/tools/bpf/bpftool/bash-completion/bpftool
+++ w/tools/bpf/bpftool/bash-completion/bpftool
@@ -262,7 +262,7 @@ _bpftool()
# Deal with options
if [[ ${words[cword]} == -* ]]; then
local c='--version --json --pretty --bpffs --mapcompat --debug \
- --use-loader --base-btf --sign -i -k'
+ --use-loader --base-btf --sign --sign-maps -i -k'
COMPREPLY=( $( compgen -W "$c" -- "$cur" ) )
return 0
fi
------
Other than that, the changes for bpftool look OK from my side. I'd
probably split the patch further into kernel/libbpf/bpftool changes, but
that's your call.
Thanks,
Quentin
More information about the Linux-security-module-archive
mailing list