[RFC PATCH] hornet: adjustments for the updated bpf_map_ops::map_get_hash() API

Paul Moore paul at paul-moore.com
Tue Jun 2 18:36:59 UTC 2026


Commit c48c3a7e7d5b ("bpf: Drop redundant hash_buf from map_get_hash
operation") changed the map_get_hash() API to only take a single
parameter, the bpf_map instance; this commit updates the Hornet code
accordingly.

Beyond the basic map_get_hash() usage change, this commit also removes
the remaining SHA-256 specific code from Hornet, instead relying on the
size of the bpf_map::sha field to determine the appropriate digest size.
While Hornet remains tied to SHA-256 because it is hardcoded into the
BPF subsystem, the Hornet code itself should now be fairly agile with
respect to hash algorithms.  The only area where Hornet does appear to
hardcode a hash algorithm is in the MAP_DIGEST_SIZE macro where the
bpf_map::sha field is referenced, but that is purely a field name and
if the BPF subsystem changes the name to something more generic it will
be easily caught and corrected at build time.

Signed-off-by: Paul Moore <paul at paul-moore.com>
---
 security/hornet/hornet_lsm.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
index eeb422db1092..a1cb2e130323 100644
--- a/security/hornet/hornet_lsm.c
+++ b/security/hornet/hornet_lsm.c
@@ -17,16 +17,17 @@
 #include <linux/sort.h>
 #include <linux/asn1_decoder.h>
 #include <linux/oid_registry.h>
+#include <linux/stddef.h>
 #include "hornet.asn1.h"
 
 #define MAX_USED_MAPS 64
 
-/* The only hashing algorithm available is SHA256 due to it be hardcoded
- * in the bpf subsystem.
- */
+/* Use the hash alg hardcoded into the bpf subsystem, currently sha256 */
+#define MAP_DIGEST_SIZE (sizeof_field(struct bpf_map, sha))
+
 struct hornet_prog_security_struct {
 	int signed_hash_count;
-	unsigned char signed_hashes[SHA256_DIGEST_SIZE * MAX_USED_MAPS];
+	unsigned char signed_hashes[MAP_DIGEST_SIZE * MAX_USED_MAPS];
 };
 
 struct hornet_parse_context {
@@ -60,12 +61,12 @@ int hornet_map_hash(void *context, size_t hdrlen,
 {
 	struct hornet_parse_context *ctx = (struct hornet_parse_context *)context;
 
-	if (vlen != SHA256_DIGEST_SIZE && vlen != 0)
+	if (vlen != MAP_DIGEST_SIZE && vlen != 0)
 		return -EINVAL;
 	if (ctx->security->signed_hash_count >= MAX_USED_MAPS)
 		return -EINVAL;
 
-	memcpy(&ctx->security->signed_hashes[ctx->security->signed_hash_count * SHA256_DIGEST_SIZE],
+	memcpy(&ctx->security->signed_hashes[ctx->security->signed_hash_count * MAP_DIGEST_SIZE],
 	       value, vlen);
 
 	return 0;
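Review bot: The guard `if (vlen != MAP_DIGEST_SIZE && vlen != 0)` still admits a zero-length value, after which the `memcpy(..., value, vlen)` copies nothing and the slot at `signed_hash_count * MAP_DIGEST_SIZE` keeps whatever bytes it already held; whether that slot is guaranteed zeroed and whether an empty hash is meant to be a valid, later-matched entry is not visible here, since the count increment and the allocation of the security struct are outside the hunk. If the empty case is deliberate, a comment such as `/* vlen == 0: empty hash entry, slot left as allocated */` above the check would document it; if it is not, the condition should be `if (vlen != MAP_DIGEST_SIZE)`. hornet_map_hash's signature and closing brace lie outside this hunk.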
@@ -188,7 +189,6 @@ static int hornet_bpf_prog_load_integrity(struct bpf_prog *prog, union bpf_attr
 static int hornet_check_prog_maps(struct bpf_prog *prog)
 {
 	struct hornet_prog_security_struct *security;
-	unsigned char hash[SHA256_DIGEST_SIZE];
 	struct bpf_map *map;
 	int i, j;
 	bool found;
@@ -209,12 +209,12 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 			if (!READ_ONCE(map->frozen) || !map->ops->map_get_hash)
 				continue;
 
-			if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
+			if (map->ops->map_get_hash(map))
 				continue;
 
-			if (memcmp(hash,
-				   &security->signed_hashes[i * SHA256_DIGEST_SIZE],
-				   SHA256_DIGEST_SIZE) == 0) {
+			if (memcmp(map->sha,
+				   &security->signed_hashes[i * MAP_DIGEST_SIZE],
+				   MAP_DIGEST_SIZE) == 0) {
 				found = true;
 				break;
 			}
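Review bot: The comparison `memcmp(map->sha, &security->signed_hashes[i * MAP_DIGEST_SIZE], MAP_DIGEST_SIZE)` now reads the digest straight out of the shared bpf_map after `map->ops->map_get_hash(map)` returns, where the old code compared against a caller-owned buffer filled by the callback. That is only sound if map_get_hash() has fully published map->sha before returning and a frozen map never recomputes it while other readers are in this loop; neither property is visible in the hunk, so it is an assumption the code should state. A one-line comment above the memcmp, `/* map->sha is stable once map_get_hash() succeeds on a frozen map */`, would record that contract for the next reader. The enclosing loop of hornet_check_prog_maps starts and ends outside this hunk.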
-- 
2.54.0



