@kernel-patches-daemon-bpf-rc
Pull request for series with
subject: BPF signature hash chains
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1007203

@kernel-patches-daemon-bpf-rc

Upstream branch: 4ef77dd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1007203
version: 2

Blaise Boscaccy added 3 commits October 2, 2025 14:31

This patch introduces hash chain support for signature verification of
arbitrary bpf map objects which was described here:
https://lore.kernel.org/linux-security-module/[email protected]/

The UAPI is extended to allow for in-kernel checking of maps passed in
via the fd_array. A hash chain is constructed from the maps, in order
specified by the signature_maps field. The hash chain is terminated
with the hash of the program itself.

Tested-by: [email protected]
Signed-off-by: Blaise Boscaccy <[email protected]>

Convert an existing signed lskel test to use the newly introduced map
signature hash-chain support added to libbpf.

Signed-off-by: Blaise Boscaccy <[email protected]>

Add a new mode of operation for program loading which supports the
generation of signed hash chains for light skeletons, using the new
signed map hash chain UAPI additions.

e.g. bpftool prog load -S -M -k <private_key> -i <identity_cert> fentry_test.bpf.o

The -M or --sign-maps command line switch is introduced. It generates
a hash chain such that:

H(program, maps) = sha256(sha256(program), sha256(map[0]))

Signed-off-by: Blaise Boscaccy <[email protected]>

@kernel-patches-daemon-bpf-rc

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1007203 irrelevant now. Closing PR.

kernel-patches-daemon-bpf-rc bot deleted the series/1007203=>bpf-next branch October 4, 2025 01:48