kernel-patches · kernel-patches-daemon-bpf-rc · Oct 29, 2025 · Oct 29, 2025
diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
@@ -101,6 +101,7 @@ FEATURE_TESTS := clang-bpf-co-re
 FEATURE_TESTS += llvm
 FEATURE_TESTS += libcap
 FEATURE_TESTS += libbfd
+FEATURE_TESTS += libcrypto
 FEATURE_TESTS += libbfd-liberty
 FEATURE_TESTS += libbfd-liberty-z
 FEATURE_TESTS += disassembler-four-args
@@ -110,6 +111,7 @@ FEATURE_TESTS += libelf-zstd
 FEATURE_DISPLAY := clang-bpf-co-re
 FEATURE_DISPLAY += llvm
 FEATURE_DISPLAY += libcap
+FEATURE_DISPLAY += libcrypto
 FEATURE_DISPLAY += libbfd
 FEATURE_DISPLAY += libbfd-liberty
 FEATURE_DISPLAY += libbfd-liberty-z
@@ -130,8 +132,14 @@ include $(FEATURES_DUMP)
 endif
 endif
 
-LIBS = $(LIBBPF) -lelf -lz -lcrypto
-LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
+LIBS = $(LIBBPF) -lelf -lz
+LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
+
+ifeq ($(feature-libcrypto),1)
+CFLAGS += -DUSE_CRYPTO
+LIBS += -lcrypto
+LIBS_BOOTSTRAP += -lcrypto
+endif
 
 ifeq ($(feature-libelf-zstd),1)
 LIBS += -lzstd
@@ -194,7 +202,10 @@ endif
 
 BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
 
-BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
+BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
+ifeq ($(feature-libcrypto),1)
+BOOTSTRAP_OBJS += $(addprefix $(BOOTSTRAP_OUTPUT),sign.o)
+endif
 $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
 
 OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o

diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
@@ -688,16 +688,15 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
 static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
 {
 	DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
-	struct bpf_load_and_run_opts sopts = {};
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	struct bpf_map *map;
 
 	char ident[256];
 	int err = 0;
 
+#ifdef USE_CRYPTO
 	if (sign_progs)
 		opts.gen_hash = true;
+#endif
 
 	err = bpf_object__gen_loader(obj, &opts);
 	if (err)
@@ -790,7 +789,12 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 		\n\
 		\";\n");
 
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		struct bpf_load_and_run_opts sopts = {};
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		sopts.insns = opts.insns;
 		sopts.insns_sz = opts.insns_sz;
 		sopts.excl_prog_hash = prog_sha;
@@ -831,7 +835,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 			opts.keyring_id = skel->keyring_id;			\n\
 		");
 	}
-
+#endif /* USE_CRYPTO */
 	codegen("\
 		\n\
 			opts.ctx = (struct bpf_loader_ctx *)skel;	    \n\
@@ -1406,13 +1410,14 @@ static int do_skeleton(int argc, char **argv)
 
 		printf("\t} links;\n");
 	}
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
 		codegen("\
 		\n\
 			__s32 keyring_id;				   \n\
 		");
 	}
+#endif /* USE_CRYPTO */
 
 	if (btf) {
 		err = codegen_datasecs(obj, obj_name);
@@ -1990,7 +1995,9 @@ static int do_help(int argc, char **argv)
 		"       %1$s %2$s help\n"
 		"\n"
 		"       " HELP_SPEC_OPTIONS " |\n"
+#ifdef USE_CRYPTO
 		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
+#endif
 		"",
 		bin_name, "gen");
 

diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
@@ -1931,12 +1931,10 @@ static int try_loader(struct gen_loader_opts *gen)
 {
 	struct bpf_load_and_run_opts opts = {};
 	struct bpf_loader_ctx *ctx;
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
 					     sizeof(struct bpf_prog_desc));
 	int log_buf_sz = (1u << 24) - 1;
-	int err, fds_before, fd_delta;
+	int err = 0, fds_before, fd_delta;
 	char *log_buf = NULL;
 
 	ctx = alloca(ctx_sz);
@@ -1947,7 +1945,7 @@ static int try_loader(struct gen_loader_opts *gen)
 		ctx->log_size = log_buf_sz;
 		log_buf = malloc(log_buf_sz);
 		if (!log_buf)
-			return -ENOMEM;
+			goto out;
 		ctx->log_buf = (long) log_buf;
 	}
 	opts.ctx = ctx;
@@ -1956,8 +1954,11 @@ static int try_loader(struct gen_loader_opts *gen)
 	opts.insns = gen->insns;
 	opts.insns_sz = gen->insns_sz;
 	fds_before = count_open_fds();
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		opts.excl_prog_hash = prog_sha;
 		opts.excl_prog_hash_sz = sizeof(prog_sha);
 		opts.signature = sig_buf;
@@ -1976,6 +1977,7 @@ static int try_loader(struct gen_loader_opts *gen)
 			goto out;
 		}
 	}
+#endif
 	err = bpf_load_and_run(&opts);
 	fd_delta = count_open_fds() - fds_before;
 	if (err < 0 || verifier_logs) {

diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
@@ -3,6 +3,7 @@
  * Copyright (C) 2025 Google LLC.
  */
 
+#ifdef USE_CRYPTO
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
@@ -209,3 +210,4 @@ int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
 	DISPLAY_OSSL_ERR(err < 0);
 	return err;
 }
+#endif /* USE_CRYPTO */
diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile
@@ -22,6 +22,7 @@ FILES=                                          \
          test-cplus-demangle.bin                \
          test-cxa-demangle.bin                  \
          test-libcap.bin			\
+         test-libcrypto.bin			\
          test-libelf.bin                        \
          test-libelf-getphdrnum.bin             \
          test-libelf-gelf_getnote.bin           \
@@ -107,7 +108,7 @@ all: $(FILES)
 __BUILD = $(CC) $(CFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.c,$(@F)) $(LDFLAGS)
   BUILD = $(__BUILD) > $(@:.bin=.make.output) 2>&1
   BUILD_BFD = $(BUILD) -DPACKAGE='"perf"' -lbfd -ldl
-  BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd
+  BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lcrypto -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd
 
 __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$(@F)) $(LDFLAGS)
   BUILDXX = $(__BUILDXX) > $(@:.bin=.make.output) 2>&1
@@ -138,6 +139,9 @@ $(OUTPUT)test-bionic.bin:
 $(OUTPUT)test-libcap.bin:
 	$(BUILD) -lcap
 
+$(OUTPUT)test-libcrypto.bin:
+	$(BUILD) -lcrypto
+
 $(OUTPUT)test-libelf.bin:
 	$(BUILD) -lelf
 

diff --git a/tools/build/feature/test-libcrypto.c b/tools/build/feature/test-libcrypto.c
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <openssl/err.h>
+
+/*
+ * ERR_get_error_all() was introduced in openssl3
+ *
+ * https://docs.openssl.org/3.0/man3/ERR_get_error/
+ */
+int main(void)
+{
+	return ERR_get_error_all(NULL, NULL, NULL, NULL, NULL);
+}