@kernel-patches-daemon-bpf-rc

Pull request for series with
subject: Add cryptographic hash and signature verification kfuncs to BPF
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1031239

@kernel-patches-daemon-bpf-rc

Upstream branch: 5d9fb42
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1031239
version: 3

@kernel-patches-daemon-bpf-rc

Upstream branch: c93c124
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1031239
version: 3

@kernel-patches-daemon-bpf-rc

Upstream branch: 759377d
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1031239
version: 3

Add hash operation callbacks to bpf_crypto_type structure:
 - hash(): Performs hashing operation on input data
 - digestsize(): Returns the output size for the hash algorithm

These additions enable BPF programs to use cryptographic hash functions
through the unified bpf_crypto_type interface, supporting use cases such
as content verification, integrity checking, and data authentication.

Signed-off-by: Daniel Hodges <[email protected]>

Add bpf_crypto_shash module that registers a hash type with the BPF
crypto infrastructure, enabling BPF programs to access kernel hash
algorithms through a unified interface.

Update the bpf_crypto_type interface with hash-specific callbacks:
   - alloc_tfm: Allocates crypto_shash context with proper descriptor size
   - free_tfm: Releases hash transform and context memory
   - has_algo: Checks algorithm availability via crypto_has_shash()
   - hash: Performs single-shot hashing via crypto_shash_digest()
   - digestsize: Returns the output size for the hash algorithm
   - get_flags: Exposes transform flags to BPF programs

Update bpf_shash_ctx to contain crypto_shash transform and shash_desc
descriptor to accommodate algorithm-specific descriptor requirements.

Signed-off-by: Daniel Hodges <[email protected]>

Extend bpf_crypto_type structure with hash operations:
 - hash(): Performs hashing operation
 - digestsize(): Returns hash output size

Update bpf_crypto_ctx_create() to support keyless operations:
 - Hash algorithms don't require keys, unlike ciphers
 - Only validates key presence if type->setkey is defined
 - Conditionally sets IV/state length for cipher operations only

Add bpf_crypto_hash() kfunc that works with any hash algorithm
registered in the kernel's crypto API through the BPF crypto type
system. This enables BPF programs to compute cryptographic hashes for
use cases such as content verification, integrity checking, and data
authentication.

Signed-off-by: Daniel Hodges <[email protected]>

Add selftests to validate that bpf_crypto_hash works properly. The tests
verify both correct functionality and proper error handling.

Test Data:
All tests use the well-known NIST test vector input "abc" and validate
against the standardized expected outputs for each algorithm. This ensures
the BPF kfunc wrappers correctly delegate to the kernel crypto library.

Signed-off-by: Daniel Hodges <[email protected]>

Add context-based ECDSA signature verification kfuncs:
- bpf_ecdsa_ctx_create(): Creates reusable ECDSA context with public key
- bpf_ecdsa_verify(): Verifies signatures using the context
- bpf_ecdsa_ctx_acquire(): Increments context reference count
- bpf_ecdsa_ctx_release(): Releases context with RCU safety

The ECDSA implementation supports NIST curves (P-256, P-384, P-521) and
uses the kernel's crypto_sig API. Public keys must be in uncompressed
format (0x04 || x || y), and signatures are in r || s format.

Signed-off-by: Daniel Hodges <[email protected]>

Add selftests to validate the ECDSA signature verification kfuncs
introduced in the BPF crypto subsystem. The tests verify both valid
signature acceptance and invalid signature rejection using the
context-based ECDSA API.

The tests use RFC 6979 test vectors for NIST P-256 (secp256r1) with
well-known valid signatures. The algorithm "p1363(ecdsa-nist-p256)"
is used to handle standard r||s signature format.

Signed-off-by: Daniel Hodges <[email protected]>