On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> Convert the kernel's generated verification certificate into a C header
> file using xxd. Finally, update the main test runner to load this
> certificate into the session keyring via the add_key() syscall before
> executing any tests.
>
> The kernel's module signing verification certificate is converted to a
> headerfile and loaded as a session key and all light skeleton tests are
> updated to be signed.
>
> Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> ---
> tools/testing/selftests/bpf/.gitignore | 1 +
> tools/testing/selftests/bpf/Makefile | 13 +++++++++++--
> tools/testing/selftests/bpf/test_progs.c | 13 +++++++++++++
> 3 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
> index e2a2c46c008b..5ab96f8ab1c9 100644
> --- a/tools/testing/selftests/bpf/.gitignore
> +++ b/tools/testing/selftests/bpf/.gitignore
> @@ -45,3 +45,4 @@ xdp_redirect_multi
> xdp_synproxy
> xdp_hw_metadata
> xdp_features
> +verification_cert.h
> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
> index cf5ed3bee573..778b54be7ef4 100644
> --- a/tools/testing/selftests/bpf/Makefile
> +++ b/tools/testing/selftests/bpf/Makefile
> @@ -7,6 +7,7 @@ CXX ?= $(CROSS_COMPILE)g++
>
> CURDIR := $(abspath .)
> TOOLSDIR := $(abspath ../../..)
> +CERTSDIR := $(abspath ../../../../certs)
> LIBDIR := $(TOOLSDIR)/lib
> BPFDIR := $(LIBDIR)/bpf
> TOOLSINCDIR := $(TOOLSDIR)/include
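Review bot: The added `CERTSDIR := $(abspath ../../../../certs)` pins the key location to the `certs` directory of the source tree, relative to the selftests directory. The signing key and certificate are produced by the kernel build, so with an out-of-tree build (`O=` / `KBUILD_OUTPUT`) or a custom `CONFIG_MODULE_SIG_KEY` they would presumably live elsewhere, and the later `-k`/`-i` arguments would point at files that do not exist. Making the variable overridable, `CERTSDIR ?= $(abspath ../../../../certs)`, lets such setups supply the right directory. A short comment above it, e.g. `# Directory holding the kernel's module signing key pair (signing_key.pem is the private key)`, would also make it clear that the test build reads the private key and needs access to it.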
> @@ -534,7 +535,7 @@ HEADERS_FOR_BPF_OBJS := $(wildcard $(BPFDIR)/*.bpf.h) \
> # $1 - test runner base binary name (e.g., test_progs)
> # $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, bpf_gcc, etc)
> define DEFINE_TEST_RUNNER
> -
> +LSKEL_SIGN := -S -k $(CERTSDIR)/signing_key.pem -i $(CERTSDIR)/signing_key.x509

Can we do a fallback for setups without CONFIG_MODULE_SIG ? Reuse setup() helper from verify_sig_setup.sh ? Doesn't have to be right away. It can be a follow up.