On Mon, 2025-07-21 at 23:19 +0200, KP Singh wrote:
[...]
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index fd3b895ebebf..b42c3740e053 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -1607,6 +1607,16 @@ union bpf_attr {
> * continuous.
> */
> __u32 fd_array_cnt;
> + /* Pointer to a buffer containing the signature of
> the BPF
> + * program.
> + */
> + __aligned_u64 signature;
> + /* Size of the signature buffer in bytes. */
> + __u32 signature_size;
> + /* ID of the kernel keyring to be used for signature
> + * verification.
> + */
> + __u32 keyring_id;

This should become __s32 to match the value passed in to bpf_lookup_user_key().

[...]
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 22fda92ab7ce..111f91a99166 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -2779,8 +2779,41 @@ static bool is_perfmon_prog_type(enum
> bpf_prog_type prog_type)
> }
> }
>
> +static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
> + union bpf_attr *attr,
> + bool is_kernel)
> +{
> + bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
> + struct bpf_dynptr_kern sig_ptr, insns_ptr;
> + struct bpf_key *key = NULL;
> + void *sig;
> + int err = 0;
> +
> + key = bpf_lookup_user_key(attr->keyring_id, 0);
> + if (!key)
> + return -ENOKEY;

This still only checks against user keyrings and not system trusted keyrings as was pointed out in v1. Since user keyrings are negative and user key serials begin at 3 or more, there's no overlap with the system keyring specifiers and you can just overload attr->keyring_id, like the below.

Regards,

James

---
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 111f91a99166..10fd3ea5d91f 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -13,6 +13,7 @@
 #include <linux/slab.h>
 #include <linux/sched/signal.h>
 #include <linux/vmalloc.h>
+#include <linux/verification.h>
 #include <linux/mmzone.h>
 #include <linux/anon_inodes.h>
 #include <linux/fdtable.h>
@@ -2789,7 +2790,10 @@ static noinline int bpf_prog_verify_signature(struct bpf_prog *prog,
 void *sig;
 int err = 0;
 
- key = bpf_lookup_user_key(attr->keyring_id, 0);
+ if (system_keyring_id_check(attr->keyring_id) == 0)
+ key = bpf_lookup_system_key(attr->keyring_id);
+ else
+ key = bpf_lookup_user_key(attr->keyring_id, 0);
 if (!key)
 return -ENOKEY;
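Review bot: The `bpf_lookup_system_key()` branch added in the second hunk returns a `bpf_key` that wraps a system-keyring sentinel rather than a referenced `struct key` (in the existing kfunc of that name `has_ref` is false), so the release at the end of `bpf_prog_verify_signature()`, which lies outside this hunk, must go through `bpf_key_put()` and never `key_put(key->key)`. A short comment on the new branch would keep that visible: `/* system keyring id: the returned bpf_key holds no key reference */`. Separately, the lookup still honours whatever `attr->keyring_id` the loader names, and a serial of 3 or more may be a keyring the loading process populated itself; unless a later check or an LSM hook constrains acceptable keyrings, verifying against a user keyring only shows the loader possesses a matching key, not that a trusted authority signed the program. The uapi comment on `keyring_id` should state that keyring selection is the trust decision, not the kernel's.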