Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Wed, Aug 13, 2025 at 4:55 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> >
> > This patch extends the BPF_PROG_LOAD command by adding three new fields
> > to `union bpf_attr` in the user-space API:
> >
> >   - signature: A pointer to the signature blob.
> >   - signature_size: The size of the signature blob.
> >   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
> >     the user or session keyring) containing the trusted public keys.
> >
> > When a BPF program is loaded with a signature, the kernel:
> >
> > 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> > 2.  Verifies the supplied signature against the BPF program's
> >     instruction buffer.
> > 3.  If the signature is valid and was generated by a key in the trusted
> >     keyring, the program load proceeds.
> > 4.  If no signature is provided, the load proceeds as before, allowing
> >     for backward compatibility. LSMs can choose to restrict unsigned
> >     programs and implement a security policy.
> > 5.  If signature verification fails for any reason,
> >     the program is not loaded.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
> >  crypto/asymmetric_keys/pkcs7_verify.c |  1 +
> >  include/linux/verification.h          |  1 +
> >  include/uapi/linux/bpf.h              | 10 +++++++
> >  kernel/bpf/helpers.c                  |  2 +-
> >  kernel/bpf/syscall.c                  | 42 ++++++++++++++++++++++++++-
> >  tools/include/uapi/linux/bpf.h        | 10 +++++++
> >  tools/lib/bpf/bpf.c                   |  2 +-
> >  7 files changed, 65 insertions(+), 3 deletions(-)
>
> It's nice to see a v3 revision, but it would be good to see some
> comments on Blaise's reply to your v2 revision.  From what I can see
> it should enable the different use cases and requirements that have
> been posted.

I will defer to Alexei and others here (mostly due to time crunch). It
would however be useful to explain the use-cases in which signed maps
are useful (beyond being a different approach than the current
delegated verification).

>
> https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@xxxxxxxxxxxxx


>
> --
> paul-moore.com
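The five load-time steps in the quoted commit message (look up the keyring by serial, verify the signature over the instruction buffer, accept on a trusted-key match, fall through to an LSM policy decision for unsigned programs, reject on any verification failure) can be modelled in user space to see how the decision tree behaves on the edge cases. The following Go program is an added illustration written for this page; it is not code from the patch series, and it stands in ed25519 (from Go's standard library) for the kernel's PKCS#7 verification path, and a plain slice of keyrings for the kernel keyring lookup. Names such as `Keyring`, `LoadAttr`, `ProgLoad` and `UnsignedPolicy` are this example's own, and the instruction bytes are a constructed sample (`mov r0, 0; exit`).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring models a loaded kernel keyring holding trusted public keys,
// addressed by the serial number carried in the new keyring_id field.
// (Hypothetical type for this example, not a kernel structure.)
type Keyring struct {
	Serial uint32
	Keys   []ed25519.PublicKey
}

// LoadAttr models the three new union bpf_attr fields from the commit
// message plus the instruction buffer that the signature covers.
type LoadAttr struct {
	Insns     []byte // program instruction buffer (signed data)
	Signature []byte // signature blob; empty means "unsigned"
	KeyringID uint32 // serial of the keyring holding trusted keys
}

// UnsignedPolicy stands in for an LSM hook that decides whether an
// unsigned program may load (step 4 of the commit message).
type UnsignedPolicy func(attr *LoadAttr) bool

var (
	ErrNoKeyring      = errors.New("trusted keyring not found")
	ErrBadSignature   = errors.New("signature verification failed")
	ErrUnsignedDenied = errors.New("unsigned program rejected by policy")
)

// lookupKeyring is the stand-in for resolving keyring_id to a keyring.
func lookupKeyring(keyrings []*Keyring, serial uint32) (*Keyring, bool) {
	for _, kr := range keyrings {
		if kr.Serial == serial {
			return kr, true
		}
	}
	return nil, false
}

// ProgLoad applies the load-time decision described in the commit message
// and returns nil when the program would be allowed to load.
func ProgLoad(keyrings []*Keyring, attr *LoadAttr, policy UnsignedPolicy) error {
	// Step 4: no signature supplied; backward compatible unless the
	// LSM-style policy says otherwise.
	if len(attr.Signature) == 0 {
		if policy != nil && !policy(attr) {
			return ErrUnsignedDenied
		}
		return nil
	}
	// Step 1: resolve the keyring; a missing keyring is a failure (step 5).
	kr, ok := lookupKeyring(keyrings, attr.KeyringID)
	if !ok {
		return ErrNoKeyring
	}
	// Steps 2 and 3: the signature must verify over the exact instruction
	// bytes under some key in the trusted keyring.
	for _, pub := range kr.Keys {
		if ed25519.Verify(pub, attr.Insns, attr.Signature) {
			return nil
		}
	}
	// Step 5: wrong key, tampered bytes or malformed blob all end here.
	return ErrBadSignature
}

// denyUnsigned is an example policy that only admits signed programs.
func denyUnsigned(*LoadAttr) bool { return false }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := &Keyring{Serial: 42, Keys: []ed25519.PublicKey{pub}}
	// Constructed sample: two eBPF instructions, "mov r0, 0" then "exit".
	insns := []byte{0xb7, 0, 0, 0, 0, 0, 0, 0, 0x95, 0, 0, 0, 0, 0, 0, 0}
	sig := ed25519.Sign(priv, insns)

	signed := &LoadAttr{Insns: insns, Signature: sig, KeyringID: 42}
	fmt.Println("signed, trusted key:", ProgLoad([]*Keyring{trusted}, signed, denyUnsigned))

	tampered := &LoadAttr{Insns: append([]byte{0xb7, 0, 0, 0, 1}, insns[5:]...), Signature: sig, KeyringID: 42}
	fmt.Println("signed, tampered insns:", ProgLoad([]*Keyring{trusted}, tampered, denyUnsigned))

	unsigned := &LoadAttr{Insns: insns}
	fmt.Println("unsigned, permissive policy:", ProgLoad([]*Keyring{trusted}, unsigned, nil))
	fmt.Println("unsigned, strict policy:", ProgLoad([]*Keyring{trusted}, unsigned, denyUnsigned))
}
```

The point worth noticing is that the only path that admits an unsigned program is the explicit policy branch; every other failure, including a keyring serial that does not resolve, is a rejection, which matches the "fails for any reason" wording in step 5.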