On Thu, Aug 14, 2025 at 8:46 PM Andrii Nakryiko
<andrii.nakryiko@xxxxxxxxx> wrote:
>
> On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> >
> > Currently only array maps are supported, but the implementation can be
> > extended for other maps and objects. The hash is memoized only for
> > exclusive and frozen maps as their content is stable until the exclusive
> > program modifies the map.
> >
> > This is required for BPF signing, enabling a trusted loader program to
> > verify a map's integrity. The loader retrieves
> > the map's runtime hash from the kernel and compares it against an
> > expected hash computed at build time.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
> > include/linux/bpf.h | 3 +++
> > include/uapi/linux/bpf.h | 2 ++
> > kernel/bpf/arraymap.c | 13 +++++++++++
> > kernel/bpf/syscall.c | 23 +++++++++++++++++++
> > tools/include/uapi/linux/bpf.h | 2 ++
> > .../selftests/bpf/progs/verifier_map_ptr.c | 7 ++++--
> > 6 files changed, 48 insertions(+), 2 deletions(-)
> >
>
> [...]
>
> > struct bpf_btf_info {
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > index 11a079145966..e2767d27d8aa 100644
> > --- a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > +++ b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> > @@ -70,10 +70,13 @@ __naked void bpf_map_ptr_write_rejected(void)
> > : __clobber_all);
> > }
> >
> > +/* The first element of struct bpf_map is a SHA256 hash of 32 bytes, accessing
> > + * into this array is valid. The opts field is now at offset 33.
> > + */
>
> Does hash have to be at the beginning of struct bpf_map? why not just
> put it at the end and not have to adjust any tests?.. (which now will
> fail on older kernel for no good reason, unless I miss something)
It has to be on the top, see the explanation / the code we generate
for verifying the hash it reads from the const_ptr_to_map.
- KP
>
>
> > SEC("socket")
> > __description("bpf_map_ptr: read non-existent field rejected")
> > __failure
> > -__msg("cannot access ptr member ops with moff 0 in struct bpf_map with off 1 size 4")
> > +__msg("cannot access ptr member ops with moff 32 in struct bpf_map with off 33 size 4")
> > __failure_unpriv
> > __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
> > __flag(BPF_F_ANY_ALIGNMENT)
> > @@ -82,7 +85,7 @@ __naked void read_non_existent_field_rejected(void)
> > asm volatile (" \
> > r6 = 0; \
> > r1 = %[map_array_48b] ll; \
> > - r6 = *(u32*)(r1 + 1); \
> > + r6 = *(u32*)(r1 + 33); \
> > r0 = 1; \
> > exit; \
> > " :
> > --
> > 2.43.0
> >
