This patchset extends the currently proposed signature verification patchset https://lore.kernel.org/linux-security-module/20250813205526.2992911-1-kpsingh@xxxxxxxxxx/ with hash-chain functionality to verify the contents of arbitrary maps. The currently proposed loader + map signature verification scheme—requested by Alexei and KP—is simple to implement and acceptable if users/admins are satisfied with it. However, verifying both the loader and the maps offers additional benefits beyond just verifying the loader: 1. Simplified Loader Logic: The lskel loader becomes simpler since it doesn’t need to verify program maps—this is already handled by bpf_check_signature(). 2. Security and Audit Integrity: A key advantage is that the LSM (Linux Security Module) hook for authorizing BPF program loads can operate after signature verification. This ensures: * Access control decisions can be based on verified signature status. * Accurate system state measurement and logging. * Log events claiming a verified signature are fully truthful, avoiding misleading entries that only the loader was verified while the actual BPF program verification happens later without logging. This approach addresses concerns from users who require strict audit trails and verification guarantees, especially in security-sensitive environments. A working tree with this patchset is being maintained at https://github.com/blaiseboscaccy/linux/tree/bpf-hash-chains Blaise Boscaccy (2): bpf: Add hash chain signature support for arbitrary maps libbpf: Add hash chain signing support to light skeletons. include/uapi/linux/bpf.h | 6 +++ kernel/bpf/syscall.c | 75 ++++++++++++++++++++++++++++++++-- tools/bpf/bpftool/gen.c | 25 ++++++++++++ tools/bpf/bpftool/main.c | 8 +++- tools/bpf/bpftool/main.h | 1 + tools/bpf/bpftool/sign.c | 17 ++++++-- tools/include/uapi/linux/bpf.h | 6 +++ tools/lib/bpf/libbpf.h | 3 +- tools/lib/bpf/skel_internal.h | 6 ++- 9 files changed, 137 insertions(+), 10 deletions(-) -- 2.48.1
