From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
To: Daniel Hodges <git@danielhodges.dev>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
"open list:BPF [CRYPTO]" <bpf@vger.kernel.org>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf-next 1/4] bpf: Add SHA hash kfuncs for cryptographic hashing
Date: Tue, 18 Nov 2025 12:13:39 +0000
Message-ID: <1f313f86-c0be-4d29-aa90-5c95afa92827@linux.dev>
In-Reply-To: <20251117211413.1394-2-git@danielhodges.dev>
On 17/11/2025 21:13, Daniel Hodges wrote:
> Add three new kfuncs for computing cryptographic hashes in BPF programs:
> - bpf_sha256_hash(): Computes SHA-256 hash (32-byte output)
> - bpf_sha384_hash(): Computes SHA-384 hash (48-byte output)
> - bpf_sha512_hash(): Computes SHA-512 hash (64-byte output)
>
> These kfuncs leverage the kernel's existing crypto library (sha256/sha384/
> sha512 functions) and use bpf_dynptr for safe memory access without risk
> of page faults. The functions validate input parameters including checking
> for read-only output buffers and ensuring sufficient buffer sizes.
>
> This enables BPF programs to compute cryptographic hashes for use cases
> such as content verification, integrity checking, and data authentication.
>
> Signed-off-by: Daniel Hodges <git@danielhodges.dev>
[...]
> +#if IS_ENABLED(CONFIG_CRYPTO_LIB_SHA256)
> +/**
> + * bpf_sha256_hash() - Compute SHA-256 hash using kernel crypto library
> + * @data: bpf_dynptr to the input data to hash. Must be a trusted pointer.
> + * @out: bpf_dynptr to the output buffer (must be at least 32 bytes). Must be a trusted pointer.
> + *
> + * Computes SHA-256 hash of the input data. Uses bpf_dynptr to ensure safe memory access
> + * without risk of page faults.
> + */
> +__bpf_kfunc int bpf_sha256_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out)
> +{
> + const struct bpf_dynptr_kern *data_kern = (struct bpf_dynptr_kern *)data;
> + const struct bpf_dynptr_kern *out_kern = (struct bpf_dynptr_kern *)out;
> + u32 data_len, out_len;
> + const u8 *data_ptr;
> + u8 *out_ptr;
> +
> + if (__bpf_dynptr_is_rdonly(out_kern))
> + return -EINVAL;

__bpf_dynptr_data_rw() contains __bpf_dynptr_is_rdonly() check, no need
to do it again explicitly. This applies to all helpers.

> +
> + data_len = __bpf_dynptr_size(data_kern);
> + out_len = __bpf_dynptr_size(out_kern);
> +
> + if (data_len == 0 || out_len < 32)
> + return -EINVAL;
> +
> + data_ptr = __bpf_dynptr_data(data_kern, data_len);
> + if (!data_ptr)
> + return -EINVAL;
> +
> + out_ptr = __bpf_dynptr_data_rw(out_kern, out_len);
> + if (!out_ptr)
> + return -EINVAL;
> +
> + sha256(data_ptr, data_len, out_ptr);
> +
> + return 0;
> +}
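
Review bot: in the size check `if (data_len == 0 || out_len < 32)` the digest length is a bare 32; SHA256_DIGEST_SIZE from <crypto/sha2.h> would say what is being compared and would match the naming the 48- and 64-byte variants from the commit message can use. The same line rejects empty input with -EINVAL, and the kernel-doc comment above the function has no Return: section, so a BPF caller cannot tell from the documentation that zero-length data, a read-only or short output dynptr, and a NULL result from __bpf_dynptr_data() all produce the same error code. Suggest documenting the return values and stating explicitly that empty input is not hashed. Separately, `__bpf_dynptr_data_rw(out_kern, out_len)` asks for the whole output dynptr although sha256() writes only the 32-byte digest; requesting just the digest size would be enough.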