From: Chris Mason <clm@meta.com>
To: KP Singh <kpsingh@kernel.org>
Cc: Chris Mason <clm@meta.com>, <bpf@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>,
	<bboscaccy@linux.microsoft.com>, <paul@paul-moore.com>,
	<kys@microsoft.com>, <ast@kernel.org>, <daniel@iogearbox.net>,
	<andrii@kernel.org>, <syzbot@syzkaller.appspotmail.com>
Subject: Re: [PATCH bpf-next v7 1/5] bpf: Implement signature verification for BPF programs
Date: Tue, 7 Oct 2025 09:42:10 -0700
Message-ID: <20251007164217.1966541-1-clm@meta.com>
In-Reply-To: <20250921160120.9711-2-kpsingh@kernel.org>

Hi KP,

On Sun, 21 Sep 2025 18:01:16 +0200 KP Singh <kpsingh@kernel.org> wrote:

> This patch extends the BPF_PROG_LOAD command by adding three new fields
> to `union bpf_attr` in the user-space API:
> 
>   - signature: A pointer to the signature blob.
>   - signature_size: The size of the signature blob.
>   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
>     the user or session keyring) containing the trusted public keys.
> 
> When a BPF program is loaded with a signature, the kernel:
> 
> 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> 2.  Verifies the supplied signature against the BPF program's
>     instruction buffer.
> 3.  If the signature is valid and was generated by a key in the trusted
>     keyring, the program load proceeds.
> 4.  If no signature is provided, the load proceeds as before, allowing
>     for backward compatibility. LSMs can choose to restrict unsigned
>     programs and implement a security policy.
> 5.  If signature verification fails for any reason,
>     the program is not loaded.
> 
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index cf7173b1bb83..8a3c3d26f6e2 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -39,6 +39,7 @@
>  #include <linux/tracepoint.h>
>  #include <linux/overflow.h>
>  #include <linux/cookie.h>
> +#include <linux/verification.h>
>  
>  #include <net/netfilter/nf_bpf_link.h>
>  #include <net/netkit.h>
> @@ -2785,8 +2786,44 @@ static bool is_perfmon_prog_type(enum bpf_prog_type prog_type)
>  	}
>  }
>  
> +static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr,
> +				     bool is_kernel)
> +{
> +	bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
> +	struct bpf_dynptr_kern sig_ptr, insns_ptr;
> +	struct bpf_key *key = NULL;
> +	void *sig;
> +	int err = 0;
> +
> +	if (system_keyring_id_check(attr->keyring_id) == 0)
> +		key = bpf_lookup_system_key(attr->keyring_id);
> +	else
> +		key = bpf_lookup_user_key(attr->keyring_id, 0);
> +
> +	if (!key)
> +		return -EINVAL;
> +
> +	sig = kvmemdup_bpfptr(usig, attr->signature_size);
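Review bot: attr->signature_size reaches kvmemdup_bpfptr() with no upper bound, so the caller picks the allocation size; add a range check before the copy, e.g. `if (!attr->signature_size || attr->signature_size > <max signature size>) return -EINVAL;`, and place it ahead of the bpf_lookup_system_key()/bpf_lookup_user_key() calls so the early return does not also have to undo the key lookup.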

Should there be some validation on signature_size?  It looks like we're
giving vmalloc exactly what userland sent.

-chris

Thread overview:
2025-09-21 16:01 [PATCH bpf-next v7 0/5] Signed BPF programs KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 1/5] bpf: Implement signature verification for " KP Singh
2025-10-07 16:42   ` Chris Mason [this message]
2025-09-21 16:01 ` [PATCH bpf-next v7 2/5] libbpf: Update light skeleton for signing KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 3/5] libbpf: Embed and verify the metadata hash in the loader KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 4/5] bpftool: Add support for signing BPF programs KP Singh
2025-09-22 11:24   ` Quentin Monnet
2025-09-23  2:31     ` Alexei Starovoitov
2025-09-23  8:39       ` Quentin Monnet
2025-09-21 16:01 ` [PATCH bpf-next v7 5/5] selftests/bpf: Enable signature verification for some lskel tests KP Singh
2025-09-23  1:26 ` [PATCH bpf-next v7 0/5] Signed BPF programs Paul Moore
2025-09-23  2:30 ` patchwork-bot+netdevbpf
