From: Daniel Hodges <git@danielhodges.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Vadim Fedorenko <vadim.fedorenko@linux.dev>,
Song Liu <song@kernel.org>, Mykyta Yatsenko <yatsenko@meta.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
Yonghong Song <yonghong.song@linux.dev>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org,
Daniel Hodges <git@danielhodges.dev>
Subject: [PATCH bpf-next v5 3/7] crypto: Add BPF signature algorithm type registration module
Date: Tue, 20 Jan 2026 13:46:57 -0500
Message-ID: <20260120184701.23082-4-git@danielhodges.dev>
In-Reply-To: <20260120184701.23082-1-git@danielhodges.dev>
Add a new bpf_crypto_sig module that registers signature verification
algorithms with the BPF crypto type system. This enables signature
operations (like ECDSA) to use the unified bpf_crypto_ctx structure
instead of requiring separate context types.
Changes:
- Add verify() callback to bpf_crypto_type for signature verification
- Add bpf_crypto_sig module with:
  - alloc_tfm/free_tfm for crypto_sig transform lifecycle
  - has_algo to check algorithm availability
  - setkey for public key configuration
  - verify for signature verification
  - get_flags for crypto API flags
This allows ECDSA and other signature verification operations to
integrate with the existing BPF crypto infrastructure.
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
---
MAINTAINERS | 1 +
crypto/Makefile | 3 ++
crypto/bpf_crypto_sig.c | 67 ++++++++++++++++++++++++++++++++++++++
include/linux/bpf_crypto.h | 2 ++
4 files changed, 73 insertions(+)
create mode 100644 crypto/bpf_crypto_sig.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 4e9b369acd1c..62d712a1f730 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4714,6 +4714,7 @@ M: Vadim Fedorenko <vadim.fedorenko@linux.dev>
L: bpf@vger.kernel.org
S: Maintained
F: crypto/bpf_crypto_shash.c
+F: crypto/bpf_crypto_sig.c
F: crypto/bpf_crypto_skcipher.c
F: include/linux/bpf_crypto.h
F: kernel/bpf/crypto.c
diff --git a/crypto/Makefile b/crypto/Makefile
index 853dff375906..c9ab98b57bc0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -36,6 +36,9 @@ endif
obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
obj-$(CONFIG_CRYPTO_SIG2) += sig.o
+ifeq ($(CONFIG_BPF_SYSCALL),y)
+obj-$(CONFIG_CRYPTO_SIG2) += bpf_crypto_sig.o
+endif
obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
obj-$(CONFIG_CRYPTO_HKDF) += hkdf.o
diff --git a/crypto/bpf_crypto_sig.c b/crypto/bpf_crypto_sig.c
new file mode 100644
index 000000000000..1d6521a066be
--- /dev/null
+++ b/crypto/bpf_crypto_sig.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */
+#include <linux/types.h>
+#include <linux/module.h>
+#include <linux/bpf_crypto.h>
+#include <linux/crypto.h>
+#include <crypto/sig.h>
+
+static void *bpf_crypto_sig_alloc_tfm(const char *algo)
+{
+ return crypto_alloc_sig(algo, 0, 0);
+}
+
+static void bpf_crypto_sig_free_tfm(void *tfm)
+{
+ crypto_free_sig(tfm);
+}
+
+static int bpf_crypto_sig_has_algo(const char *algo)
+{
+ return crypto_has_alg(algo, CRYPTO_ALG_TYPE_SIG, CRYPTO_ALG_TYPE_MASK);
+}
+
+static u32 bpf_crypto_sig_get_flags(void *tfm)
+{
+ return crypto_tfm_get_flags(crypto_sig_tfm(tfm));
+}
+
+static int bpf_crypto_sig_setkey(void *tfm, const u8 *key, unsigned int keylen)
+{
+ return crypto_sig_set_pubkey(tfm, key, keylen);
+}
+
+static int bpf_crypto_sig_verify(void *tfm, const u8 *sig, unsigned int sig_len,
+ const u8 *msg, unsigned int msg_len)
+{
+ return crypto_sig_verify(tfm, sig, sig_len, msg, msg_len);
+}
+
+static const struct bpf_crypto_type bpf_crypto_sig_type = {
+ .alloc_tfm = bpf_crypto_sig_alloc_tfm,
+ .free_tfm = bpf_crypto_sig_free_tfm,
+ .has_algo = bpf_crypto_sig_has_algo,
+ .get_flags = bpf_crypto_sig_get_flags,
+ .setkey = bpf_crypto_sig_setkey,
+ .verify = bpf_crypto_sig_verify,
+ .owner = THIS_MODULE,
+ .type_id = BPF_CRYPTO_TYPE_SIG,
+ .name = "sig",
+};
+
+static int __init bpf_crypto_sig_init(void)
+{
+ return bpf_crypto_register_type(&bpf_crypto_sig_type);
+}
+
+static void __exit bpf_crypto_sig_exit(void)
+{
+ int err = bpf_crypto_unregister_type(&bpf_crypto_sig_type);
+
+ WARN_ON_ONCE(err);
+}
+
+module_init(bpf_crypto_sig_init);
+module_exit(bpf_crypto_sig_exit);
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Signature algorithm support for BPF");
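Review bot: `bpf_crypto_sig_type` leaves `.encrypt`, `.decrypt`, `.hash`, `.ivsize`, `.statesize` and `.digestsize` unset, so any path in the BPF crypto core that calls one of them through a context of this type without a NULL check would call a null function pointer in kernel context. The core (kernel/bpf/crypto.c per the MAINTAINERS entry) is not part of this patch, so it cannot be confirmed from here whether context creation and the existing encrypt/decrypt/hash kfuncs test the callback or the `type_id` before calling; that should be verified before a BPF program is able to create a "sig" context. I would record the dependency beside the table, e.g. `/* cipher and hash callbacks intentionally NULL: the core must check before calling */`, or point `.ivsize`/`.statesize` at stubs returning 0 if the core calls them unconditionally.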
diff --git a/include/linux/bpf_crypto.h b/include/linux/bpf_crypto.h
index cf2c66f9782b..363ed72561f4 100644
--- a/include/linux/bpf_crypto.h
+++ b/include/linux/bpf_crypto.h
@@ -18,6 +18,8 @@ struct bpf_crypto_type {
int (*encrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv);
int (*decrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv);
int (*hash)(void *tfm, const u8 *data, u8 *out, unsigned int len);
+ int (*verify)(void *tfm, const u8 *sig, unsigned int sig_len,
+ const u8 *msg, unsigned int msg_len);
unsigned int (*ivsize)(void *tfm);
unsigned int (*statesize)(void *tfm);
unsigned int (*digestsize)(void *tfm);
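Review bot: The new `verify` member carries no comment stating its contract, and for a verification callback the return convention is security-relevant. The only implementation in this patch forwards `crypto_sig_verify()`, which to my knowledge returns 0 for a valid signature and a negative errno otherwise, so a caller that treats the result as a boolean would accept bad signatures. Suggest adding above the member `/* Optional. Returns 0 if sig is valid for msg, negative errno otherwise; msg is passed to crypto_sig_verify() unchanged (a digest for algorithms that sign digests). */`. The struct definition starts and ends outside this hunk.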
--
2.52.0
Thread overview: 11+ messages
2026-01-20 18:46 [PATCH bpf-next v5 0/7] Add cryptographic hash and signature verification kfuncs to BPF Daniel Hodges
2026-01-20 18:46 ` [PATCH bpf-next v5 1/7] bpf: Extend bpf_crypto_type with hash operations Daniel Hodges
2026-01-20 18:46 ` [PATCH bpf-next v5 2/7] crypto: Add BPF hash algorithm type registration module Daniel Hodges
2026-01-20 19:13 ` bot+bpf-ci
2026-04-23 7:44 ` XIAO WU
2026-01-20 18:46 ` Daniel Hodges [this message]
2026-01-20 19:13 ` [PATCH bpf-next v5 3/7] crypto: Add BPF signature " bot+bpf-ci
2026-01-20 18:46 ` [PATCH bpf-next v5 4/7] bpf: Add hash kfunc for cryptographic hashing Daniel Hodges
2026-01-20 18:46 ` [PATCH bpf-next v5 5/7] selftests/bpf: Add tests for bpf_crypto_hash kfunc Daniel Hodges
2026-01-20 18:47 ` [PATCH bpf-next v5 6/7] bpf: Add signature verification kfuncs Daniel Hodges
2026-01-20 18:47 ` [PATCH bpf-next v5 7/7] selftests/bpf: Add tests for " Daniel Hodges