From: Quentin Monnet <qmo@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: KP Singh <kpsingh@kernel.org>, bpf <bpf@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Blaise Boscaccy <bboscaccy@linux.microsoft.com>,
Paul Moore <paul@paul-moore.com>,
"K. Y. Srinivasan" <kys@microsoft.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Subject: Re: [PATCH bpf-next v7 4/5] bpftool: Add support for signing BPF programs
Date: Tue, 23 Sep 2025 09:39:03 +0100 [thread overview]
Message-ID: <eea720eb-59d3-4836-8db1-6cd59406206c@kernel.org> (raw)
In-Reply-To: <CAADnVQ+S1i5wcW3FK9=KhpTr8nxSBCNCvvZvWShDouTbWt9eig@mail.gmail.com>
2025-09-22 19:31 UTC-0700 ~ Alexei Starovoitov
<alexei.starovoitov@gmail.com>
> On Mon, Sep 22, 2025 at 4:24 AM Quentin Monnet <qmo@kernel.org> wrote:
>>
>> 2025-09-21 18:01 UTC+0200 ~ KP Singh <kpsingh@kernel.org>
>>> Two modes of operation being added:
>>>
>>> Add two modes of operation:
>>>
>>> * For prog load, allow signing a program immediately before loading. This
>>> is essential for command-line testing and administration.
>>>
>>> bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>>>
>>> * For gen skeleton, embed a pre-generated signature into the C skeleton
>>> file. This supports the use of signed programs in compiled applications.
>>>
>>> bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>>>
>>> Generation of the loader program and its metadata map is implemented in
>>> libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
>>> the program and automates the required steps: freezing the map, creating
>>> an exclusive map, loading, and running. Users can use standard libbpf
>>> APIs directly or integrate loader program generation into their own
>>> toolchains.
>>>
>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
>>
>>
>> Acked-by: Quentin Monnet <qmo@kernel.org>
>>
>> Thanks a lot!
>>
>>
>>> ---
>>> .../bpf/bpftool/Documentation/bpftool-gen.rst | 13 +-
>>> .../bpftool/Documentation/bpftool-prog.rst | 14 +-
>>> tools/bpf/bpftool/Makefile | 6 +-
>>> tools/bpf/bpftool/cgroup.c | 4 +
>>> tools/bpf/bpftool/gen.c | 68 +++++-
>>> tools/bpf/bpftool/main.c | 26 ++-
>>> tools/bpf/bpftool/main.h | 11 +
>>> tools/bpf/bpftool/prog.c | 29 ++-
>>> tools/bpf/bpftool/sign.c | 212 ++++++++++++++++++
>>> 9 files changed, 372 insertions(+), 11 deletions(-)
>>> create mode 100644 tools/bpf/bpftool/sign.c
>>>
>>> diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> index ca860fd97d8d..d0a36f442db7 100644
>>> --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>>> @@ -16,7 +16,7 @@ SYNOPSIS
>>>
>>> **bpftool** [*OPTIONS*] **gen** *COMMAND*
>>>
>>> -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
>>> +*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } | [ { **-S** | **--sign** } {**-k** <private_key.pem>} **-i** <certificate.x509> ] }
>>>
>>> *COMMAND* := { **object** | **skeleton** | **help** }
>>>
>>> @@ -186,6 +186,17 @@ OPTIONS
>>> skeleton). A light skeleton contains a loader eBPF program. It does not use
>>> the majority of the libbpf infrastructure, and does not need libelf.
>>>
>>> +-S, --sign
>>> + For skeletons, generate a signed skeleton. This option must be used with
>>> + **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
>>> +
>>> +-k <private_key.pem>
>>> + Path to the private key file in PEM format, required for signing.
>>> +
>>> +-i <certificate.x509>
>>> + Path to the X.509 certificate file in PEM or DER format, required for
>>> + signing.
>>> +
>>> EXAMPLES
>>> ========
>>> **$ cat example1.bpf.c**
>>> diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> index f69fd92df8d8..009633294b09 100644
>>> --- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> +++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>>> @@ -18,7 +18,7 @@ SYNOPSIS
>>>
>>> *OPTIONS* := { |COMMON_OPTIONS| |
>>> { **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
>>> -{ **-L** | **--use-loader** } }
>>> +{ **-L** | **--use-loader** } | [ { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> ] }
>>
>>
>> Perfect, thank you!
>>
>>
>>>
>>> *COMMANDS* :=
>>> { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
>>> @@ -248,6 +248,18 @@ OPTIONS
>>> creating the maps, and loading the programs (see **bpftool prog tracelog**
>>> as a way to dump those messages).
>>>
>>> +-S, --sign
>>> + Enable signing of the BPF program before loading. This option must be
>>> + used with **-k** and **-i**. Using this flag implicitly enables
>>> + **--use-loader**.
>>> +
>>> +-k <private_key.pem>
>>> + Path to the private key file in PEM format, required when signing.
>>> +
>>> +-i <certificate.x509>
>>> + Path to the X.509 certificate file in PEM or DER format, required when
>>> + signing.
>>> +
>>> EXAMPLES
>>> ========
>>> **# bpftool prog show**
>>> diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
>>> index 9e9a5f006cd2..586d1b2595d1 100644
>>> --- a/tools/bpf/bpftool/Makefile
>>> +++ b/tools/bpf/bpftool/Makefile
>>> @@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
>>> endif
>>> endif
>>>
>>> -LIBS = $(LIBBPF) -lelf -lz
>>> -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
>>> +LIBS = $(LIBBPF) -lelf -lz -lcrypto
>>> +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
>>>
>>> ifeq ($(feature-libelf-zstd),1)
>>> LIBS += -lzstd
>>> @@ -194,7 +194,7 @@ endif
>>>
>>> BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>>>
>>> -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
>>> +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>>> $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>>>
>>> OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
>>> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>>> index 944ebe21a216..ec356deb27c9 100644
>>> --- a/tools/bpf/bpftool/cgroup.c
>>> +++ b/tools/bpf/bpftool/cgroup.c
>>> @@ -2,6 +2,10 @@
>>> // Copyright (C) 2017 Facebook
>>> // Author: Roman Gushchin <guro@fb.com>
>>>
>>> +#undef GCC_VERSION
>>> +#ifndef _GNU_SOURCE
>>> +#define _GNU_SOURCE
>>> +#endif
>>> #define _XOPEN_SOURCE 500
>>> #include <errno.h>
>>> #include <fcntl.h>
>>> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
>>> index 67a60114368f..993c7d9484a4 100644
>>> --- a/tools/bpf/bpftool/gen.c
>>> +++ b/tools/bpf/bpftool/gen.c
>>
>>> @@ -1930,7 +1990,7 @@ static int do_help(int argc, char **argv)
>>> " %1$s %2$s help\n"
>>> "\n"
>>> " " HELP_SPEC_OPTIONS " |\n"
>>> - " {-L|--use-loader} }\n"
>>> + " {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
>>
>>
>> With regards to our discussion on v4 - Sorry, I had not realised
>> removing the braces would make the sync test fail. ACK for keeping them
>> until this is resolved in the test.
>>
>> As for the bash completion, I agree this should not block this series.
>> Please make sure to follow-up with it. I think it should be as follows:
>
> Quentin,
> since you wrote the patch can you send it ?
>
Sure, I will
next prev parent reply other threads:[~2025-09-23 8:39 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-21 16:01 [PATCH bpf-next v7 0/5] Signed BPF programs KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 1/5] bpf: Implement signature verification for " KP Singh
2025-10-07 16:42 ` Chris Mason
2025-09-21 16:01 ` [PATCH bpf-next v7 2/5] libbpf: Update light skeleton for signing KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 3/5] libbpf: Embed and verify the metadata hash in the loader KP Singh
2025-09-21 16:01 ` [PATCH bpf-next v7 4/5] bpftool: Add support for signing BPF programs KP Singh
2025-09-22 11:24 ` Quentin Monnet
2025-09-23 2:31 ` Alexei Starovoitov
2025-09-23 8:39 ` Quentin Monnet [this message]
2025-09-21 16:01 ` [PATCH bpf-next v7 5/5] selftests/bpf: Enable signature verification for some lskel tests KP Singh
2025-09-23 1:26 ` [PATCH bpf-next v7 0/5] Signed BPF programs Paul Moore
2025-09-23 2:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eea720eb-59d3-4836-8db1-6cd59406206c@kernel.org \
--to=qmo@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=kys@microsoft.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.