BPF List
* [RFC bpf-next 0/2] bpftool signing feature check
@ 2025-10-29  9:46 Alan Maguire
  2025-10-29  9:46 ` [RFC bpf-next 1/2] tools-build: Add feature test for openssl3 Alan Maguire
  2025-10-29  9:46 ` [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing Alan Maguire
  0 siblings, 2 replies; 8+ messages in thread
From: Alan Maguire @ 2025-10-29  9:46 UTC (permalink / raw)
  To: qmo
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf, Alan Maguire

Add feature check for libcrypto >= 3 needed for bpftool signing and
use that feature test in bpftool compilation.

Patch 1 implements the feature check using a libcrypto function
present in v3.0 and later; patch 2 uses that feature to conditionally
compile signing code.

Alan Maguire (2):
  tools-build: Add feature test for openssl3
  bpftool: Use libcrypto feature test to optionally support signing

 tools/bpf/bpftool/Makefile           | 17 ++++++++++++++---
 tools/bpf/bpftool/gen.c              | 17 ++++++++++++-----
 tools/bpf/bpftool/prog.c             | 12 +++++++-----
 tools/bpf/bpftool/sign.c             |  2 ++
 tools/build/feature/Makefile         |  6 +++++-
 tools/build/feature/test-libcrypto.c | 12 ++++++++++++
 6 files changed, 52 insertions(+), 14 deletions(-)
 create mode 100644 tools/build/feature/test-libcrypto.c

-- 
2.39.3



* [RFC bpf-next 1/2] tools-build: Add feature test for openssl3
  2025-10-29  9:46 [RFC bpf-next 0/2] bpftool signing feature check Alan Maguire
@ 2025-10-29  9:46 ` Alan Maguire
  2025-10-29  9:46 ` [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing Alan Maguire
  1 sibling, 0 replies; 8+ messages in thread
From: Alan Maguire @ 2025-10-29  9:46 UTC (permalink / raw)
  To: qmo
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf, Alan Maguire

Add a test that verifies whether libcrypto has >= openssl3 support; use
the openssl3 function ERR_get_error_all() [1].

[1] https://docs.openssl.org/3.0/man3/ERR_get_error/

Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
---
 tools/build/feature/Makefile         |  6 +++++-
 tools/build/feature/test-libcrypto.c | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 tools/build/feature/test-libcrypto.c

diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile
index 49b0add392b1..380087f9170d 100644
--- a/tools/build/feature/Makefile
+++ b/tools/build/feature/Makefile
@@ -22,6 +22,7 @@ FILES=                                          \
          test-cplus-demangle.bin                \
          test-cxa-demangle.bin                  \
          test-libcap.bin			\
+         test-libcrypto.bin			\
          test-libelf.bin                        \
          test-libelf-getphdrnum.bin             \
          test-libelf-gelf_getnote.bin           \
@@ -107,7 +108,7 @@ all: $(FILES)
 __BUILD = $(CC) $(CFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.c,$(@F)) $(LDFLAGS)
   BUILD = $(__BUILD) > $(@:.bin=.make.output) 2>&1
   BUILD_BFD = $(BUILD) -DPACKAGE='"perf"' -lbfd -ldl
-  BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd
+  BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lcrypto -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd
 
 __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$(@F)) $(LDFLAGS)
   BUILDXX = $(__BUILDXX) > $(@:.bin=.make.output) 2>&1
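Review bot: adding -lcrypto to BUILD_ALL (while dropping the duplicated -lelf) links the combined test-all probe against libcrypto, but the diffstat lists no change to test-all.c, so test-all.c never compiles test-libcrypto.c and the link succeeds equally well against an OpenSSL 1.1 libcrypto. When test-all.bin links, Makefile.feature marks every FEATURE_TESTS entry present, so feature-libcrypto would be set to 1 on exactly the systems this series is meant to cope with. Either add the usual `#define main main_test_libcrypto` / `#include "test-libcrypto.c"` / `#undef main` block to test-all.c, or leave BUILD_ALL alone and let libcrypto be probed individually.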
@@ -138,6 +139,9 @@ $(OUTPUT)test-bionic.bin:
 $(OUTPUT)test-libcap.bin:
 	$(BUILD) -lcap
 
+$(OUTPUT)test-libcrypto.bin:
+	$(BUILD) -lcrypto
+
 $(OUTPUT)test-libelf.bin:
 	$(BUILD) -lelf
 
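Review bot: the rule links with a bare -lcrypto and no include path, so the probe only ever sees the default system OpenSSL; on distros that ship OpenSSL 3 side by side under /usr/include/openssl3 and /usr/lib64/openssl3 (the case raised later in this thread) it fails even though a usable v3 is installed. Consider letting the probe honour pkg-config output or a user-supplied LIBCRYPTO_CFLAGS / LIBCRYPTO_LDFLAGS (assumed variable names), and pass the same flags through to the bpftool link so the library that was probed is the one that gets linked.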
diff --git a/tools/build/feature/test-libcrypto.c b/tools/build/feature/test-libcrypto.c
new file mode 100644
index 000000000000..b94116e0c44c
--- /dev/null
+++ b/tools/build/feature/test-libcrypto.c
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <openssl/err.h>
+
+/*
+ * ERR_get_error_all() was introduced in openssl3
+ *
+ * https://docs.openssl.org/3.0/man3/ERR_get_error/
+ */
+int main(void)
+{
+	return ERR_get_error_all(NULL, NULL, NULL, NULL, NULL);
+}
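Review bot: main() returns the unsigned long from ERR_get_error_all() truncated to int; harmless for a link probe, but `(void)ERR_get_error_all(NULL, NULL, NULL, NULL, NULL); return 0;` states the intent and will not trip a future -Wconversion in the feature CFLAGS. The comment could also say that this is a compile-and-link check only: nothing is executed, so headers from 3.x paired with an older run-time libcrypto would not be caught here.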
-- 
2.39.3



* [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing
  2025-10-29  9:46 [RFC bpf-next 0/2] bpftool signing feature check Alan Maguire
  2025-10-29  9:46 ` [RFC bpf-next 1/2] tools-build: Add feature test for openssl3 Alan Maguire
@ 2025-10-29  9:46 ` Alan Maguire
  2025-10-29 10:15   ` bot+bpf-ci
  2025-10-29 10:40   ` Quentin Monnet
  1 sibling, 2 replies; 8+ messages in thread
From: Alan Maguire @ 2025-10-29  9:46 UTC (permalink / raw)
  To: qmo
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf, Alan Maguire

New libcrypto test verifies presence of openssl3 needed for BPF
signing; use that feature to conditionally compile signing-related
code so bpftool build will not break in the absence of libcrypto v3.

Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
Suggested-by: Quentin Monnet <qmo@kernel.org>
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
---
 tools/bpf/bpftool/Makefile | 17 ++++++++++++++---
 tools/bpf/bpftool/gen.c    | 17 ++++++++++++-----
 tools/bpf/bpftool/prog.c   | 12 +++++++-----
 tools/bpf/bpftool/sign.c   |  2 ++
 4 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
index 586d1b2595d1..3e59fd97ada8 100644
--- a/tools/bpf/bpftool/Makefile
+++ b/tools/bpf/bpftool/Makefile
@@ -101,6 +101,7 @@ FEATURE_TESTS := clang-bpf-co-re
 FEATURE_TESTS += llvm
 FEATURE_TESTS += libcap
 FEATURE_TESTS += libbfd
+FEATURE_TESTS += libcrypto
 FEATURE_TESTS += libbfd-liberty
 FEATURE_TESTS += libbfd-liberty-z
 FEATURE_TESTS += disassembler-four-args
@@ -110,6 +111,7 @@ FEATURE_TESTS += libelf-zstd
 FEATURE_DISPLAY := clang-bpf-co-re
 FEATURE_DISPLAY += llvm
 FEATURE_DISPLAY += libcap
+FEATURE_DISPLAY += libcrypto
 FEATURE_DISPLAY += libbfd
 FEATURE_DISPLAY += libbfd-liberty
 FEATURE_DISPLAY += libbfd-liberty-z
@@ -130,8 +132,14 @@ include $(FEATURES_DUMP)
 endif
 endif
 
-LIBS = $(LIBBPF) -lelf -lz -lcrypto
-LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
+LIBS = $(LIBBPF) -lelf -lz
+LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
+
+ifeq ($(feature-libcrypto),1)
+CFLAGS += -DUSE_CRYPTO
+LIBS += -lcrypto
+LIBS_BOOTSTRAP += -lcrypto
+endif
 
 ifeq ($(feature-libelf-zstd),1)
 LIBS += -lzstd
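Review bot: when feature-libcrypto is 0 the build silently drops -lcrypto and USE_CRYPTO and produces a bpftool without program signing, with nothing in the build output beyond the feature-display line; given that packagers may not notice the feature is gone, add an else branch with an explicit `$(warning bpftool: libcrypto >= 3 not found, building without BPF program signing)`, or make it an error unless an opt-out variable is set.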
@@ -194,7 +202,10 @@ endif
 
 BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
 
-BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
+BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
+ifeq ($(feature-libcrypto),1)
+BOOTSTRAP_OBJS += $(addprefix $(BOOTSTRAP_OUTPUT),sign.o)
+endif
 $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
 
 OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
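Review bot: sign.o is dropped from BOOTSTRAP_OBJS here, but SRCS (not touched by this patch) still feeds sign.c into OBJS for the main binary, so one build compiles sign.c to an empty object while the other leaves it out. Pick one mechanism for both: either filter sign.c out of SRCS under the same ifeq, or keep sign.o in both lists and rely solely on the #ifdef inside sign.c.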
diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
index 993c7d9484a4..257d3c89dc4a 100644
--- a/tools/bpf/bpftool/gen.c
+++ b/tools/bpf/bpftool/gen.c
@@ -688,16 +688,15 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
 static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
 {
 	DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
-	struct bpf_load_and_run_opts sopts = {};
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	struct bpf_map *map;
 
 	char ident[256];
 	int err = 0;
 
+#ifdef USE_CRYPTO
 	if (sign_progs)
 		opts.gen_hash = true;
+#endif
 
 	err = bpf_object__gen_loader(obj, &opts);
 	if (err)
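Review bot: guarding only the use of sign_progs leaves the -S/--sign option itself (parsed in main.c, which the diffstat does not list) accepted on a build without USE_CRYPTO, so `bpftool gen skeleton -L -S -k key.pem -i cert.x509 ...` quietly emits an unsigned loader skeleton. Reject -S with a clear error when USE_CRYPTO is not defined, either in the option parser or here with an `#else` branch along the lines of `if (sign_progs) { p_err("bpftool was built without libcrypto, signing unavailable"); return -EOPNOTSUPP; }`.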
@@ -790,7 +789,12 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 		\n\
 		\";\n");
 
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		struct bpf_load_and_run_opts sopts = {};
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		sopts.insns = opts.insns;
 		sopts.insns_sz = opts.insns_sz;
 		sopts.excl_prog_hash = prog_sha;
@@ -831,7 +835,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 			opts.keyring_id = skel->keyring_id;			\n\
 		");
 	}
-
+#endif /* USE_CRYPTO */
 	codegen("\
 		\n\
 			opts.ctx = (struct bpf_loader_ctx *)skel;	    \n\
@@ -1406,13 +1410,14 @@ static int do_skeleton(int argc, char **argv)
 
 		printf("\t} links;\n");
 	}
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
 		codegen("\
 		\n\
 			__s32 keyring_id;				   \n\
 		");
 	}
+#endif /* USE_CRYPTO */
 
 	if (btf) {
 		err = codegen_datasecs(obj, obj_name);
@@ -1990,7 +1995,9 @@ static int do_help(int argc, char **argv)
 		"       %1$s %2$s help\n"
 		"\n"
 		"       " HELP_SPEC_OPTIONS " |\n"
+#ifdef USE_CRYPTO
 		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
+#endif
 		"",
 		bin_name, "gen");
 
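Review bot: the #ifdef wraps the whole string, which also carries `{-L|--use-loader}` and the closing `}` of the OPTIONS group opened by HELP_SPEC_OPTIONS, so on a build without libcrypto the help output stops mentioning --use-loader (which still works) and the brace is left unbalanced. Split the line so only the `| [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]` part is conditional and the `{-L|--use-loader}` and `}` are always printed.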
diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
index 6daf19809ca4..914b0fc175a4 100644
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -1931,12 +1931,10 @@ static int try_loader(struct gen_loader_opts *gen)
 {
 	struct bpf_load_and_run_opts opts = {};
 	struct bpf_loader_ctx *ctx;
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
 					     sizeof(struct bpf_prog_desc));
 	int log_buf_sz = (1u << 24) - 1;
-	int err, fds_before, fd_delta;
+	int err = 0, fds_before, fd_delta;
 	char *log_buf = NULL;
 
 	ctx = alloca(ctx_sz);
@@ -1947,7 +1945,7 @@ static int try_loader(struct gen_loader_opts *gen)
 		ctx->log_size = log_buf_sz;
 		log_buf = malloc(log_buf_sz);
 		if (!log_buf)
-			return -ENOMEM;
+			goto out;
 		ctx->log_buf = (long) log_buf;
 	}
 	opts.ctx = ctx;
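Review bot: with err now initialised to 0, `goto out` on malloc failure returns 0 to the caller where the old code returned -ENOMEM, so an out-of-memory condition is reported as a successful load; set `err = -ENOMEM;` before the goto (or keep the direct return). The CI bot reply further down flags the same thing.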
@@ -1956,8 +1954,11 @@ static int try_loader(struct gen_loader_opts *gen)
 	opts.insns = gen->insns;
 	opts.insns_sz = gen->insns_sz;
 	fds_before = count_open_fds();
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		opts.excl_prog_hash = prog_sha;
 		opts.excl_prog_hash_sz = sizeof(prog_sha);
 		opts.signature = sig_buf;
@@ -1976,6 +1977,7 @@ static int try_loader(struct gen_loader_opts *gen)
 			goto out;
 		}
 	}
+#endif
 	err = bpf_load_and_run(&opts);
 	fd_delta = count_open_fds() - fds_before;
 	if (err < 0 || verifier_logs) {
diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
index b34f74d210e9..5f613d3e2766 100644
--- a/tools/bpf/bpftool/sign.c
+++ b/tools/bpf/bpftool/sign.c
@@ -3,6 +3,7 @@
  * Copyright (C) 2025 Google LLC.
  */
 
+#ifdef USE_CRYPTO
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
@@ -209,3 +210,4 @@ int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
 	DISPLAY_OSSL_ERR(err < 0);
 	return err;
 }
+#endif /* USE_CRYPTO */
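Review bot: with USE_CRYPTO unset this leaves sign.c as a translation unit containing only comments; ISO C forbids an empty translation unit (-Wpedantic warns about it) and every caller of bpftool_prog_sign() now has to be ifdef'd out as well. A small `#else` branch with `int bpftool_prog_sign(struct bpf_load_and_run_opts *opts) { return -EOPNOTSUPP; }` keeps the object non-empty and gives callers one well-defined failure path instead of scattered preprocessor guards.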
-- 
2.39.3



* Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing
  2025-10-29  9:46 ` [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing Alan Maguire
@ 2025-10-29 10:15   ` bot+bpf-ci
  2025-10-29 10:40   ` Quentin Monnet
  1 sibling, 0 replies; 8+ messages in thread
From: bot+bpf-ci @ 2025-10-29 10:15 UTC (permalink / raw)
  To: alan.maguire, qmo
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf, alan.maguire, ast, andrii, daniel,
	martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai

```
commit d2f495eb79d8b11d0ce090766e078d07cff9a826
Author: Alan Maguire <alan.maguire@oracle.com>

bpftool: Use libcrypto feature test to optionally support signing

This patch adds conditional compilation support for BPF signing
functionality, allowing bpftool to build without libcrypto v3 by
wrapping signing-related code in #ifdef USE_CRYPTO guards.

> diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
> index 6daf19809..914b0fc17 100644
> --- a/tools/bpf/bpftool/prog.c
> +++ b/tools/bpf/bpftool/prog.c

[ ... ]

> @@ -1931,12 +1931,10 @@ static int try_loader(struct gen_loader_opts *gen)
>  {
>  	struct bpf_load_and_run_opts opts = {};
>  	struct bpf_loader_ctx *ctx;
> -	char sig_buf[MAX_SIG_SIZE];
> -	__u8 prog_sha[SHA256_DIGEST_LENGTH];
>  	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
>  					     sizeof(struct bpf_prog_desc));
>  	int log_buf_sz = (1u << 24) - 1;
> -	int err, fds_before, fd_delta;
> +	int err = 0, fds_before, fd_delta;
>  	char *log_buf = NULL;
>
>  	ctx = alloca(ctx_sz);
> @@ -1947,7 +1945,7 @@ static int try_loader(struct gen_loader_opts *gen)
>  		ctx->log_size = log_buf_sz;
>  		log_buf = malloc(log_buf_sz);
>  		if (!log_buf)
> -			return -ENOMEM;
> +			goto out;
                        ^^^^^^^^

When malloc fails here, does err get set to -ENOMEM before the goto?
It looks like err is initialized to 0 at the top of the function, but
there's no assignment before this goto. The old code returned -ENOMEM
directly. Won't this cause malloc failure to return success (0) instead
of -ENOMEM?

>  		ctx->log_buf = (long) log_buf;
>  	}
>  	opts.ctx = ctx;

[ ... ]


```

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

In-Reply-To-Subject: `bpftool: Use libcrypto feature test to optionally support signing`
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/18904020660


* Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing
  2025-10-29  9:46 ` [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing Alan Maguire
  2025-10-29 10:15   ` bot+bpf-ci
@ 2025-10-29 10:40   ` Quentin Monnet
  2025-10-29 11:22     ` Alan Maguire
  1 sibling, 1 reply; 8+ messages in thread
From: Quentin Monnet @ 2025-10-29 10:40 UTC (permalink / raw)
  To: Alan Maguire
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf

2025-10-29 09:46 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
> New libcrypto test verifies presence of openssl3 needed for BPF
> signing; use that feature to conditionally compile signing-related
> code so bpftool build will not break in the absence of libcrypto v3.


Hi Alan, thanks for this work!


> 
> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
> Suggested-by: Quentin Monnet <qmo@kernel.org>


This is not exactly what I suggested, I mentioned adding such a feature
check and printing a more user-friendly error message at build time if
the dependency is missing, not leaving out the program signing feature.

I've got reservations about the current approach: my concern is that
people packaging bpftool may prefer to compile and ship it without
program signing, if their build environment does not include the OpenSSL
dependency. But it seems to me that it will be an important feature
going forward, and that bpftool should ship with it.

Regarding the OpenSSL v3 vs. older version concern (from the build
failure report thread):

> One issue here is that some distros package openssl v3 such that the
> #include files are in /usr/include/openssl3 and libraries in
> /usr/lib64/openssl3 so that older versions can co-exist. Maybe we could
> figure out a feature test that handles that too?

In that case, we should have a feature probe that gives us the right
build parameters to ensure that v3, and not some older version, is
picked when building bpftool? (We could imagine falling back to an older
version, but I see v3.0 is now the oldest OpenSSL supported version so
it's probably not worth it?)

Best regards,
Quentin


* Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing
  2025-10-29 10:40   ` Quentin Monnet
@ 2025-10-29 11:22     ` Alan Maguire
  2025-10-30 13:58       ` Quentin Monnet
  0 siblings, 1 reply; 8+ messages in thread
From: Alan Maguire @ 2025-10-29 11:22 UTC (permalink / raw)
  To: Quentin Monnet
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, yuzhuo,
	charlie, ebiggers, bpf

On 29/10/2025 10:40, Quentin Monnet wrote:
> 2025-10-29 09:46 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
>> New libcrypto test verifies presence of openssl3 needed for BPF
>> signing; use that feature to conditionally compile signing-related
>> code so bpftool build will not break in the absence of libcrypto v3.
> 
> 
> Hi Alan, thanks for this work!
> 
> 
>>
>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
>> Suggested-by: Quentin Monnet <qmo@kernel.org>
> 
> 
> This is not exactly what I suggested, I mentioned adding such a feature
> check and printing a more user-friendly error message at build time if
> the dependency is missing, not leaving out the program signing feature.
> 
> I've got reservations about the current approach: my concern is that
> people packaging bpftool may prefer to compile and ship it without
> program signing, if their build environment does not include the OpenSSL
> dependency. But it seems to me that it will be an important feature
> going forward, and that bpftool should ship with it.
> 
> Regarding the OpenSSL v3 vs. older version concern (from the build
> failure report thread):
> 
>> One issue here is that some distros package openssl v3 such that the
>> #include files are in /usr/include/openssl3 and libraries in
>> /usr/lib64/openssl3 so that older versions can co-exist. Maybe we could
>> figure out a feature test that handles that too?
> 
> In that case, we should have a feature probe that gives us the right
> build parameters to ensure that v3, and not some older version, is
> picked when building bpftool? (We could imagine falling back to an older
> version, but I see v3.0 is now the oldest OpenSSL supported version so
> it's probably not worth it?)
>

Actually there may be a simpler solution here; compilation at least
succeeds for openssl < 3 with the following change

diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
index b34f74d210e9..f9b742f4bb10 100644
--- a/tools/bpf/bpftool/sign.c
+++ b/tools/bpf/bpftool/sign.c
@@ -28,6 +28,12 @@

 #define OPEN_SSL_ERR_BUF_LEN 256

+/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
+#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
+#define ERR_get_error_all(file, line, func, data, flags) \
+       ERR_get_error_line_data(file, line, data, flags)
+#endif
+
 static void display_openssl_errors(int l)
 {
        char buf[OPEN_SSL_ERR_BUF_LEN];
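Review bot: the fallback macro drops the `func` argument, so a caller that passes a non-NULL `func` and reads it afterwards gets an uninitialised pointer on OpenSSL 1.x; that is only safe if display_openssl_errors() passes NULL there, which this excerpt does not show. The `#if !defined(OPENSSL_VERSION_MAJOR)` test also depends on <openssl/opensslv.h> (directly or via another OpenSSL header) being included above line 28; if it is not, a 3.x build is silently redirected to the deprecated ERR_get_error_line_data() and, with deprecation warnings under -Werror, stops building.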


Given that openssl is already a build requirement for the kernel, that
may well be enough to resolve this issue without feature tests etc.
However I can't speak to whether there are other issues with using
openssl v1 aside from the compile-time problem this solves.

Thanks!

Alan


* Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing
  2025-10-29 11:22     ` Alan Maguire
@ 2025-10-30 13:58       ` Quentin Monnet
  2025-10-31 10:11         ` bpftool BPF signing supported using openssl v1? (Was Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing) Alan Maguire
  0 siblings, 1 reply; 8+ messages in thread
From: Quentin Monnet @ 2025-10-30 13:58 UTC (permalink / raw)
  To: Alan Maguire
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, charlie,
	ebiggers, bpf, linux-crypto

2025-10-29 11:22 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
> On 29/10/2025 10:40, Quentin Monnet wrote:
>> 2025-10-29 09:46 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
>>> New libcrypto test verifies presence of openssl3 needed for BPF
>>> signing; use that feature to conditionally compile signing-related
>>> code so bpftool build will not break in the absence of libcrypto v3.
>>
>>
>> Hi Alan, thanks for this work!
>>
>>
>>>
>>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
>>> Suggested-by: Quentin Monnet <qmo@kernel.org>
>>
>>
>> This is not exactly what I suggested, I mentioned adding such a feature
>> check and printing a more user-friendly error message at build time if
>> the dependency is missing, not leaving out the program signing feature.
>>
>> I've got reservations about the current approach: my concern is that
>> people packaging bpftool may prefer to compile and ship it without
>> program signing, if their build environment does not include the OpenSSL
>> dependency. But it seems to me that it will be an important feature
>> going forward, and that bpftool should ship with it.
>>
>> Regarding the OpenSSL v3 vs. older version concern (from the build
>> failure report thread):
>>
>>> One issue here is that some distros package openssl v3 such that the
>>> #include files are in /usr/include/openssl3 and libraries in
>>> /usr/lib64/openssl3 so that older versions can co-exist. Maybe we could
>>> figure out a feature test that handles that too?
>>
>> In that case, we should have a feature probe that gives us the right
>> build parameters to ensure that v3, and not some older version, is
>> picked when building bpftool? (We could imagine falling back to an older
>> version, but I see v3.0 is now the oldest OpenSSL supported version so
>> it's probably not worth it?)
>>
> 
> Actually there may be a simpler solution here; compilation at least
> succeeds for openssl < 3 with the following change
> 
> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
> index b34f74d210e9..f9b742f4bb10 100644
> --- a/tools/bpf/bpftool/sign.c
> +++ b/tools/bpf/bpftool/sign.c
> @@ -28,6 +28,12 @@
> 
>  #define OPEN_SSL_ERR_BUF_LEN 256
> 
> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
> +#define ERR_get_error_all(file, line, func, data, flags) \
> +       ERR_get_error_line_data(file, line, data, flags)
> +#endif
> +
>  static void display_openssl_errors(int l)
>  {
>         char buf[OPEN_SSL_ERR_BUF_LEN];
> 
> 
> Given that openssl is already a build requirement for the kernel, that
> may well be enough to resolve this issue without feature tests etc.
> However I can't speak to whether there are other issues with using
> openssl v1 aside from the compile-time problem this solves.


I'm equally unfamiliar with the risks associated with older OpenSSL
versions. Other than that, it sounds like a good solution to me. As
Namhyung pointed out, bpftool's build affects other things like perf, or
kernel build itself (for preloaded BPF iterators), so aligning
requirements with the ones from the kernel would make sense. From
Documentation/process/changes.rst I see that the minimal requirement for
OpenSSL is v1.0.0, so your suggestion is probably acceptable?

Quentin


* bpftool BPF signing supported using openssl v1? (Was Re: [RFC bpf-next 2/2] bpftool: Use libcrypto feature test to optionally support signing)
  2025-10-30 13:58       ` Quentin Monnet
@ 2025-10-31 10:11         ` Alan Maguire
  0 siblings, 0 replies; 8+ messages in thread
From: Alan Maguire @ 2025-10-31 10:11 UTC (permalink / raw)
  To: Quentin Monnet
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, terrelln, dsterba,
	acme, irogers, leo.yan, namhyung, tglozar, blakejones, charlie,
	ebiggers, bpf, linux-crypto

On 30/10/2025 13:58, Quentin Monnet wrote:
> 2025-10-29 11:22 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
>> On 29/10/2025 10:40, Quentin Monnet wrote:
>>> 2025-10-29 09:46 UTC+0000 ~ Alan Maguire <alan.maguire@oracle.com>
>>>> New libcrypto test verifies presence of openssl3 needed for BPF
>>>> signing; use that feature to conditionally compile signing-related
>>>> code so bpftool build will not break in the absence of libcrypto v3.
>>>
>>>
>>> Hi Alan, thanks for this work!
>>>
>>>
>>>>
>>>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
>>>> Suggested-by: Quentin Monnet <qmo@kernel.org>
>>>
>>>
>>> This is not exactly what I suggested, I mentioned adding such a feature
>>> check and printing a more user-friendly error message at build time if
>>> the dependency is missing, not leaving out the program signing feature.
>>>
>>> I've got reservations about the current approach: my concern is that
>>> people packaging bpftool may prefer to compile and ship it without
>>> program signing, if their build environment does not include the OpenSSL
>>> dependency. But it seems to me that it will be an important feature
>>> going forward, and that bpftool should ship with it.
>>>
>>> Regarding the OpenSSL v3 vs. older version concern (from the build
>>> failure report thread):
>>>
>>>> One issue here is that some distros package openssl v3 such that the
>>>> #include files are in /usr/include/openssl3 and libraries in
>>>> /usr/lib64/openssl3 so that older versions can co-exist. Maybe we could
>>>> figure out a feature test that handles that too?
>>>
>>> In that case, we should have a feature probe that gives us the right
>>> build parameters to ensure that v3, and not some older version, is
>>> picked when building bpftool? (We could imagine falling back to an older
>>> version, but I see v3.0 is now the oldest OpenSSL supported version so
>>> it's probably not worth it?)
>>>
>>
>> Actually there may be a simpler solution here; compilation at least
>> succeeds for openssl < 3 with the following change
>>
>> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
>> index b34f74d210e9..f9b742f4bb10 100644
>> --- a/tools/bpf/bpftool/sign.c
>> +++ b/tools/bpf/bpftool/sign.c
>> @@ -28,6 +28,12 @@
>>
>>  #define OPEN_SSL_ERR_BUF_LEN 256
>>
>> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
>> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
>> +#define ERR_get_error_all(file, line, func, data, flags) \
>> +       ERR_get_error_line_data(file, line, data, flags)
>> +#endif
>> +
>>  static void display_openssl_errors(int l)
>>  {
>>         char buf[OPEN_SSL_ERR_BUF_LEN];
>>
>>
>> Given that openssl is already a build requirement for the kernel, that
>> may well be enough to resolve this issue without feature tests etc.
>> However I can't speak to whether there are other issues with using
>> openssl v1 aside from the compile-time problem this solves.
> 
> 
> I'm equally unfamiliar with the risks associated with older OpenSSL
> versions. Other than that, it sounds like a good solution to me. As
> Namhyung pointed out, bpftool's build affects other things like perf, or
> kernel build itself (for preloaded BPF iterators), so aligning
> requirements with the ones from the kernel would make sense. From
> Documentation/process/changes.rst I see that the minimal requirement for
> OpenSSL is v1.0.0, so your suggestion is probably acceptable?
>

Sounds good to me! It would be good to get clarification from KP on
whether openssl v1 is acceptable, as I couldn't find any openssl
versioning-specific discussion in the threads; I have changed the
subject line accordingly. KP, is openssl v1 ok? FWIW the BPF
fentry_fexit tests that use signed lskels do pass when run using
bpftool+openssl v1 for me:

$ sudo ./test_progs -vvv -t fentry_fexit
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_fentry_fexit:PASS:fentry_skel_load 0 nsec
test_fentry_fexit:PASS:fentry_skel_load 0 nsec
test_fentry_fexit:PASS:fexit_skel_load 0 nsec
test_fentry_fexit:PASS:fexit_skel_load 0 nsec
test_fentry_fexit:PASS:fentry_attach 0 nsec
test_fentry_fexit:PASS:fexit_attach 0 nsec
test_fentry_fexit:PASS:ipv6 test_run 0 nsec
test_fentry_fexit:PASS:ipv6 test retval 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
test_fentry_fexit:PASS:fentry result 0 nsec
test_fentry_fexit:PASS:fexit result 0 nsec
#108     fentry_fexit:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

$ ldd tools/sbin/bpftool
	linux-vdso.so.1 (0x00007f5497efc000)
	libelf.so.1 => /usr/lib64/libelf.so.1 (0x00007f5497800000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f5497400000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f5496e00000)
	^^^^^^^^^^^^^^
	openssl v1

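As an added example (not part of the patch set, the thread, or bpftool itself), the following POSIX sh script does both halves of what the discussion circles around: before the build, it looks for an OpenSSL 3 libcrypto via pkg-config and prints the CFLAGS/LIBS to hand to make, which is the "probe that gives us the right build parameters" Quentin asks for when OpenSSL 3 lives under its own prefix; after the build, it reads ldd output for the binary and reports which libcrypto soname it actually resolved to, the check Alan performs by hand above. The `openssl3` pkg-config module name is an assumption for the side-by-side packaging described (check `pkg-config --list-all` on the target distro), and the ldd sample embedded in the script is constructed to match the shape shown above.

```shell
#!/bin/sh
# Added example, not part of the patch set or of bpftool itself.
# Two checks a packager can run around a bpftool build:
#   1. before building, find an OpenSSL 3 libcrypto via pkg-config, trying
#      a side-by-side "openssl3" module first (assumed module name for the
#      /usr/include/openssl3 layout mentioned in the thread), then the
#      standard module names, and print the CFLAGS/LIBS to pass to make;
#   2. after building, read ldd output for the binary and confirm which
#      libcrypto soname it resolved to, as done by hand in the thread.

# Leading integer of a version string: "3.0.13" -> 3, "1.1.1w" -> 1,
# anything that does not start with a digit -> empty output.
openssl_major() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\).*/\1/p'
}

# Succeed if version string $1 has a major version of at least $2.
version_at_least() {
    maj=$(openssl_major "$1")
    [ -n "$maj" ] && [ "$maj" -ge "$2" ]
}

# Print "CFLAGS|LIBS" for the first pkg-config module that is OpenSSL >= 3.
# Fails (status 1) when pkg-config is missing or no module qualifies, so
# the caller can decide whether to build without signing or to abort.
probe_libcrypto() {
    command -v pkg-config >/dev/null 2>&1 || return 1
    for mod in openssl3 libcrypto openssl; do
        ver=$(pkg-config --modversion "$mod" 2>/dev/null) || continue
        version_at_least "$ver" 3 || continue
        printf '%s|%s\n' "$(pkg-config --cflags "$mod")" "$(pkg-config --libs "$mod")"
        return 0
    done
    return 1
}

# Read ldd output on stdin and print the libcrypto soname major
# ("libcrypto.so.1.1 => ..." -> 1, "libcrypto.so.3 => ..." -> 3).
# Prints nothing if the binary does not link libcrypto at all.
libcrypto_major_from_ldd() {
    sed -n 's/^[[:space:]]*libcrypto\.so\.\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed if the binary at $1 links a libcrypto with soname major >= 3.
check_bpftool_libcrypto() {
    maj=$(ldd "$1" 2>/dev/null | libcrypto_major_from_ldd)
    [ -n "$maj" ] && [ "$maj" -ge 3 ]
}

# Constructed ldd output, in the shape the thread shows for an openssl v1 build.
SAMPLE_LDD='	libelf.so.1 => /usr/lib64/libelf.so.1 (0x00007f5497800000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f5496e00000)'

if flags=$(probe_libcrypto); then
    echo "build: libcrypto >= 3 found, CFLAGS|LIBS = $flags"
else
    echo "build: no OpenSSL 3 libcrypto via pkg-config; bpftool would build without signing"
fi
echo "sample binary links libcrypto major $(printf '%s\n' "$SAMPLE_LDD" | libcrypto_major_from_ldd)"
if [ -n "${1:-}" ]; then
    if check_bpftool_libcrypto "$1"; then
        echo "$1: OK, links libcrypto >= 3"
    else
        echo "$1: links a libcrypto older than 3, or none at all"
    fi
fi
```

Run it as `sh check-libcrypto.sh tools/sbin/bpftool` after `make`; if its verdict and the in-tree feature probe disagree, the compiler output the probe captured in `test-libcrypto.make.output` under the feature output directory shows why the in-tree test failed.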
