BPF List
* [PATCH bpf-next 0/2] Ease BPF signing build requirements
@ 2025-11-14 22:22 Alan Maguire
  2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire
  2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire
  0 siblings, 2 replies; 9+ messages in thread
From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw)
  To: qmo
  Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf,
	Alan Maguire

This series makes it easier to build bpftool and selftests with
signing support, removing reliance on >= openssl v3 (supporting
openssl v1) to build bpftool and not requiring latest xxd to
build verification cert header in selftests.

Alan Maguire (2):
  bpftool: Allow bpftool to build with openssl < 3
  selftests/bpf: Allow selftests to build with older xxd

 tools/bpf/bpftool/sign.c             | 6 ++++++
 tools/testing/selftests/bpf/Makefile | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

-- 
2.43.5



* [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3
  2025-11-14 22:22 [PATCH bpf-next 0/2] Ease BPF signing build requirements Alan Maguire
@ 2025-11-14 22:22 ` Alan Maguire
  2025-11-14 22:55   ` Song Liu
  2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire
  1 sibling, 1 reply; 9+ messages in thread
From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw)
  To: qmo
  Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf,
	Alan Maguire

ERR_get_error_all()[1] is an openssl v3 API, so to make code
compatible with openssl v1 utilize ERR_get_error_line_data
instead.  Since openssl is already a build requirement for
the kernel (minimum requirement openssl 1.0.0), this will
allow bpftool to compile where opensslv3 is not available.
Signing-related BPF selftests pass with openssl v1.

[1] https://docs.openssl.org/3.4/man3/ERR_get_error/

Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
---
 tools/bpf/bpftool/sign.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
index b34f74d210e9..f9b742f4bb10 100644
--- a/tools/bpf/bpftool/sign.c
+++ b/tools/bpf/bpftool/sign.c
@@ -28,6 +28,12 @@
 
 #define OPEN_SSL_ERR_BUF_LEN 256
 
+/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
+#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
+#define ERR_get_error_all(file, line, func, data, flags) \
+	ERR_get_error_line_data(file, line, data, flags)
+#endif
+
 static void display_openssl_errors(int l)
 {
 	char buf[OPEN_SSL_ERR_BUF_LEN];
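
Review bot: the fallback macro in the #if block discards its func argument without writing to it, so on an openssl < 3 build any caller that passes a non-NULL func pointer would go on to read an uninitialized value. The thread states that display_openssl_errors() passes func=NULL today; extending the comment above the macro to say that func must be NULL, or having the fallback store NULL through a non-NULL func, would keep a later caller from tripping over this. The guard also only works if OPENSSL_VERSION_MAJOR is already visible at this line, so the block needs to stay below the openssl includes; otherwise a v3 build would take the deprecated path and warn.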
-- 
2.43.5



* [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd
  2025-11-14 22:22 [PATCH bpf-next 0/2] Ease BPF signing build requirements Alan Maguire
  2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire
@ 2025-11-14 22:22 ` Alan Maguire
  2025-11-14 23:06   ` bot+bpf-ci
  1 sibling, 1 reply; 9+ messages in thread
From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw)
  To: qmo
  Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf,
	Alan Maguire

Currently selftests require xxd with the "-n <name>" option
which allows the user to specify a name not derived from
the input object path.  Instead of relying on this newer
feature, older xxd can be used if we link our desired name
("test_progs_verification_cert") to the input object.

Many distros ship xxd in vim-common package and do not have
the latest xxd with -n support.

Fixes: b720903e2b14d ("selftests/bpf: Enable signature verification for some lskel tests")
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
---
 tools/testing/selftests/bpf/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 34ea23c63bd5..8687c17c5084 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP)
 	$(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR)
 
 $(VERIFY_SIG_HDR): $(VERIFICATION_CERT)
-	$(Q)xxd -i -n test_progs_verification_cert $< > $@
+	$(Q)ln -fs $< test_progs_verification_cert && \
+	xxd -i test_progs_verification_cert > $@
 
 # Define test_progs test runner.
 TRUNNER_TESTS_DIR := prog_tests
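
Review bot: the ln -fs in the $(VERIFY_SIG_HDR) recipe names the link test_progs_verification_cert with no directory prefix, so it is created in whatever directory the recipe runs from rather than beside $@, and nothing in the recipe removes it once the header is written. The link is only needed while xxd reads it, so consider deleting it in the same recipe after xxd succeeds (xxd -i test_progs_verification_cert > $@ && rm -f test_progs_verification_cert), or creating it in the output directory and running xxd from there so the generated symbol name is unchanged. Two builds that share that working directory would also replace each other's link.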
-- 
2.43.5



* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3
  2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire
@ 2025-11-14 22:55   ` Song Liu
  2025-11-14 23:03     ` Alan Maguire
  0 siblings, 1 reply; 9+ messages in thread
From: Song Liu @ 2025-11-14 22:55 UTC (permalink / raw)
  To: Alan Maguire
  Cc: qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf

On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote:
>
> ERR_get_error_all()[1] is an openssl v3 API, so to make code
> compatible with openssl v1 utilize ERR_get_error_line_data
> instead.  Since openssl is already a build requirement for
> the kernel (minimum requirement openssl 1.0.0), this will
> allow bpftool to compile where opensslv3 is not available.
> Signing-related BPF selftests pass with openssl v1.
>
> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/
>
> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
> Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
> ---
>  tools/bpf/bpftool/sign.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
> index b34f74d210e9..f9b742f4bb10 100644
> --- a/tools/bpf/bpftool/sign.c
> +++ b/tools/bpf/bpftool/sign.c
> @@ -28,6 +28,12 @@
>
>  #define OPEN_SSL_ERR_BUF_LEN 256
>
> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
> +#define ERR_get_error_all(file, line, func, data, flags) \
> +       ERR_get_error_line_data(file, line, data, flags)
> +#endif
> +

We have func=NULL in display_openssl_errors(). Shall we just use
ERR_get_error_line_data instead?

Thanks,
Song

>  static void display_openssl_errors(int l)
>  {
>         char buf[OPEN_SSL_ERR_BUF_LEN];
> --
> 2.43.5
>


* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3
  2025-11-14 22:55   ` Song Liu
@ 2025-11-14 23:03     ` Alan Maguire
  2025-11-14 23:17       ` Song Liu
  0 siblings, 1 reply; 9+ messages in thread
From: Alan Maguire @ 2025-11-14 23:03 UTC (permalink / raw)
  To: Song Liu
  Cc: qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf

On 14/11/2025 22:55, Song Liu wrote:
> On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote:
>>
>> ERR_get_error_all()[1] is an openssl v3 API, so to make code
>> compatible with openssl v1 utilize ERR_get_error_line_data
>> instead.  Since openssl is already a build requirement for
>> the kernel (minimum requirement openssl 1.0.0), this will
>> allow bpftool to compile where opensslv3 is not available.
>> Signing-related BPF selftests pass with openssl v1.
>>
>> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/
>>
>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
>> Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
>> ---
>>  tools/bpf/bpftool/sign.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
>> index b34f74d210e9..f9b742f4bb10 100644
>> --- a/tools/bpf/bpftool/sign.c
>> +++ b/tools/bpf/bpftool/sign.c
>> @@ -28,6 +28,12 @@
>>
>>  #define OPEN_SSL_ERR_BUF_LEN 256
>>
>> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
>> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
>> +#define ERR_get_error_all(file, line, func, data, flags) \
>> +       ERR_get_error_line_data(file, line, data, flags)
>> +#endif
>> +
> 
> We have func=NULL in display_openssl_errors(). Shall we just use
> ERR_get_error_line_data instead?
>

It's a good idea, and I tried it - unfortunately we then get a
"deprecated in v3" warning when we build with opensslv3. So this was the
only way I could think of to build on v1 and not get warnings with v3.

Thanks!

Alan

> Thanks,
> Song
> 
>>  static void display_openssl_errors(int l)
>>  {
>>         char buf[OPEN_SSL_ERR_BUF_LEN];
>> --
>> 2.43.5
>>



* Re: [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd
  2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire
@ 2025-11-14 23:06   ` bot+bpf-ci
  2025-11-15 11:46     ` Alan Maguire
  0 siblings, 1 reply; 9+ messages in thread
From: bot+bpf-ci @ 2025-11-14 23:06 UTC (permalink / raw)
  To: alan.maguire, qmo
  Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf,
	alan.maguire, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, clm, ihor.solodrai

> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
> index 34ea23c63..8687c17c5 100644
> --- a/tools/testing/selftests/bpf/Makefile
> +++ b/tools/testing/selftests/bpf/Makefile
> @@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP)
>  	$(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR)
>
>  $(VERIFY_SIG_HDR): $(VERIFICATION_CERT)
> -	$(Q)xxd -i -n test_progs_verification_cert $< > $@
> +	$(Q)ln -fs $< test_progs_verification_cert && \
> +	xxd -i test_progs_verification_cert > $@

Should the symlink test_progs_verification_cert be added to the cleanup
targets? Currently it's not included in EXTRA_CLEAN (lines 903-909), so
after running "make clean" the symlink will remain as a dangling link in
the source tree. This will appear as an untracked file in git status and
is not present in .gitignore.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19379374420


* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3
  2025-11-14 23:03     ` Alan Maguire
@ 2025-11-14 23:17       ` Song Liu
  2025-11-17 11:53         ` Quentin Monnet
  0 siblings, 1 reply; 9+ messages in thread
From: Song Liu @ 2025-11-14 23:17 UTC (permalink / raw)
  To: Alan Maguire
  Cc: Song Liu, qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf

On Fri, Nov 14, 2025 at 3:04 PM Alan Maguire <alan.maguire@oracle.com> wrote:
>
> On 14/11/2025 22:55, Song Liu wrote:
> > On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote:
> >>
> >> ERR_get_error_all()[1] is an openssl v3 API, so to make code
> >> compatible with openssl v1 utilize ERR_get_error_line_data
> >> instead.  Since openssl is already a build requirement for
> >> the kernel (minimum requirement openssl 1.0.0), this will
> >> allow bpftool to compile where opensslv3 is not available.
> >> Signing-related BPF selftests pass with openssl v1.
> >>
> >> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/
> >>
> >> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
> >> Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
> >> ---
> >>  tools/bpf/bpftool/sign.c | 6 ++++++
> >>  1 file changed, 6 insertions(+)
> >>
> >> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
> >> index b34f74d210e9..f9b742f4bb10 100644
> >> --- a/tools/bpf/bpftool/sign.c
> >> +++ b/tools/bpf/bpftool/sign.c
> >> @@ -28,6 +28,12 @@
> >>
> >>  #define OPEN_SSL_ERR_BUF_LEN 256
> >>
> >> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
> >> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
> >> +#define ERR_get_error_all(file, line, func, data, flags) \
> >> +       ERR_get_error_line_data(file, line, data, flags)
> >> +#endif
> >> +
> >
> > We have func=NULL in display_openssl_errors(). Shall we just use
> > ERR_get_error_line_data instead?
> >
>
> It's a good idea, and I tried it - unfortunately we then get a
> "deprecated in v3" warning when we build with opensslv3. So this was the
> only way I could think of to build on v1 and not get warnings with v3.

I see. Thanks for the explanation. This looks good to me.

Acked-by: Song Liu <song@kernel.org>


* Re: [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd
  2025-11-14 23:06   ` bot+bpf-ci
@ 2025-11-15 11:46     ` Alan Maguire
  0 siblings, 0 replies; 9+ messages in thread
From: Alan Maguire @ 2025-11-15 11:46 UTC (permalink / raw)
  To: bot+bpf-ci, qmo
  Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf,
	martin.lau, clm, ihor.solodrai

On 14/11/2025 23:06, bot+bpf-ci@kernel.org wrote:
>> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
>> index 34ea23c63..8687c17c5 100644
>> --- a/tools/testing/selftests/bpf/Makefile
>> +++ b/tools/testing/selftests/bpf/Makefile
>> @@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP)
>>  	$(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR)
>>
>>  $(VERIFY_SIG_HDR): $(VERIFICATION_CERT)
>> -	$(Q)xxd -i -n test_progs_verification_cert $< > $@
>> +	$(Q)ln -fs $< test_progs_verification_cert && \
>> +	xxd -i test_progs_verification_cert > $@
> 
> Should the symlink test_progs_verification_cert be added to the cleanup
> targets? Currently it's not included in EXTRA_CLEAN (lines 903-909), so
> after running "make clean" the symlink will remain as a dangling link in
> the source tree. This will appear as an untracked file in git status and
> is not present in .gitignore.
> 

yep, adding the symlink to EXTRA_CLEAN in Makefile and .gitignore is a
good catch; I'll wait to see if there's additional feedback before
sending a v2 with those changes.

Alan

> 
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
> 
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19379374420



* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3
  2025-11-14 23:17       ` Song Liu
@ 2025-11-17 11:53         ` Quentin Monnet
  0 siblings, 0 replies; 9+ messages in thread
From: Quentin Monnet @ 2025-11-17 11:53 UTC (permalink / raw)
  To: Alan Maguire
  Cc: Song Liu, kpsingh, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf

2025-11-14 15:17 UTC-0800 ~ Song Liu <song@kernel.org>
> On Fri, Nov 14, 2025 at 3:04 PM Alan Maguire <alan.maguire@oracle.com> wrote:
>>
>> On 14/11/2025 22:55, Song Liu wrote:
>>> On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote:
>>>>
>>>> ERR_get_error_all()[1] is an openssl v3 API, so to make code
>>>> compatible with openssl v1 utilize ERR_get_error_line_data
>>>> instead.  Since openssl is already a build requirement for
>>>> the kernel (minimum requirement openssl 1.0.0), this will
>>>> allow bpftool to compile where opensslv3 is not available.
>>>> Signing-related BPF selftests pass with openssl v1.
>>>>
>>>> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/
>>>>
>>>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs")
>>>> Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
>>>> ---
>>>>  tools/bpf/bpftool/sign.c | 6 ++++++
>>>>  1 file changed, 6 insertions(+)
>>>>
>>>> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
>>>> index b34f74d210e9..f9b742f4bb10 100644
>>>> --- a/tools/bpf/bpftool/sign.c
>>>> +++ b/tools/bpf/bpftool/sign.c
>>>> @@ -28,6 +28,12 @@
>>>>
>>>>  #define OPEN_SSL_ERR_BUF_LEN 256
>>>>
>>>> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
>>>> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
>>>> +#define ERR_get_error_all(file, line, func, data, flags) \
>>>> +       ERR_get_error_line_data(file, line, data, flags)
>>>> +#endif
>>>> +
>>>
>>> We have func=NULL in display_openssl_errors(). Shall we just use
>>> ERR_get_error_line_data instead?
>>>
>>
>> It's a good idea, and I tried it - unfortunately we then get a
>> "deprecated in v3" warning when we build with opensslv3. So this was the
>> only way I could think of to build on v1 and not get warnings with v3.
> 
> I see. Thanks for the explanation. This looks good to me.
> 
> Acked-by: Song Liu <song@kernel.org>


Acked-by: Quentin Monnet <qmo@kernel.org>

Thank you Alan!

