* [PATCH bpf-next 0/2] Ease BPF signing build requirements @ 2025-11-14 22:22 Alan Maguire 2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire 2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire 0 siblings, 2 replies; 9+ messages in thread From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw) To: qmo Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf, Alan Maguire This series makes it easier to build bpftool and selftests with signing support, removing reliance on >= openssl v3 (supporting openssl v1) to build bpftool and not requiring latest xxd to build verification cert header in selftests. Alan Maguire (2): bpftool: Allow bpftool to build with openssl < 3 selftests/bpf: Allow selftests to build with older xxd tools/bpf/bpftool/sign.c | 6 ++++++ tools/testing/selftests/bpf/Makefile | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) -- 2.43.5 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 2025-11-14 22:22 [PATCH bpf-next 0/2] Ease BPF signing build requirements Alan Maguire @ 2025-11-14 22:22 ` Alan Maguire 2025-11-14 22:55 ` Song Liu 2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire 1 sibling, 1 reply; 9+ messages in thread From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw) To: qmo Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf, Alan Maguire ERR_get_error_all()[1] is a openssl v3 API, so to make code compatible with openssl v1 utilize ERR_get_err_line_data instead. Since openssl is already a build requirement for the kernel (minimum requirement openssl 1.0.0), this will allow bpftool to compile where opensslv3 is not available. Signing-related BPF selftests pass with openssl v1. [1] https://docs.openssl.org/3.4/man3/ERR_get_error/ Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs") Signed-off-by: Alan Maguire <alan.maguire@oracle.com> --- tools/bpf/bpftool/sign.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c index b34f74d210e9..f9b742f4bb10 100644 --- a/tools/bpf/bpftool/sign.c +++ b/tools/bpf/bpftool/sign.c @@ -28,6 +28,12 @@ #define OPEN_SSL_ERR_BUF_LEN 256 +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */ +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3) +#define ERR_get_error_all(file, line, func, data, flags) \ + ERR_get_error_line_data(file, line, data, flags) +#endif + static void display_openssl_errors(int l) { char buf[OPEN_SSL_ERR_BUF_LEN]; -- 2.43.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire @ 2025-11-14 22:55 ` Song Liu 2025-11-14 23:03 ` Alan Maguire 0 siblings, 1 reply; 9+ messages in thread From: Song Liu @ 2025-11-14 22:55 UTC (permalink / raw) To: Alan Maguire Cc: qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote: > > ERR_get_error_all()[1] is a openssl v3 API, so to make code > compatible with openssl v1 utilize ERR_get_err_line_data > instead. Since openssl is already a build requirement for > the kernel (minimum requirement openssl 1.0.0), this will > allow bpftool to compile where opensslv3 is not available. > Signing-related BPF selftests pass with openssl v1. > > [1] https://docs.openssl.org/3.4/man3/ERR_get_error/ > > Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs") > Signed-off-by: Alan Maguire <alan.maguire@oracle.com> > --- > tools/bpf/bpftool/sign.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c > index b34f74d210e9..f9b742f4bb10 100644 > --- a/tools/bpf/bpftool/sign.c > +++ b/tools/bpf/bpftool/sign.c > @@ -28,6 +28,12 @@ > > #define OPEN_SSL_ERR_BUF_LEN 256 > > +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */ > +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3) > +#define ERR_get_error_all(file, line, func, data, flags) \ > + ERR_get_error_line_data(file, line, data, flags) > +#endif > + We have func=NULL in display_openssl_errors(). Shall we just use ERR_get_error_line_data instead? Thanks, Song > static void display_openssl_errors(int l) > { > char buf[OPEN_SSL_ERR_BUF_LEN]; > -- > 2.43.5 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 2025-11-14 22:55 ` Song Liu @ 2025-11-14 23:03 ` Alan Maguire 2025-11-14 23:17 ` Song Liu 0 siblings, 1 reply; 9+ messages in thread From: Alan Maguire @ 2025-11-14 23:03 UTC (permalink / raw) To: Song Liu Cc: qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf On 14/11/2025 22:55, Song Liu wrote: > On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote: >> >> ERR_get_error_all()[1] is a openssl v3 API, so to make code >> compatible with openssl v1 utilize ERR_get_err_line_data >> instead. Since openssl is already a build requirement for >> the kernel (minimum requirement openssl 1.0.0), this will >> allow bpftool to compile where opensslv3 is not available. >> Signing-related BPF selftests pass with openssl v1. >> >> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/ >> >> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs") >> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> >> --- >> tools/bpf/bpftool/sign.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c >> index b34f74d210e9..f9b742f4bb10 100644 >> --- a/tools/bpf/bpftool/sign.c >> +++ b/tools/bpf/bpftool/sign.c >> @@ -28,6 +28,12 @@ >> >> #define OPEN_SSL_ERR_BUF_LEN 256 >> >> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */ >> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3) >> +#define ERR_get_error_all(file, line, func, data, flags) \ >> + ERR_get_error_line_data(file, line, data, flags) >> +#endif >> + > > We have func=NULL in display_openssl_errors(). Shall we just use > ERR_get_error_line_data instead? > It's a good idea, and I tried it - unfortunately we then get a "deprecated in v3" warning when we build with opensslv3. So this was the only way I could think of to build on v1 and not get warnings with v3. Thanks! Alan > Thanks, > Song > >> static void display_openssl_errors(int l) >> { >> char buf[OPEN_SSL_ERR_BUF_LEN]; >> -- >> 2.43.5 >> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 2025-11-14 23:03 ` Alan Maguire @ 2025-11-14 23:17 ` Song Liu 2025-11-17 11:53 ` Quentin Monnet 0 siblings, 1 reply; 9+ messages in thread From: Song Liu @ 2025-11-14 23:17 UTC (permalink / raw) To: Alan Maguire Cc: Song Liu, qmo, kpsingh, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf On Fri, Nov 14, 2025 at 3:04 PM Alan Maguire <alan.maguire@oracle.com> wrote: > > On 14/11/2025 22:55, Song Liu wrote: > > On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote: > >> > >> ERR_get_error_all()[1] is a openssl v3 API, so to make code > >> compatible with openssl v1 utilize ERR_get_err_line_data > >> instead. Since openssl is already a build requirement for > >> the kernel (minimum requirement openssl 1.0.0), this will > >> allow bpftool to compile where opensslv3 is not available. > >> Signing-related BPF selftests pass with openssl v1. > >> > >> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/ > >> > >> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs") > >> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> > >> --- > >> tools/bpf/bpftool/sign.c | 6 ++++++ > >> 1 file changed, 6 insertions(+) > >> > >> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c > >> index b34f74d210e9..f9b742f4bb10 100644 > >> --- a/tools/bpf/bpftool/sign.c > >> +++ b/tools/bpf/bpftool/sign.c > >> @@ -28,6 +28,12 @@ > >> > >> #define OPEN_SSL_ERR_BUF_LEN 256 > >> > >> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */ > >> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3) > >> +#define ERR_get_error_all(file, line, func, data, flags) \ > >> + ERR_get_error_line_data(file, line, data, flags) > >> +#endif > >> + > > > > We have func=NULL in display_openssl_errors(). Shall we just use > > ERR_get_error_line_data instead? > > > > It's a good idea, and I tried it - unfortunately we then get a > "deprecated in v3" warning when we build with opensslv3. So this was the > only way I could think of to build on v1 and not get warnings with v3. I see. Thanks for the explanation. This looks good to me. Acked-by: Song Liu <song@kernel.org> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 2025-11-14 23:17 ` Song Liu @ 2025-11-17 11:53 ` Quentin Monnet 0 siblings, 0 replies; 9+ messages in thread From: Quentin Monnet @ 2025-11-17 11:53 UTC (permalink / raw) To: Alan Maguire Cc: Song Liu, kpsingh, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf 2025-11-14 15:17 UTC-0800 ~ Song Liu <song@kernel.org> > On Fri, Nov 14, 2025 at 3:04 PM Alan Maguire <alan.maguire@oracle.com> wrote: >> >> On 14/11/2025 22:55, Song Liu wrote: >>> On Fri, Nov 14, 2025 at 2:23 PM Alan Maguire <alan.maguire@oracle.com> wrote: >>>> >>>> ERR_get_error_all()[1] is a openssl v3 API, so to make code >>>> compatible with openssl v1 utilize ERR_get_err_line_data >>>> instead. Since openssl is already a build requirement for >>>> the kernel (minimum requirement openssl 1.0.0), this will >>>> allow bpftool to compile where opensslv3 is not available. >>>> Signing-related BPF selftests pass with openssl v1. >>>> >>>> [1] https://docs.openssl.org/3.4/man3/ERR_get_error/ >>>> >>>> Fixes: 40863f4d6ef2 ("bpftool: Add support for signing BPF programs") >>>> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> >>>> --- >>>> tools/bpf/bpftool/sign.c | 6 ++++++ >>>> 1 file changed, 6 insertions(+) >>>> >>>> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c >>>> index b34f74d210e9..f9b742f4bb10 100644 >>>> --- a/tools/bpf/bpftool/sign.c >>>> +++ b/tools/bpf/bpftool/sign.c >>>> @@ -28,6 +28,12 @@ >>>> >>>> #define OPEN_SSL_ERR_BUF_LEN 256 >>>> >>>> +/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */ >>>> +#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3) >>>> +#define ERR_get_error_all(file, line, func, data, flags) \ >>>> + ERR_get_error_line_data(file, line, data, flags) >>>> +#endif >>>> + >>> >>> We have func=NULL in display_openssl_errors(). Shall we just use >>> ERR_get_error_line_data instead? >>> >> >> It's a good idea, and I tried it - unfortunately we then get a >> "deprecated in v3" warning when we build with opensslv3. So this was the >> only way I could think of to build on v1 and not get warnings with v3. > > I see. Thanks for the explanation. This looks good to me. > > Acked-by: Song Liu <song@kernel.org> Acked-by: Quentin Monnet <qmo@kernel.org> Thank you Alan! ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd 2025-11-14 22:22 [PATCH bpf-next 0/2] Ease BPF signing build requirements Alan Maguire 2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire @ 2025-11-14 22:22 ` Alan Maguire 2025-11-14 23:06 ` bot+bpf-ci 1 sibling, 1 reply; 9+ messages in thread From: Alan Maguire @ 2025-11-14 22:22 UTC (permalink / raw) To: qmo Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf, Alan Maguire Currently selftests require xxd with the "-n <name>" option which allows the user to specify a name not derived from the input object path. Instead of relying on this newer feature, older xxd can be used if we link our desired name ("test_progs_verification_cert") to the input object. Many distros ship xxd in vim-common package and do not have the latest xxd with -n support. Fixes: b720903e2b14d ("selftests/bpf: Enable signature verification for some lskel tests") Signed-off-by: Alan Maguire <alan.maguire@oracle.com> --- tools/testing/selftests/bpf/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 34ea23c63bd5..8687c17c5084 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP) $(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR) $(VERIFY_SIG_HDR): $(VERIFICATION_CERT) - $(Q)xxd -i -n test_progs_verification_cert $< > $@ + $(Q)ln -fs $< test_progs_verification_cert && \ + xxd -i test_progs_verification_cert > $@ # Define test_progs test runner. TRUNNER_TESTS_DIR := prog_tests -- 2.43.5 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd 2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire @ 2025-11-14 23:06 ` bot+bpf-ci 2025-11-15 11:46 ` Alan Maguire 0 siblings, 1 reply; 9+ messages in thread From: bot+bpf-ci @ 2025-11-14 23:06 UTC (permalink / raw) To: alan.maguire, qmo Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf, alan.maguire, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai [-- Attachment #1: Type: text/plain, Size: 1104 bytes --] > diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile > index 34ea23c63..8687c17c5 100644 > --- a/tools/testing/selftests/bpf/Makefile > +++ b/tools/testing/selftests/bpf/Makefile > @@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP) > $(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR) > > $(VERIFY_SIG_HDR): $(VERIFICATION_CERT) > - $(Q)xxd -i -n test_progs_verification_cert $< > $@ > + $(Q)ln -fs $< test_progs_verification_cert && \ > + xxd -i test_progs_verification_cert > $@ Should the symlink test_progs_verification_cert be added to the cleanup targets? Currently it's not included in EXTRA_CLEAN (lines 903-909), so after running "make clean" the symlink will remain as a dangling link in the source tree. This will appear as an untracked file in git status and is not present in .gitignore. --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19379374420 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd 2025-11-14 23:06 ` bot+bpf-ci @ 2025-11-15 11:46 ` Alan Maguire 0 siblings, 0 replies; 9+ messages in thread From: Alan Maguire @ 2025-11-15 11:46 UTC (permalink / raw) To: bot+bpf-ci, qmo Cc: kpsingh, ast, andrii, daniel, martin.lau, eddyz87, song, yonghong.song, john.fastabend, sdf, haoluo, jolsa, bpf, martin.lau, clm, ihor.solodrai On 14/11/2025 23:06, bot+bpf-ci@kernel.org wrote: >> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile >> index 34ea23c63..8687c17c5 100644 >> --- a/tools/testing/selftests/bpf/Makefile >> +++ b/tools/testing/selftests/bpf/Makefile >> @@ -731,7 +731,8 @@ $(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP) >> $(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR) >> >> $(VERIFY_SIG_HDR): $(VERIFICATION_CERT) >> - $(Q)xxd -i -n test_progs_verification_cert $< > $@ >> + $(Q)ln -fs $< test_progs_verification_cert && \ >> + xxd -i test_progs_verification_cert > $@ > > Should the symlink test_progs_verification_cert be added to the cleanup > targets? Currently it's not included in EXTRA_CLEAN (lines 903-909), so > after running "make clean" the symlink will remain as a dangling link in > the source tree. This will appear as an untracked file in git status and > is not present in .gitignore. > yep, adding the symlink to EXTRA_CLEAN in Makefile and .gitignore is a good catch; I'll wait to see if there's additional feedback before sending a v2 with those changes. Alan > > --- > AI reviewed your patch. Please fix the bug or email reply why it's not a bug. > See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md > > CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19379374420 ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2025-11-17 11:53 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-11-14 22:22 [PATCH bpf-next 0/2] Ease BPF signing build requirements Alan Maguire 2025-11-14 22:22 ` [PATCH bpf-next 1/2] bpftool: Allow bpftool to build with openssl < 3 Alan Maguire 2025-11-14 22:55 ` Song Liu 2025-11-14 23:03 ` Alan Maguire 2025-11-14 23:17 ` Song Liu 2025-11-17 11:53 ` Quentin Monnet 2025-11-14 22:22 ` [PATCH bpf-next 2/2] selftests/bpf: Allow selftests to build with older xxd Alan Maguire 2025-11-14 23:06 ` bot+bpf-ci 2025-11-15 11:46 ` Alan Maguire
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox