Re: [PATCH bpf-next 1/4] bpf: Add SHA hash kfuncs for cryptographic hashing

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
To: Daniel Hodges <git@danielhodges.dev>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	"open list:BPF [CRYPTO]" <bpf@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf-next 1/4] bpf: Add SHA hash kfuncs for cryptographic hashing
Date: Tue, 18 Nov 2025 12:13:39 +0000	[thread overview]
Message-ID: <1f313f86-c0be-4d29-aa90-5c95afa92827@linux.dev> (raw)
In-Reply-To: <20251117211413.1394-2-git@danielhodges.dev>

On 17/11/2025 21:13, Daniel Hodges wrote:
> Add three new kfuncs for computing cryptographic hashes in BPF programs:
> - bpf_sha256_hash(): Computes SHA-256 hash (32-byte output)
> - bpf_sha384_hash(): Computes SHA-384 hash (48-byte output)
> - bpf_sha512_hash(): Computes SHA-512 hash (64-byte output)
> 
> These kfuncs leverage the kernel's existing crypto library (sha256/sha384/
> sha512 functions) and use bpf_dynptr for safe memory access without risk
> of page faults. The functions validate input parameters including checking
> for read-only output buffers and ensuring sufficient buffer sizes.
> 
> This enables BPF programs to compute cryptographic hashes for use cases
> such as content verification, integrity checking, and data authentication.
> 
> Signed-off-by: Daniel Hodges <git@danielhodges.dev>

[...]

> +#if IS_ENABLED(CONFIG_CRYPTO_LIB_SHA256)
> +/**
> + * bpf_sha256_hash() - Compute SHA-256 hash using kernel crypto library
> + * @data: bpf_dynptr to the input data to hash. Must be a trusted pointer.
> + * @out: bpf_dynptr to the output buffer (must be at least 32 bytes). Must be a trusted pointer.
> + *
> + * Computes SHA-256 hash of the input data. Uses bpf_dynptr to ensure safe memory access
> + * without risk of page faults.
> + */
> +__bpf_kfunc int bpf_sha256_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out)
> +{
> +	const struct bpf_dynptr_kern *data_kern = (struct bpf_dynptr_kern *)data;
> +	const struct bpf_dynptr_kern *out_kern = (struct bpf_dynptr_kern *)out;
> +	u32 data_len, out_len;
> +	const u8 *data_ptr;
> +	u8 *out_ptr;
> +
> +	if (__bpf_dynptr_is_rdonly(out_kern))
> +		return -EINVAL;

__bpf_dynptr_data_rw() contains __bpf_dynptr_is_rdonly() check, no need
to do it again explicitly. This applies to all helpers

> +
> +	data_len = __bpf_dynptr_size(data_kern);
> +	out_len = __bpf_dynptr_size(out_kern);
> +
> +	if (data_len == 0 || out_len < 32)
> +		return -EINVAL;
> +
> +	data_ptr = __bpf_dynptr_data(data_kern, data_len);
> +	if (!data_ptr)
> +		return -EINVAL;
> +
> +	out_ptr = __bpf_dynptr_data_rw(out_kern, out_len);
> +	if (!out_ptr)
> +		return -EINVAL;
> +
> +	sha256(data_ptr, data_len, out_ptr);
> +
> +	return 0;
> +}

next prev parent reply	other threads:[~2025-11-18 12:13 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20251117211413.1394-1-git@danielhodges.dev>
2025-11-17 21:13 ` [PATCH bpf-next 1/4] bpf: Add SHA hash kfuncs for cryptographic hashing Daniel Hodges
2025-11-18 10:11   ` kernel test robot
2025-11-18 12:13   ` Vadim Fedorenko [this message]
2025-11-18 15:53   ` kernel test robot
2025-11-17 21:13 ` [PATCH bpf-next 2/4] selftests/bpf: Add tests for SHA hash kfuncs Daniel Hodges
2025-11-18 13:45   ` Vadim Fedorenko
2025-11-17 21:14 ` [PATCH bpf-next 3/4] bpf: Add ECDSA signature verification kfuncs Daniel Hodges
2025-11-18 17:28   ` kernel test robot
2025-11-17 21:14 ` [PATCH bpf-next 4/4] selftests/bpf: Add tests for " Daniel Hodges

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1f313f86-c0be-4d29-aa90-5c95afa92827@linux.dev \
    --to=vadim.fedorenko@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=git@danielhodges.dev \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=sdf@fomichev.me \
    --cc=song@kernel.org \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox