Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Update the bpf_prog_calc_tag to use SHA256

Exclusive maps restrict map access to specific programs using a hash.
The current hash used for this is SHA1, which is prone to collisions.
This patch uses SHA256, which is more resilient against
collisions. This new hash is stored in bpf_prog and used by the verifier
to determine if a program can access a given exclusive map.

The original 64-bit tags are kept, as they are used by users as a short,
possibly colliding program identifier for non-security purposes.

Signed-off-by: KP Singh <kpsingh@kernel.org>
Link: https://lore.kernel.org/r/20250914215141.15144-2-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

KP Singh and committed by
Alexei Starovoitov
603b4416 3547a61e

+8 -5
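--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -31,6 +31,7 @@
 #include <linux/memcontrol.h>
 #include <linux/cfi.h>
 #include <asm/rqspinlock.h>
+#include <crypto/sha2.h>
 
 struct bpf_verifier_env;
 struct bpf_verifier_log;
@@ -1717,7 +1718,10 @@
 enum bpf_attach_type expected_attach_type; /* For some prog types */
 u32 len; /* Number of filter blocks */
 u32 jited_len; /* Size of jited insns in bytes */
-u8 tag[BPF_TAG_SIZE];
+union {
+u8 digest[SHA256_DIGEST_SIZE];
+u8 tag[BPF_TAG_SIZE];
+};
 struct bpf_prog_stats __percpu *stats;
 int __percpu *active;
 unsigned int (*bpf_func)(const void *ctx,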
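Review bot: The new anonymous union carries no comment explaining that `tag` now aliases the leading BPF_TAG_SIZE bytes of `digest`, and that is the one fact a later reader needs in order not to use the short tag for an access decision. I would add above the union something like `/* tag is the first BPF_TAG_SIZE bytes of digest; only digest may back security checks */`. The overlay also silently assumes the tag is no larger than the digest, which `static_assert(BPF_TAG_SIZE <= SHA256_DIGEST_SIZE);` next to the struct would pin down. The enclosing struct starts and ends outside this hunk.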
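--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -3,7 +3,7 @@
 # BPF interpreter that, for example, classic socket filters depend on.
 config BPF
 bool
-select CRYPTO_LIB_SHA1
+select CRYPTO_LIB_SHA256
 
 # Used by archs to tell that they support BPF JIT compiler plus which
 # flavour. Only one of the two can be selected for a specific arch since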
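--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -39,6 +39,7 @@
 #include <linux/bpf_mem_alloc.h>
 #include <linux/memcontrol.h>
 #include <linux/execmem.h>
+#include <crypto/sha2.h>
 
 #include <asm/barrier.h>
 #include <linux/unaligned.h>
@@ -296,7 +297,6 @@
 int bpf_prog_calc_tag(struct bpf_prog *fp)
 {
 size_t size = bpf_prog_insn_size(fp);
-u8 digest[SHA1_DIGEST_SIZE];
 struct bpf_insn *dst;
 bool was_ld_map;
 u32 i;
@@ -327,8 +327,7 @@
 was_ld_map = false;
 }
 }
-sha1((const u8 *)dst, size, digest);
-memcpy(fp->tag, digest, sizeof(fp->tag));
+sha256((u8 *)dst, size, fp->digest);
 vfree(dst);
 return 0;
 }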
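Review bot: In the last hunk, `sha256((u8 *)dst, size, fp->digest);` drops the `const` that the removed sha1() call kept on its input cast; `sha256((const u8 *)dst, size, fp->digest);` states the read-only intent and matches the previous line's style. With the memcpy gone, `fp->tag` is only filled as a side effect of the union declared in bpf.h, so a one-line comment here such as `/* fp->tag aliases the first BPF_TAG_SIZE bytes of fp->digest */` would keep that visible at the write site. The function is still named bpf_prog_calc_tag although it now produces the full digest, and its header comment (outside these hunks, if one exists) should say so. The 64-bit tag value itself presumably changes from a SHA-1 prefix to a SHA-256 prefix, which deserves a mention for tooling that compares tags across kernel versions.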