tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

bpf: Move the signature kfuncs to helpers.c

No functional changes, except for the addition of the headers for the
kfuncs so that they can be used for signature verification.

Signed-off-by: KP Singh <kpsingh@kernel.org>
Link: https://lore.kernel.org/r/20250914215141.15144-8-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

KP Singh and committed by
Alexei Starovoitov 8cd189e4 ea2e6467

+198 -183
+32
include/linux/bpf.h
··· 3424 3424 #endif /* CONFIG_BPF_SYSCALL */ 3425 3425 #endif /* defined(CONFIG_INET) && defined(CONFIG_BPF_SYSCALL) */ 3426 3426 3427 + #if defined(CONFIG_KEYS) && defined(CONFIG_BPF_SYSCALL) 3428 + 3429 + struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags); 3430 + struct bpf_key *bpf_lookup_system_key(u64 id); 3431 + void bpf_key_put(struct bpf_key *bkey); 3432 + int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p, 3433 + struct bpf_dynptr *sig_p, 3434 + struct bpf_key *trusted_keyring); 3435 + 3436 + #else 3437 + static inline struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) 3438 + { 3439 + return NULL; 3440 + } 3441 + 3442 + static inline struct bpf_key *bpf_lookup_system_key(u64 id) 3443 + { 3444 + return NULL; 3445 + } 3446 + 3447 + static inline void bpf_key_put(struct bpf_key *bkey) 3448 + { 3449 + } 3450 + 3451 + static inline int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p, 3452 + struct bpf_dynptr *sig_p, 3453 + struct bpf_key *trusted_keyring) 3454 + { 3455 + return -EOPNOTSUPP; 3456 + } 3457 + #endif /* defined(CONFIG_KEYS) && defined(CONFIG_BPF_SYSCALL) */ 3458 + 3427 3459 /* verifier prototypes for helper functions called from eBPF programs */ 3428 3460 extern const struct bpf_func_proto bpf_map_lookup_elem_proto; 3429 3461 extern const struct bpf_func_proto bpf_map_update_elem_proto;
+166
kernel/bpf/helpers.c
··· 25 25 #include <linux/kasan.h> 26 26 #include <linux/bpf_verifier.h> 27 27 #include <linux/uaccess.h> 28 + #include <linux/verification.h> 28 29 29 30 #include "../../lib/kstrtox.h" 30 31 ··· 3748 3747 { 3749 3748 return bpf_strnstr(s1__ign, s2__ign, XATTR_SIZE_MAX); 3750 3749 } 3750 + #ifdef CONFIG_KEYS 3751 + /** 3752 + * bpf_lookup_user_key - lookup a key by its serial 3753 + * @serial: key handle serial number 3754 + * @flags: lookup-specific flags 3755 + * 3756 + * Search a key with a given *serial* and the provided *flags*. 3757 + * If found, increment the reference count of the key by one, and 3758 + * return it in the bpf_key structure. 3759 + * 3760 + * The bpf_key structure must be passed to bpf_key_put() when done 3761 + * with it, so that the key reference count is decremented and the 3762 + * bpf_key structure is freed. 3763 + * 3764 + * Permission checks are deferred to the time the key is used by 3765 + * one of the available key-specific kfuncs. 3766 + * 3767 + * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested 3768 + * special keyring (e.g. session keyring), if it doesn't yet exist. 3769 + * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting 3770 + * for the key construction, and to retrieve uninstantiated keys (keys 3771 + * without data attached to them). 3772 + * 3773 + * Return: a bpf_key pointer with a valid key pointer if the key is found, a 3774 + * NULL pointer otherwise. 3775 + */ 3776 + __bpf_kfunc struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags) 3777 + { 3778 + key_ref_t key_ref; 3779 + struct bpf_key *bkey; 3780 + 3781 + if (flags & ~KEY_LOOKUP_ALL) 3782 + return NULL; 3783 + 3784 + /* 3785 + * Permission check is deferred until the key is used, as the 3786 + * intent of the caller is unknown here. 3787 + */ 3788 + key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK); 3789 + if (IS_ERR(key_ref)) 3790 + return NULL; 3791 + 3792 + bkey = kmalloc(sizeof(*bkey), GFP_KERNEL); 3793 + if (!bkey) { 3794 + key_put(key_ref_to_ptr(key_ref)); 3795 + return NULL; 3796 + } 3797 + 3798 + bkey->key = key_ref_to_ptr(key_ref); 3799 + bkey->has_ref = true; 3800 + 3801 + return bkey; 3802 + } 3803 + 3804 + /** 3805 + * bpf_lookup_system_key - lookup a key by a system-defined ID 3806 + * @id: key ID 3807 + * 3808 + * Obtain a bpf_key structure with a key pointer set to the passed key ID. 3809 + * The key pointer is marked as invalid, to prevent bpf_key_put() from 3810 + * attempting to decrement the key reference count on that pointer. The key 3811 + * pointer set in such way is currently understood only by 3812 + * verify_pkcs7_signature(). 3813 + * 3814 + * Set *id* to one of the values defined in include/linux/verification.h: 3815 + * 0 for the primary keyring (immutable keyring of system keys); 3816 + * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring 3817 + * (where keys can be added only if they are vouched for by existing keys 3818 + * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform 3819 + * keyring (primarily used by the integrity subsystem to verify a kexec'ed 3820 + * kerned image and, possibly, the initramfs signature). 3821 + * 3822 + * Return: a bpf_key pointer with an invalid key pointer set from the 3823 + * pre-determined ID on success, a NULL pointer otherwise 3824 + */ 3825 + __bpf_kfunc struct bpf_key *bpf_lookup_system_key(u64 id) 3826 + { 3827 + struct bpf_key *bkey; 3828 + 3829 + if (system_keyring_id_check(id) < 0) 3830 + return NULL; 3831 + 3832 + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); 3833 + if (!bkey) 3834 + return NULL; 3835 + 3836 + bkey->key = (struct key *)(unsigned long)id; 3837 + bkey->has_ref = false; 3838 + 3839 + return bkey; 3840 + } 3841 + 3842 + /** 3843 + * bpf_key_put - decrement key reference count if key is valid and free bpf_key 3844 + * @bkey: bpf_key structure 3845 + * 3846 + * Decrement the reference count of the key inside *bkey*, if the pointer 3847 + * is valid, and free *bkey*. 3848 + */ 3849 + __bpf_kfunc void bpf_key_put(struct bpf_key *bkey) 3850 + { 3851 + if (bkey->has_ref) 3852 + key_put(bkey->key); 3853 + 3854 + kfree(bkey); 3855 + } 3856 + 3857 + /** 3858 + * bpf_verify_pkcs7_signature - verify a PKCS#7 signature 3859 + * @data_p: data to verify 3860 + * @sig_p: signature of the data 3861 + * @trusted_keyring: keyring with keys trusted for signature verification 3862 + * 3863 + * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr* 3864 + * with keys in a keyring referenced by *trusted_keyring*. 3865 + * 3866 + * Return: 0 on success, a negative value on error. 3867 + */ 3868 + __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p, 3869 + struct bpf_dynptr *sig_p, 3870 + struct bpf_key *trusted_keyring) 3871 + { 3872 + #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 3873 + struct bpf_dynptr_kern *data_ptr = (struct bpf_dynptr_kern *)data_p; 3874 + struct bpf_dynptr_kern *sig_ptr = (struct bpf_dynptr_kern *)sig_p; 3875 + const void *data, *sig; 3876 + u32 data_len, sig_len; 3877 + int ret; 3878 + 3879 + if (trusted_keyring->has_ref) { 3880 + /* 3881 + * Do the permission check deferred in bpf_lookup_user_key(). 3882 + * See bpf_lookup_user_key() for more details. 3883 + * 3884 + * A call to key_task_permission() here would be redundant, as 3885 + * it is already done by keyring_search() called by 3886 + * find_asymmetric_key(). 3887 + */ 3888 + ret = key_validate(trusted_keyring->key); 3889 + if (ret < 0) 3890 + return ret; 3891 + } 3892 + 3893 + data_len = __bpf_dynptr_size(data_ptr); 3894 + data = __bpf_dynptr_data(data_ptr, data_len); 3895 + sig_len = __bpf_dynptr_size(sig_ptr); 3896 + sig = __bpf_dynptr_data(sig_ptr, sig_len); 3897 + 3898 + return verify_pkcs7_signature(data, data_len, sig, sig_len, 3899 + trusted_keyring->key, 3900 + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, 3901 + NULL); 3902 + #else 3903 + return -EOPNOTSUPP; 3904 + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ 3905 + } 3906 + #endif /* CONFIG_KEYS */ 3751 3907 3752 3908 __bpf_kfunc_end_defs(); 3753 3909 ··· 3945 3787 BTF_ID_FLAGS(func, bpf_throw) 3946 3788 #ifdef CONFIG_BPF_EVENTS 3947 3789 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS) 3790 + #endif 3791 + #ifdef CONFIG_KEYS 3792 + BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) 3793 + BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL) 3794 + BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE) 3795 + #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 3796 + BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE) 3797 + #endif 3948 3798 #endif 3949 3799 BTF_KFUNCS_END(generic_btf_ids) 3950 3800
-183
kernel/trace/bpf_trace.c
··· 22 22 #include <linux/bsearch.h> 23 23 #include <linux/sort.h> 24 24 #include <linux/key.h> 25 - #include <linux/verification.h> 26 25 #include <linux/namei.h> 27 26 28 27 #include <net/bpf_sk_storage.h> ··· 1239 1240 .ret_type = RET_INTEGER, 1240 1241 .arg1_type = ARG_PTR_TO_CTX, 1241 1242 }; 1242 - 1243 - #ifdef CONFIG_KEYS 1244 - __bpf_kfunc_start_defs(); 1245 - 1246 - /** 1247 - * bpf_lookup_user_key - lookup a key by its serial 1248 - * @serial: key handle serial number 1249 - * @flags: lookup-specific flags 1250 - * 1251 - * Search a key with a given *serial* and the provided *flags*. 1252 - * If found, increment the reference count of the key by one, and 1253 - * return it in the bpf_key structure. 1254 - * 1255 - * The bpf_key structure must be passed to bpf_key_put() when done 1256 - * with it, so that the key reference count is decremented and the 1257 - * bpf_key structure is freed. 1258 - * 1259 - * Permission checks are deferred to the time the key is used by 1260 - * one of the available key-specific kfuncs. 1261 - * 1262 - * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested 1263 - * special keyring (e.g. session keyring), if it doesn't yet exist. 1264 - * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting 1265 - * for the key construction, and to retrieve uninstantiated keys (keys 1266 - * without data attached to them). 1267 - * 1268 - * Return: a bpf_key pointer with a valid key pointer if the key is found, a 1269 - * NULL pointer otherwise. 1270 - */ 1271 - __bpf_kfunc struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags) 1272 - { 1273 - key_ref_t key_ref; 1274 - struct bpf_key *bkey; 1275 - 1276 - if (flags & ~KEY_LOOKUP_ALL) 1277 - return NULL; 1278 - 1279 - /* 1280 - * Permission check is deferred until the key is used, as the 1281 - * intent of the caller is unknown here. 1282 - */ 1283 - key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK); 1284 - if (IS_ERR(key_ref)) 1285 - return NULL; 1286 - 1287 - bkey = kmalloc(sizeof(*bkey), GFP_KERNEL); 1288 - if (!bkey) { 1289 - key_put(key_ref_to_ptr(key_ref)); 1290 - return NULL; 1291 - } 1292 - 1293 - bkey->key = key_ref_to_ptr(key_ref); 1294 - bkey->has_ref = true; 1295 - 1296 - return bkey; 1297 - } 1298 - 1299 - /** 1300 - * bpf_lookup_system_key - lookup a key by a system-defined ID 1301 - * @id: key ID 1302 - * 1303 - * Obtain a bpf_key structure with a key pointer set to the passed key ID. 1304 - * The key pointer is marked as invalid, to prevent bpf_key_put() from 1305 - * attempting to decrement the key reference count on that pointer. The key 1306 - * pointer set in such way is currently understood only by 1307 - * verify_pkcs7_signature(). 1308 - * 1309 - * Set *id* to one of the values defined in include/linux/verification.h: 1310 - * 0 for the primary keyring (immutable keyring of system keys); 1311 - * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring 1312 - * (where keys can be added only if they are vouched for by existing keys 1313 - * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform 1314 - * keyring (primarily used by the integrity subsystem to verify a kexec'ed 1315 - * kerned image and, possibly, the initramfs signature). 1316 - * 1317 - * Return: a bpf_key pointer with an invalid key pointer set from the 1318 - * pre-determined ID on success, a NULL pointer otherwise 1319 - */ 1320 - __bpf_kfunc struct bpf_key *bpf_lookup_system_key(u64 id) 1321 - { 1322 - struct bpf_key *bkey; 1323 - 1324 - if (system_keyring_id_check(id) < 0) 1325 - return NULL; 1326 - 1327 - bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); 1328 - if (!bkey) 1329 - return NULL; 1330 - 1331 - bkey->key = (struct key *)(unsigned long)id; 1332 - bkey->has_ref = false; 1333 - 1334 - return bkey; 1335 - } 1336 - 1337 - /** 1338 - * bpf_key_put - decrement key reference count if key is valid and free bpf_key 1339 - * @bkey: bpf_key structure 1340 - * 1341 - * Decrement the reference count of the key inside *bkey*, if the pointer 1342 - * is valid, and free *bkey*. 1343 - */ 1344 - __bpf_kfunc void bpf_key_put(struct bpf_key *bkey) 1345 - { 1346 - if (bkey->has_ref) 1347 - key_put(bkey->key); 1348 - 1349 - kfree(bkey); 1350 - } 1351 - 1352 - #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 1353 - /** 1354 - * bpf_verify_pkcs7_signature - verify a PKCS#7 signature 1355 - * @data_p: data to verify 1356 - * @sig_p: signature of the data 1357 - * @trusted_keyring: keyring with keys trusted for signature verification 1358 - * 1359 - * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr* 1360 - * with keys in a keyring referenced by *trusted_keyring*. 1361 - * 1362 - * Return: 0 on success, a negative value on error. 1363 - */ 1364 - __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p, 1365 - struct bpf_dynptr *sig_p, 1366 - struct bpf_key *trusted_keyring) 1367 - { 1368 - struct bpf_dynptr_kern *data_ptr = (struct bpf_dynptr_kern *)data_p; 1369 - struct bpf_dynptr_kern *sig_ptr = (struct bpf_dynptr_kern *)sig_p; 1370 - const void *data, *sig; 1371 - u32 data_len, sig_len; 1372 - int ret; 1373 - 1374 - if (trusted_keyring->has_ref) { 1375 - /* 1376 - * Do the permission check deferred in bpf_lookup_user_key(). 1377 - * See bpf_lookup_user_key() for more details. 1378 - * 1379 - * A call to key_task_permission() here would be redundant, as 1380 - * it is already done by keyring_search() called by 1381 - * find_asymmetric_key(). 1382 - */ 1383 - ret = key_validate(trusted_keyring->key); 1384 - if (ret < 0) 1385 - return ret; 1386 - } 1387 - 1388 - data_len = __bpf_dynptr_size(data_ptr); 1389 - data = __bpf_dynptr_data(data_ptr, data_len); 1390 - sig_len = __bpf_dynptr_size(sig_ptr); 1391 - sig = __bpf_dynptr_data(sig_ptr, sig_len); 1392 - 1393 - return verify_pkcs7_signature(data, data_len, sig, sig_len, 1394 - trusted_keyring->key, 1395 - VERIFYING_UNSPECIFIED_SIGNATURE, NULL, 1396 - NULL); 1397 - } 1398 - #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ 1399 - 1400 - __bpf_kfunc_end_defs(); 1401 - 1402 - BTF_KFUNCS_START(key_sig_kfunc_set) 1403 - BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) 1404 - BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL) 1405 - BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE) 1406 - #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 1407 - BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE) 1408 - #endif 1409 - BTF_KFUNCS_END(key_sig_kfunc_set) 1410 - 1411 - static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = { 1412 - .owner = THIS_MODULE, 1413 - .set = &key_sig_kfunc_set, 1414 - }; 1415 - 1416 - static int __init bpf_key_sig_kfuncs_init(void) 1417 - { 1418 - return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, 1419 - &bpf_key_sig_kfunc_set); 1420 - } 1421 - 1422 - late_initcall(bpf_key_sig_kfuncs_init); 1423 - #endif /* CONFIG_KEYS */ 1424 1243 1425 1244 static const struct bpf_func_proto * 1426 1245 bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)