libbpf: Embed and verify the metadata hash in the loader

To fulfill the BPF signing contract, represented as Sig(I_loader ||
H_meta), the generated trusted loader program must verify the integrity
of the metadata. This signature cryptographically binds the loader's
instructions (I_loader) to a hash of the metadata (H_meta).

The verification process is embedded directly into the loader program.
Upon execution, the loader loads the runtime hash from struct bpf_map
i.e. BPF_PSEUDO_MAP_IDX and compares this runtime hash against an
expected hash value that has been hardcoded directly by
bpf_obj__gen_loader.

The load from bpf_map can be improved by calling
BPF_OBJ_GET_INFO_BY_FD from the kernel context after BPF_OBJ_GET_INFO_BY_FD
has been updated for being called from the kernel context.

The following instructions are generated:

ld_imm64 r1, const_ptr_to_map // insn[0].src_reg == BPF_PSEUDO_MAP_IDX
r2 = *(u64 *)(r1 + 0);
ld_imm64 r3, sha256_of_map_part1 // constant precomputed by
bpftool (part of H_meta)
if r2 != r3 goto out;

r2 = *(u64 *)(r1 + 8);
ld_imm64 r3, sha256_of_map_part2 // (part of H_meta)
if r2 != r3 goto out;

r2 = *(u64 *)(r1 + 16);
ld_imm64 r3, sha256_of_map_part3 // (part of H_meta)
if r2 != r3 goto out;

r2 = *(u64 *)(r1 + 24);
ld_imm64 r3, sha256_of_map_part4 // (part of H_meta)
if r2 != r3 goto out;
...

Signed-off-by: KP Singh <kpsingh@kernel.org>
Link: https://lore.kernel.org/r/20250921160120.9711-4-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

KP Singh and committed by

Alexei Starovoitov 8 months ago ea923080 fb2b0e29

+59 -1

3 changed files

expand all

tools

lib

bpf

bpf_gen_internal.h

gen_loader.c

libbpf.h

tools/lib/bpf/bpf_gen_internal.h

··· 4 4 #define __BPF_GEN_INTERNAL_H 5 5 6 6 #include "bpf.h" 7 + #include "libbpf_internal.h" 7 8 8 9 struct ksym_relo_desc { 9 10 const char *name; ··· 51 50 __u32 nr_ksyms; 52 51 int fd_array; 53 52 int nr_fd_array; 53 + int hash_insn_offset[SHA256_DWORD_SIZE]; 54 54 }; 55 55 56 56 void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps);

+55

tools/lib/bpf/gen_loader.c

··· 110 110 111 111 static int add_data(struct bpf_gen *gen, const void *data, __u32 size); 112 112 static void emit_sys_close_blob(struct bpf_gen *gen, int blob_off); 113 + static void emit_signature_match(struct bpf_gen *gen); 113 114 114 115 void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps) 115 116 { ··· 153 152 /* R7 contains the error code from sys_bpf. Copy it into R0 and exit. */ 154 153 emit(gen, BPF_MOV64_REG(BPF_REG_0, BPF_REG_7)); 155 154 emit(gen, BPF_EXIT_INSN()); 155 + if (OPTS_GET(gen->opts, gen_hash, false)) 156 + emit_signature_match(gen); 156 157 } 157 158 158 159 static int add_data(struct bpf_gen *gen, const void *data, __u32 size) ··· 371 368 __emit_sys_close(gen); 372 369 } 373 370 371 + static int compute_sha_udpate_offsets(struct bpf_gen *gen); 372 + 374 373 int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps) 375 374 { 376 375 int i; ··· 399 394 blob_fd_array_off(gen, i)); 400 395 emit(gen, BPF_MOV64_IMM(BPF_REG_0, 0)); 401 396 emit(gen, BPF_EXIT_INSN()); 397 + if (OPTS_GET(gen->opts, gen_hash, false)) { 398 + gen->error = compute_sha_udpate_offsets(gen); 399 + if (gen->error) 400 + return gen->error; 401 + } 402 + 402 403 pr_debug("gen: finish %s\n", errstr(gen->error)); 403 404 if (!gen->error) { 404 405 struct gen_loader_opts *opts = gen->opts; ··· 456 445 } \ 457 446 _val; \ 458 447 }) 448 + 449 + static int compute_sha_udpate_offsets(struct bpf_gen *gen) 450 + { 451 + __u64 sha[SHA256_DWORD_SIZE]; 452 + __u64 sha_dw; 453 + int i, err; 454 + 455 + err = libbpf_sha256(gen->data_start, gen->data_cur - gen->data_start, sha, SHA256_DIGEST_LENGTH); 456 + if (err < 0) { 457 + pr_warn("sha256 computation of the metadata failed"); 458 + return err; 459 + } 460 + for (i = 0; i < SHA256_DWORD_SIZE; i++) { 461 + struct bpf_insn *insn = 462 + (struct bpf_insn *)(gen->insn_start + gen->hash_insn_offset[i]); 463 + sha_dw = tgt_endian(sha[i]); 464 + insn[0].imm = (__u32)sha_dw; 465 + insn[1].imm = sha_dw >> 32; 466 + } 467 + return 0; 468 + } 459 469 460 470 void bpf_gen__load_btf(struct bpf_gen *gen, const void *btf_raw_data, 461 471 __u32 btf_raw_size) ··· 587 555 } 588 556 if (close_inner_map_fd) 589 557 emit_sys_close_stack(gen, stack_off(inner_map_fd)); 558 + } 559 + 560 + static void emit_signature_match(struct bpf_gen *gen) 561 + { 562 + __s64 off; 563 + int i; 564 + 565 + for (i = 0; i < SHA256_DWORD_SIZE; i++) { 566 + emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_1, BPF_PSEUDO_MAP_IDX, 567 + 0, 0, 0, 0)); 568 + emit(gen, BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, i * sizeof(__u64))); 569 + gen->hash_insn_offset[i] = gen->insn_cur - gen->insn_start; 570 + emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_3, 0, 0, 0, 0, 0)); 571 + 572 + off = -(gen->insn_cur - gen->insn_start - gen->cleanup_label) / 8 - 1; 573 + if (is_simm16(off)) { 574 + emit(gen, BPF_MOV64_IMM(BPF_REG_7, -EINVAL)); 575 + emit(gen, BPF_JMP_REG(BPF_JNE, BPF_REG_2, BPF_REG_3, off)); 576 + } else { 577 + gen->error = -ERANGE; 578 + emit(gen, BPF_JMP_IMM(BPF_JA, 0, 0, -1)); 579 + } 580 + } 590 581 } 591 582 592 583 void bpf_gen__record_attach_target(struct bpf_gen *gen, const char *attach_name,

+2 -1

tools/lib/bpf/libbpf.h

··· 1857 1857 const char *insns; 1858 1858 __u32 data_sz; 1859 1859 __u32 insns_sz; 1860 + bool gen_hash; 1860 1861 }; 1861 1862 1862 - #define gen_loader_opts__last_field insns_sz 1863 + #define gen_loader_opts__last_field gen_hash 1863 1864 LIBBPF_API int bpf_object__gen_loader(struct bpf_object *obj, 1864 1865 struct gen_loader_opts *opts); 1865 1866

Configure Feed

Configure Feed