Re: [PATCH 1/3] bpf: Add bpf_check_signature

[PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-28
[PATCH 1/3] bpf: Add bpf_check_signature · Blaise Boscaccy <hidden> · 2025-05-28
Re: [PATCH 1/3] bpf: Add bpf_check_signature · kernel test robot <hidden> · 2025-05-29
Re: [PATCH 1/3] bpf: Add bpf_check_signature · Lukas Wunner <lukas@wunner.de> · 2025-05-29
Re: [PATCH 1/3] bpf: Add bpf_check_signature · Blaise Boscaccy <hidden> · 2025-05-29
Re: [PATCH 1/3] bpf: Add bpf_check_signature · Lukas Wunner <lukas@wunner.de> · 2025-05-29
Re: [PATCH 1/3] bpf: Add bpf_check_signature · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-05-29
Re: [PATCH 1/3] bpf: Add bpf_check_signature · Paul Moore <paul@paul-moore.com> · 2025-06-02
Re: [PATCH 1/3] bpf: Add bpf_check_signature · Jarkko Sakkinen <jarkko@kernel.org> · 2025-06-04
[PATCH 2/3] bpf: Support light-skeleton signatures in autogenerated code · Blaise Boscaccy <hidden> · 2025-05-28
[PATCH 3/3] bpftool: Allow signing of light-skeleton programs · Blaise Boscaccy <hidden> · 2025-05-28
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Paul Moore <paul@paul-moore.com> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · KP Singh <kpsingh@kernel.org> · 2025-05-30
Re: [PATCH 0/3] BPF signature verification · Blaise Boscaccy <hidden> · 2025-06-02
Re: [PATCH 0/3] BPF signature verification · Jarkko Sakkinen <jarkko@kernel.org> · 2025-06-04

From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: 2025-05-29 19:36:18
Also in: bpf, keyrings, linux-crypto, lkml

On Thu, 2025-05-29 at 21:31 +0200, Lukas Wunner wrote:

On Thu, May 29, 2025 at 08:32:43AM -0700, Blaise Boscaccy wrote:

quoted

Lukas Wunner [off-list ref] writes:

quoted

Constraining oneself to sha256 doesn't seem future-proof.

Definitely not a bad idea, curious, how would you envision that
looking from an UAPI perspective?

If possible, extend the anonymous struct used by BPF_PROG_LOAD
command with an additional parameter to select the hash algorithm.

Alternatively, create a new command to set the hash algorithm for
subsequent BPF_PROG_LOAD commands.

Both of those look like less than good ideas.  There's not much point
having a hash that's different from the hash used in the signature
(which is currently sha256), so we could simply extract the hash from
the PKCS7 bundle and use that.  We can also get bonus points this way
for not modifying any internal APIs ...

Regards,

James

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help