Add cryptographic hash and signature verification kfuncs to BPF #6470
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Upstream branch: 835a507 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
6d4eb64 to
af4bac7
Compare
Author
|
Upstream branch: 81f88f6 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1030930=>bpf-next
branch
from
6559e96 to
edbaafb
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
af4bac7 to
6ba2fc1
Compare
Author
|
Upstream branch: 5d9fb42 |
Add bpf_crypto_shash module that registers a hash type with the BPF crypto infrastructure, enabling BPF programs to access kernel hash algorithms through a unified interface. Update the bpf_crypto_type interface with hash-specific callbacks: - alloc_tfm: Allocates crypto_shash context with proper descriptor size - free_tfm: Releases hash transform and context memory - has_algo: Checks algorithm availability via crypto_has_shash() - hash: Performs single-shot hashing via crypto_shash_digest() - digestsize: Returns the output size for the hash algorithm - get_flags: Exposes transform flags to BPF programs Update bpf_shash_ctx to contain crypto_shash transform and shash_desc descriptor to accommodate algorithm-specific descriptor requirements. Signed-off-by: Daniel Hodges <[email protected]>
Extend bpf_crypto_type structure with hash operations: - hash(): Performs hashing operation - digestsize(): Returns hash output size Update bpf_crypto_ctx_create() to support keyless operations: - Hash algorithms don't require keys, unlike ciphers - Only validates key presence if type->setkey is defined - Conditionally sets IV/state length for cipher operations only Add bpf_crypto_hash() kfunc that works with any hash algorithm registered in the kernel's crypto API through the BPF crypto type system. This enables BPF programs to compute cryptographic hashes for use cases such as content verification, integrity checking, and data authentication. Signed-off-by: Daniel Hodges <[email protected]>
Add selftests to validate the bpf_crypto_hash works properly. The tests verify both correct functionality and proper error handling. Test Data: All tests use the well-known NIST test vector input "abc" and validate against the standardized expected outputs for each algorithm. This ensures the BPF kfunc wrappers correctly delegate to the kernel crypto library. Signed-off-by: Daniel Hodges <[email protected]>
Add context-based ECDSA signature verification kfuncs: - bpf_ecdsa_ctx_create(): Creates reusable ECDSA context with public key - bpf_ecdsa_verify(): Verifies signatures using the context - bpf_ecdsa_ctx_acquire(): Increments context reference count - bpf_ecdsa_ctx_release(): Releases context with RCU safety The ECDSA implementation supports NIST curves (P-256, P-384, P-521) and uses the kernel's crypto_sig API. Public keys must be in uncompressed format (0x04 || x || y), and signatures are in r || s format. Signed-off-by: Daniel Hodges <[email protected]>
Add selftests to validate the ECDSA signature verification kfuncs introduced in the BPF crypto subsystem. The tests verify both valid signature acceptance and invalid signature rejection using the context-based ECDSA API. The tests use RFC 6979 test vectors for NIST P-256 (secp256r1) with well-known valid signatures. The algorithm "p1363(ecdsa-nist-p256)" is used to handle standard r||s signature format. Signed-off-by: Daniel Hodges <[email protected]>
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1030930=>bpf-next
branch
from
edbaafb to
64f2544
Compare
kernel-patches-daemon-bpf-rc
bot
deleted the
series/1030930=>bpf-next
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: Add cryptographic hash and signature verification kfuncs to BPF
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1030930