| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1f313f86-c0be-4d29-aa90-5c95afa92827@linux.dev>
Date: Tue, 18 Nov 2025 12:13:39 +0000
From: Vadim Fedorenko <vadim.fedorenko@...ux.dev>
To: Daniel Hodges <git@...ielhodges.dev>, Alexei Starovoitov
<ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
<martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>,
Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>, "open list:BPF [CRYPTO]"
<bpf@...r.kernel.org>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next 1/4] bpf: Add SHA hash kfuncs for cryptographic
hashing
On 17/11/2025 21:13, Daniel Hodges wrote:
> Add three new kfuncs for computing cryptographic hashes in BPF programs:
> - bpf_sha256_hash(): Computes SHA-256 hash (32-byte output)
> - bpf_sha384_hash(): Computes SHA-384 hash (48-byte output)
> - bpf_sha512_hash(): Computes SHA-512 hash (64-byte output)
>
> These kfuncs leverage the kernel's existing crypto library (sha256/sha384/
> sha512 functions) and use bpf_dynptr for safe memory access without risk
> of page faults. The functions validate input parameters including checking
> for read-only output buffers and ensuring sufficient buffer sizes.
>
> This enables BPF programs to compute cryptographic hashes for use cases
> such as content verification, integrity checking, and data authentication.
>
> Signed-off-by: Daniel Hodges <git@...ielhodges.dev>
[...]
> +#if IS_ENABLED(CONFIG_CRYPTO_LIB_SHA256)
> +/**
> + * bpf_sha256_hash() - Compute SHA-256 hash using kernel crypto library
> + * @data: bpf_dynptr to the input data to hash. Must be a trusted pointer.
> + * @out: bpf_dynptr to the output buffer (must be at least 32 bytes). Must be a trusted pointer.
> + *
> + * Computes SHA-256 hash of the input data. Uses bpf_dynptr to ensure safe memory access
> + * without risk of page faults.
> + */
> +__bpf_kfunc int bpf_sha256_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out)
> +{
> + const struct bpf_dynptr_kern *data_kern = (struct bpf_dynptr_kern *)data;
> + const struct bpf_dynptr_kern *out_kern = (struct bpf_dynptr_kern *)out;
> + u32 data_len, out_len;
> + const u8 *data_ptr;
> + u8 *out_ptr;
> +
> + if (__bpf_dynptr_is_rdonly(out_kern))
> + return -EINVAL;
__bpf_dynptr_data_rw() contains __bpf_dynptr_is_rdonly() check, no need
to do it again explicitly. This applies to all helpers
> +
> + data_len = __bpf_dynptr_size(data_kern);
> + out_len = __bpf_dynptr_size(out_kern);
> +
> + if (data_len == 0 || out_len < 32)
> + return -EINVAL;
> +
> + data_ptr = __bpf_dynptr_data(data_kern, data_len);
> + if (!data_ptr)
> + return -EINVAL;
> +
> + out_ptr = __bpf_dynptr_data_rw(out_kern, out_len);
> + if (!out_ptr)
> + return -EINVAL;
> +
> + sha256(data_ptr, data_len, out_ptr);
> +
> + return 0;
> +}
Powered by blists - more mailing lists