| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260120184701.23082-4-git@danielhodges.dev>
Date: Tue, 20 Jan 2026 13:46:57 -0500
From: Daniel Hodges <git@...ielhodges.dev>
To: bpf@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Andrii Nakryiko <andrii@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Vadim Fedorenko <vadim.fedorenko@...ux.dev>,
Song Liu <song@...nel.org>,
Mykyta Yatsenko <yatsenko@...a.com>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>,
Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>,
Yonghong Song <yonghong.song@...ux.dev>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org,
Daniel Hodges <git@...ielhodges.dev>
Subject: [PATCH bpf-next v5 3/7] crypto: Add BPF signature algorithm type registration module
Add a new bpf_crypto_sig module that registers signature verification
algorithms with the BPF crypto type system. This enables signature
operations (like ECDSA) to use the unified bpf_crypto_ctx structure
instead of requiring separate context types.
Changes:
- Add verify() callback to bpf_crypto_type for signature verification
- Add bpf_crypto_sig module with:
- alloc_tfm/free_tfm for crypto_sig transform lifecycle
- has_algo to check algorithm availability
- setkey for public key configuration
- verify for signature verification
- get_flags for crypto API flags
This allows ECDSA and other signature verification operations to
integrate with the existing BPF crypto infrastructure.
Signed-off-by: Daniel Hodges <git@...ielhodges.dev>
---
MAINTAINERS | 1 +
crypto/Makefile | 3 ++
crypto/bpf_crypto_sig.c | 67 ++++++++++++++++++++++++++++++++++++++
include/linux/bpf_crypto.h | 2 ++
4 files changed, 73 insertions(+)
create mode 100644 crypto/bpf_crypto_sig.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 4e9b369acd1c..62d712a1f730 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4714,6 +4714,7 @@ M: Vadim Fedorenko <vadim.fedorenko@...ux.dev>
L: bpf@...r.kernel.org
S: Maintained
F: crypto/bpf_crypto_shash.c
+F: crypto/bpf_crypto_sig.c
F: crypto/bpf_crypto_skcipher.c
F: include/linux/bpf_crypto.h
F: kernel/bpf/crypto.c
diff --git a/crypto/Makefile b/crypto/Makefile
index 853dff375906..c9ab98b57bc0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -36,6 +36,9 @@ endif
obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
obj-$(CONFIG_CRYPTO_SIG2) += sig.o
+ifeq ($(CONFIG_BPF_SYSCALL),y)
+obj-$(CONFIG_CRYPTO_SIG2) += bpf_crypto_sig.o
+endif
obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
obj-$(CONFIG_CRYPTO_HKDF) += hkdf.o
diff --git a/crypto/bpf_crypto_sig.c b/crypto/bpf_crypto_sig.c
new file mode 100644
index 000000000000..1d6521a066be
--- /dev/null
+++ b/crypto/bpf_crypto_sig.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */
+#include <linux/types.h>
+#include <linux/module.h>
+#include <linux/bpf_crypto.h>
+#include <linux/crypto.h>
+#include <crypto/sig.h>
+
+static void *bpf_crypto_sig_alloc_tfm(const char *algo)
+{
+ return crypto_alloc_sig(algo, 0, 0);
+}
+
+static void bpf_crypto_sig_free_tfm(void *tfm)
+{
+ crypto_free_sig(tfm);
+}
+
+static int bpf_crypto_sig_has_algo(const char *algo)
+{
+ return crypto_has_alg(algo, CRYPTO_ALG_TYPE_SIG, CRYPTO_ALG_TYPE_MASK);
+}
+
+static u32 bpf_crypto_sig_get_flags(void *tfm)
+{
+ return crypto_tfm_get_flags(crypto_sig_tfm(tfm));
+}
+
+static int bpf_crypto_sig_setkey(void *tfm, const u8 *key, unsigned int keylen)
+{
+ return crypto_sig_set_pubkey(tfm, key, keylen);
+}
+
+static int bpf_crypto_sig_verify(void *tfm, const u8 *sig, unsigned int sig_len,
+ const u8 *msg, unsigned int msg_len)
+{
+ return crypto_sig_verify(tfm, sig, sig_len, msg, msg_len);
+}
+
+static const struct bpf_crypto_type bpf_crypto_sig_type = {
+ .alloc_tfm = bpf_crypto_sig_alloc_tfm,
+ .free_tfm = bpf_crypto_sig_free_tfm,
+ .has_algo = bpf_crypto_sig_has_algo,
+ .get_flags = bpf_crypto_sig_get_flags,
+ .setkey = bpf_crypto_sig_setkey,
+ .verify = bpf_crypto_sig_verify,
+ .owner = THIS_MODULE,
+ .type_id = BPF_CRYPTO_TYPE_SIG,
+ .name = "sig",
+};
+
+static int __init bpf_crypto_sig_init(void)
+{
+ return bpf_crypto_register_type(&bpf_crypto_sig_type);
+}
+
+static void __exit bpf_crypto_sig_exit(void)
+{
+ int err = bpf_crypto_unregister_type(&bpf_crypto_sig_type);
+
+ WARN_ON_ONCE(err);
+}
+
+module_init(bpf_crypto_sig_init);
+module_exit(bpf_crypto_sig_exit);
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Signature algorithm support for BPF");
diff --git a/include/linux/bpf_crypto.h b/include/linux/bpf_crypto.h
index cf2c66f9782b..363ed72561f4 100644
--- a/include/linux/bpf_crypto.h
+++ b/include/linux/bpf_crypto.h
@@ -18,6 +18,8 @@ struct bpf_crypto_type {
int (*encrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv);
int (*decrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv);
int (*hash)(void *tfm, const u8 *data, u8 *out, unsigned int len);
+ int (*verify)(void *tfm, const u8 *sig, unsigned int sig_len,
+ const u8 *msg, unsigned int msg_len);
unsigned int (*ivsize)(void *tfm);
unsigned int (*statesize)(void *tfm);
unsigned int (*digestsize)(void *tfm);
--
2.52.0
Powered by blists - more mailing lists