On Wed, Dec 17, 2025 at 06:45:14AM +0900, Song Liu wrote: > On Sun, Dec 7, 2025 at 7:01 PM Daniel Hodges <[email protected]> wrote: > > > > Add bpf_crypto_shash module that registers a hash type with the BPF > > crypto infrastructure, enabling BPF programs to access kernel hash > > algorithms through a unified interface. > > > > Update the bpf_crypto_type interface with hash-specific callbacks: > > - alloc_tfm: Allocates crypto_shash context with proper descriptor size > > - free_tfm: Releases hash transform and context memory > > - has_algo: Checks algorithm availability via crypto_has_shash() > > - hash: Performs single-shot hashing via crypto_shash_digest() > > - digestsize: Returns the output size for the hash algorithm > > - get_flags: Exposes transform flags to BPF programs > > > > Update bpf_shash_ctx to contain crypto_shash transform and shash_desc > > descriptor to accommodate algorithm-specific descriptor requirements. > > > > Signed-off-by: Daniel Hodges <[email protected]> > > --- > > crypto/Makefile | 3 ++ > > crypto/bpf_crypto_shash.c | 95 +++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 98 insertions(+) > > create mode 100644 crypto/bpf_crypto_shash.c > > > > diff --git a/crypto/Makefile b/crypto/Makefile > > index 16a35649dd91..853dff375906 100644 > > --- a/crypto/Makefile > > +++ b/crypto/Makefile > > @@ -30,6 +30,9 @@ obj-$(CONFIG_CRYPTO_ECHAINIV) += echainiv.o > > crypto_hash-y += ahash.o > > crypto_hash-y += shash.o > > obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o > > +ifeq ($(CONFIG_BPF_SYSCALL),y) > > +obj-$(CONFIG_CRYPTO_HASH2) += bpf_crypto_shash.o > > +endif > > > > obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o > > obj-$(CONFIG_CRYPTO_SIG2) += sig.o > > diff --git a/crypto/bpf_crypto_shash.c b/crypto/bpf_crypto_shash.c > > new file mode 100644 > > index 000000000000..95c178ec0ce8 > > --- /dev/null > > +++ b/crypto/bpf_crypto_shash.c > > @@ -0,0 +1,95 @@ > > +// SPDX-License-Identifier: GPL-2.0-only > > +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ > > +#include <linux/types.h> > > +#include <linux/module.h> > > +#include <linux/bpf_crypto.h> > > +#include <crypto/hash.h> > > + > > +struct bpf_shash_ctx { > > + struct crypto_shash *tfm; > > + struct shash_desc desc; > > +}; > > + > > +static void *bpf_crypto_shash_alloc_tfm(const char *algo) > > +{ > > + struct bpf_shash_ctx *ctx; > > + struct crypto_shash *tfm; > > + > > + tfm = crypto_alloc_shash(algo, 0, 0); > > + if (IS_ERR(tfm)) > > + return tfm; > > + > > + ctx = kzalloc(sizeof(*ctx) + crypto_shash_descsize(tfm), > > GFP_KERNEL); > > + if (!ctx) { > > + crypto_free_shash(tfm); > > + return ERR_PTR(-ENOMEM); > > + } > > + > > + ctx->tfm = tfm; > > + ctx->desc.tfm = tfm; > > + > > + return ctx; > > +} > > What if we let bpf_crypto_shash_alloc_tfm() return a "struct shash_desc"? > shash_desc->tfm is already struct crypto_shash. This way, we don't need > bpf_shash_ctx any more. Would this work? > > Thanks, > Song Yeah, that's much cleaner than the void * return.
-Daniel
