Add a new bpf_crypto_sig module that registers signature verification algorithms with the BPF crypto type system. This enables signature operations (like ECDSA) to use the unified bpf_crypto_ctx structure instead of requiring separate context types.
Changes: - Add verify() callback to bpf_crypto_type for signature verification - Add bpf_crypto_sig module with: - alloc_tfm/free_tfm for crypto_sig transform lifecycle - has_algo to check algorithm availability - setkey for public key configuration - verify for signature verification - get_flags for crypto API flags This allows ECDSA and other signature verification operations to integrate with the existing BPF crypto infrastructure. Signed-off-by: Daniel Hodges <[email protected]> --- MAINTAINERS | 1 + crypto/Makefile | 3 ++ crypto/bpf_crypto_sig.c | 67 ++++++++++++++++++++++++++++++++++++++ include/linux/bpf_crypto.h | 2 ++ 4 files changed, 73 insertions(+) create mode 100644 crypto/bpf_crypto_sig.c diff --git a/MAINTAINERS b/MAINTAINERS index 4e9b369acd1c..62d712a1f730 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4714,6 +4714,7 @@ M: Vadim Fedorenko <[email protected]> L: [email protected] S: Maintained F: crypto/bpf_crypto_shash.c +F: crypto/bpf_crypto_sig.c F: crypto/bpf_crypto_skcipher.c F: include/linux/bpf_crypto.h F: kernel/bpf/crypto.c diff --git a/crypto/Makefile b/crypto/Makefile index 853dff375906..c9ab98b57bc0 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -36,6 +36,9 @@ endif obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o obj-$(CONFIG_CRYPTO_SIG2) += sig.o +ifeq ($(CONFIG_BPF_SYSCALL),y) +obj-$(CONFIG_CRYPTO_SIG2) += bpf_crypto_sig.o +endif obj-$(CONFIG_CRYPTO_KPP2) += kpp.o obj-$(CONFIG_CRYPTO_HKDF) += hkdf.o diff --git a/crypto/bpf_crypto_sig.c b/crypto/bpf_crypto_sig.c new file mode 100644 index 000000000000..1d6521a066be --- /dev/null +++ b/crypto/bpf_crypto_sig.c @@ -0,0 +1,67 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ +#include <linux/types.h> +#include <linux/module.h> +#include <linux/bpf_crypto.h> +#include <linux/crypto.h> +#include <crypto/sig.h> + +static void *bpf_crypto_sig_alloc_tfm(const char *algo) +{ + return crypto_alloc_sig(algo, 0, 0); +} + +static void bpf_crypto_sig_free_tfm(void *tfm) +{ + crypto_free_sig(tfm); +} + +static int bpf_crypto_sig_has_algo(const char *algo) +{ + return crypto_has_alg(algo, CRYPTO_ALG_TYPE_SIG, CRYPTO_ALG_TYPE_MASK); +} + +static u32 bpf_crypto_sig_get_flags(void *tfm) +{ + return crypto_tfm_get_flags(crypto_sig_tfm(tfm)); +} + +static int bpf_crypto_sig_setkey(void *tfm, const u8 *key, unsigned int keylen) +{ + return crypto_sig_set_pubkey(tfm, key, keylen); +} + +static int bpf_crypto_sig_verify(void *tfm, const u8 *sig, unsigned int sig_len, + const u8 *msg, unsigned int msg_len) +{ + return crypto_sig_verify(tfm, sig, sig_len, msg, msg_len); +} + +static const struct bpf_crypto_type bpf_crypto_sig_type = { + .alloc_tfm = bpf_crypto_sig_alloc_tfm, + .free_tfm = bpf_crypto_sig_free_tfm, + .has_algo = bpf_crypto_sig_has_algo, + .get_flags = bpf_crypto_sig_get_flags, + .setkey = bpf_crypto_sig_setkey, + .verify = bpf_crypto_sig_verify, + .owner = THIS_MODULE, + .type_id = BPF_CRYPTO_TYPE_SIG, + .name = "sig", +}; + +static int __init bpf_crypto_sig_init(void) +{ + return bpf_crypto_register_type(&bpf_crypto_sig_type); +} + +static void __exit bpf_crypto_sig_exit(void) +{ + int err = bpf_crypto_unregister_type(&bpf_crypto_sig_type); + + WARN_ON_ONCE(err); +} + +module_init(bpf_crypto_sig_init); +module_exit(bpf_crypto_sig_exit); +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("Signature algorithm support for BPF"); diff --git a/include/linux/bpf_crypto.h b/include/linux/bpf_crypto.h index cf2c66f9782b..363ed72561f4 100644 --- a/include/linux/bpf_crypto.h +++ b/include/linux/bpf_crypto.h @@ -18,6 +18,8 @@ struct bpf_crypto_type { int (*encrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv); int (*decrypt)(void *tfm, const u8 *src, u8 *dst, unsigned int len, u8 *iv); int (*hash)(void *tfm, const u8 *data, u8 *out, unsigned int len); + int (*verify)(void *tfm, const u8 *sig, unsigned int sig_len, + const u8 *msg, unsigned int msg_len); unsigned int (*ivsize)(void *tfm); unsigned int (*statesize)(void *tfm); unsigned int (*digestsize)(void *tfm); -- 2.52.0
