    bpf: add prog_digest and expose it via fdinfo/netlink · 7bd509e3
    Daniel Borkmann authored
    When loading a BPF program via bpf(2), calculate the digest over
    the program's instruction stream and store it in struct bpf_prog's
    digest member. This is done at a point in time before any instructions
    are rewritten by the verifier. Any unstable map file descriptor
    number part of the imm field will be zeroed for the hash.
    
    fdinfo example output for progs:
    
      # cat /proc/1590/fdinfo/5
      pos:          0
      flags:        02000002
      mnt_id:       11
      prog_type:    1
      prog_jited:   1
      prog_digest:  b27e8b06da22707513aa97363dfb11c7c3675d28
      memlock:      4096
    
    When programs are pinned and retrieved by an ELF loader, the loader
    can check the program's digest through fdinfo and compare it against
    one that was generated over the ELF file's program section to see
    if the program needs to be reloaded. Furthermore, this can also be
    exposed through other means such as netlink in case of a tc cls/act
    dump (or xdp in future), but also through tracepoints or other
    facilities to identify the program. Other than that, the digest can
    also serve as a base name for the work in progress kallsyms support
    of programs. The digest doesn't depend/select the crypto layer, since
    we need to keep dependencies to a minimum. iproute2 will get support
    for this facility.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
verifier.c 92.7 KB