
Signed BPF + IPE Policies#12156

Open
kernel-patches-daemon-bpf[bot] wants to merge 1 commit into
bpf-net_basefrom
series/1099102=>bpf-net


@kernel-patches-daemon-bpf

Pull request for series with
subject: Signed BPF + IPE Policies
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1099102

@kernel-patches-daemon-bpf
Author

Upstream branch: 254f496
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1099102
version: 1

Pull request is NOT updated. Failed to apply https://patchwork.kernel.org/project/netdevbpf/list/?series=1099102
error message:

Cmd('git') failed due to: exit code(128)
  cmdline: git am --3way
  stdout: 'Applying: bpf: expose signature verdict to LSMs via bpf_prog_aux
Applying: bpf: include prog BTF in the signed loader signature scope
Applying: bpf, libbpf: load prog BTF in the skel_internal loader
Applying: bpf: add bpf_loader_verify_metadata kfunc
Applying: bpf: compute prog->digest at BPF_PROG_LOAD entry
Applying: bpf: resolve loader-style kfunc CALLs against prog BTF
Applying: libbpf: generate prog BTF for loader programs
Using index info to reconstruct a base tree...
M	tools/lib/bpf/gen_loader.c
Falling back to patching base and 3-way merge...
Auto-merging tools/lib/bpf/gen_loader.c
CONFLICT (content): Merge conflict in tools/lib/bpf/gen_loader.c
Patch failed at 0007 libbpf: generate prog BTF for loader programs'
  stderr: 'error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"'

conflict:

diff --cc tools/lib/bpf/gen_loader.c
index cd5c2543f54d,48ac25c058e3..000000000000
--- a/tools/lib/bpf/gen_loader.c
+++ b/tools/lib/bpf/gen_loader.c
@@@ -585,21 -660,34 +660,52 @@@ static void emit_verify_metadata(struc
  	__s64 off;
  	int i;
  
++<<<<<<< HEAD
 +	for (i = 0; i < SHA256_DWORD_SIZE; i++) {
 +		emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_1, BPF_PSEUDO_MAP_IDX,
 +						 0, 0, 0, 0));
 +		emit(gen, BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, i * sizeof(__u64)));
 +		gen->hash_insn_offset[i] = gen->insn_cur - gen->insn_start;
 +		emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_3, 0, 0, 0, 0, 0));
 +
 +		off =  -(gen->insn_cur - gen->insn_start - gen->cleanup_label) / 8 - 1;
 +		if (is_simm16(off)) {
 +			emit(gen, BPF_MOV64_IMM(BPF_REG_7, -EINVAL));
 +			emit(gen, BPF_JMP_REG(BPF_JNE, BPF_REG_2, BPF_REG_3, off));
 +		} else {
 +			gen->error = -ERANGE;
 +			emit(gen, BPF_JMP_IMM(BPF_JA, 0, 0, -1));
 +		}
++=======
+ 	/* arg1: metadata struct bpf_map */
+ 	emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_1, BPF_PSEUDO_MAP_IDX,
+ 					 0, 0, 0, 0));
+ 
+ 	/* arg2: hash buffer on our BPF stack, populated from ld_imm64
+ 	 * immediates patched in by compute_sha_update_offsets() before signing.
+ 	 */
+ 	emit(gen, BPF_MOV64_REG(BPF_REG_2, BPF_REG_10));
+ 	emit(gen, BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, stack_off(metadata_hash)));
+ 	for (i = 0; i < SHA256_DWORD_SIZE; i++) {
+ 		gen->hash_insn_offset[i] = gen->insn_cur - gen->insn_start;
+ 		emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_3, 0, 0, 0, 0, 0));
+ 		emit(gen, BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3,
+ 				      i * sizeof(__u64)));
+ 	}
+ 
+ 	/* arg3: hash length */
+ 	emit(gen, BPF_MOV64_IMM(BPF_REG_3, SHA256_DWORD_SIZE * sizeof(__u64)));
+ 
+ 	emit(gen, BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0,
+ 			       BPF_PSEUDO_KFUNC_CALL_PROG_BTF, 0,
+ 			       gen->loader_btf_func_id));
+ 	emit(gen, BPF_MOV64_REG(BPF_REG_7, BPF_REG_0));
+ 	off = -(gen->insn_cur - gen->insn_start - gen->cleanup_label) / 8 - 1;
+ 	if (is_simm16(off)) {
+ 		emit(gen, BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, off));
+ 	} else {
+ 		gen->error = -ERANGE;
++>>>>>>> libbpf: generate prog BTF for loader programs
  	}
  }
  
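Review bot: On the incoming side of the conflict, the kfunc call and the `BPF_JNE` on its result are the only emitted steps without a comment, although they decide whether the load continues. A comment above the call such as `/* call the metadata-verification kfunc; R0 == 0 is the only success, R7 carries the result to cleanup */` would state the fail-closed contract; whether the kfunc can return a positive value, and how the cleanup path treats a positive R7, is not visible in this hunk and is worth documenting at the same place. The `else` arm records `-ERANGE` but no longer emits the placeholder `emit(gen, BPF_JMP_IMM(BPF_JA, 0, 0, -1));` that the HEAD side has, which may be unintended. Both sides assign `gen->hash_insn_offset[i]` immediately before the `ld_imm64` into `BPF_REG_3`, so the resolution should take one loop whole rather than merge the two, otherwise the offsets patched before signing would point at whichever loop ran last. `emit_verify_metadata()` starts above the hunk, so the declarations of `off`, `i` and the `metadata_hash` stack slot cannot be checked here.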
