On Wed, Feb 25, 2026 at 03:29:31PM -0500, Daniel Hodges wrote:
> This patch series enhances BPF's cryptographic functionality by introducing
> kernel functions for SHA hashing and ECDSA signature verification. The changes
> enable BPF programs to verify data integrity and authenticity across
> networking, security, and observability use cases.
>
> The series addresses two gaps in BPF's cryptographic toolkit:
>
> 1. Cryptographic hashing - supports content verification and message digest
> preparation
> 2. Asymmetric signature verification - allows validation of signed data
> without requiring private keys in the datapath
Hi Daniel,

I found your series because I was about to implement something similar to
your hashing implementation. In other words, I'd be very happy to see this
patchset move forward.

Taking an initial look at your hashing patches, I'm wondering: the usual
interface to hash/digest algorithms is to have three functions: an init()
function to set up state, an update() function that can be called multiple
times to hash new bytes, and a finalize() function that creates the actual
hash. Depending on the algorithm, some of them (esp. finalize) may be no-ops.
Often, a fourth function, like hash(), is provided as a convenience, doing one
init/update/finalize cycle when all data to be hashed is already available.

I think we should provide the same init/update/finalize interface in bpf as
well to make the API more flexible. That would require splitting out the
shash_desc from the (mostly static) context. But doing so would also address
the review comment from bpf-ci bot to patch 1.

WDYT?

Thanks,
Felix
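As an added example (not code from Daniel's series, from the kernel crypto API, or from the reply above), here is a minimal userspace SHA-256 that exposes the three-function init/update/finalize interface the reply describes, with the one-shot hash() convenience built on top of it. The per-message state is kept in its own struct, separate from the static algorithm constants, which is the split the reply proposes. All names (sha256_state, sha256_init, sha256_update, sha256_final, sha256_hash, sha256_check) are this example's own and are not the proposed kfunc API.

```c
/* Added example, not code from the patch series, the kernel crypto API or the
 * reply above: a minimal SHA-256 with the init/update/finalize interface
 * described there, plus a one-shot hash() convenience built on it. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Per-message state, the part the reply proposes splitting out of the mostly
 * static algorithm context so that callers can feed data incrementally. */
struct sha256_state {
	uint32_t h[8];     /* chaining value */
	uint64_t len;      /* total bytes absorbed so far */
	uint8_t buf[64];   /* pending partial block and its fill level */
	size_t buflen;
};

static const uint32_t K[64] = {
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
};
static const uint32_t IV[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
				0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

/* Compress one 64-byte block into the chaining value. */
static void sha256_block(uint32_t h[8], const uint8_t p[64])
{
	uint32_t w[64], a, b, c, d, e, f, g, hh, t1, t2;
	int i;
	for (i = 0; i < 16; i++)
		w[i] = (uint32_t)p[4 * i] << 24 | (uint32_t)p[4 * i + 1] << 16 | (uint32_t)p[4 * i + 2] << 8 | p[4 * i + 3];
	for (; i < 64; i++)
		w[i] = w[i - 16] + (ROTR(w[i - 15], 7) ^ ROTR(w[i - 15], 18) ^ (w[i - 15] >> 3)) +
		       w[i - 7] + (ROTR(w[i - 2], 17) ^ ROTR(w[i - 2], 19) ^ (w[i - 2] >> 10));
	a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4]; f = h[5]; g = h[6]; hh = h[7];
	for (i = 0; i < 64; i++) {
		t1 = hh + (ROTR(e, 6) ^ ROTR(e, 11) ^ ROTR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
		t2 = (ROTR(a, 2) ^ ROTR(a, 13) ^ ROTR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
		hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
	}
	h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

void sha256_init(struct sha256_state *s)
{
	memcpy(s->h, IV, sizeof(IV));
	s->len = s->buflen = 0;
}

/* May be called any number of times; bytes are buffered until a block is full. */
void sha256_update(struct sha256_state *s, const uint8_t *p, size_t n)
{
	size_t take = 0;
	for (s->len += n; n > 0; p += take, n -= take) {
		take = 64 - s->buflen < n ? 64 - s->buflen : n;
		memcpy(s->buf + s->buflen, p, take);
		s->buflen += take;
		if (s->buflen == 64)
			sha256_block(s->h, s->buf);
		s->buflen %= 64;  /* 64 -> 0 once the block has been consumed */
	}
}

/* Not a no-op for SHA-256: the 0x80 pad, zero fill and bit-length trailer go here. */
void sha256_final(struct sha256_state *s, uint8_t out[32])
{
	uint64_t bits = s->len * 8;
	uint8_t tail[72] = { 0x80 };
	size_t padlen = (s->buflen < 56 ? 56 : 120) - s->buflen;  /* leaves 8 bytes for the length */
	int i;
	for (i = 0; i < 8; i++)
		tail[padlen + i] = (uint8_t)(bits >> (56 - 8 * i));
	sha256_update(s, tail, padlen + 8);
	for (i = 0; i < 32; i++)
		out[i] = (uint8_t)(s->h[i / 4] >> (24 - 8 * (i % 4)));
}

/* One-shot convenience: a single init/update/final cycle. */
void sha256_hash(const uint8_t *p, size_t n, uint8_t out[32])
{
	struct sha256_state s;
	sha256_init(&s); sha256_update(&s, p, n); sha256_final(&s, out);
}

/* Digest the C string msg, either via sha256_hash() (chunk == 0) or in
 * chunk-byte updates, and return 1 if the lowercase hex matches expected_hex. */
int sha256_check(const char *msg, size_t chunk, const char *expected_hex)
{
	const uint8_t *p = (const uint8_t *)msg;
	size_t n = strlen(msg), off;
	struct sha256_state s;
	uint8_t d[32];
	char hex[65];
	int i;
	if (chunk == 0) {
		sha256_hash(p, n, d);
	} else {
		sha256_init(&s);
		for (off = 0; off < n; off += chunk)
			sha256_update(&s, p + off, n - off < chunk ? n - off : chunk);
		sha256_final(&s, d);
	}
	for (i = 0; i < 32; i++)
		sprintf(hex + 2 * i, "%02x", d[i]);
	return strcmp(hex, expected_hex) == 0;
}
```

sha256_check() feeds the same message either through the one-shot path or through updates of a fixed size and compares the result against a known-answer digest, which is exactly the property the split state buys: the caller need not have all bytes in hand when hashing starts, update() is safe to call repeatedly across block boundaries, and finalize(), far from a no-op for SHA-256, is where the padding and length trailer are absorbed.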

