
Commit 9a4fa0d

Merge pull request #9369 from douzzer/20251027-linuxkm-aarch64-fips
20251027-linuxkm-aarch64-fips
2 parents 5922b5d + 78ff205 commit 9a4fa0d


8 files changed

+281
-162
lines changed


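--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -622,6 +622,7 @@ WC_SHA512
 WC_SKIP_INCLUDED_C_FILES
 WC_SSIZE_TYPE
 WC_STRICT_SIG
+WC_USE_PIE_FENCEPOSTS_FOR_FIPS
 WC_WANT_FLAG_DONT_USE_VECTOR_OPS
 WC_XMSS_FULL_HASH
 WIFIESPAT
@@ -633,7 +634,6 @@ WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
 WOLFSENTRY_H
 WOLFSENTRY_NO_JSON
 WOLFSSL_32BIT_MILLI_TIME
-WOLFSSL_AARCH64_PRIVILEGE_MODE
 WOLFSSL_AESNI_BY4
 WOLFSSL_AESNI_BY6
 WOLFSSL_AES_CTR_EXAMPLE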

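--- a/configure.ac
+++ b/configure.ac
@@ -694,9 +694,9 @@ AC_ARG_ENABLE([linuxkm-pie],
 [ENABLED_LINUXKM_PIE=$enableval],
 [ENABLED_LINUXKM_PIE=$ENABLED_FIPS]
 )
-if test "$ENABLED_LINUXKM_PIE" = "yes"
+if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_LINUXKM_PIE" = "yes"
 then
-AM_CFLAGS="$AM_CFLAGS -DHAVE_LINUXKM_PIE_SUPPORT"
+AM_CFLAGS="$AM_CFLAGS -DWC_PIE_RELOC_TABLES"
 fi
 AC_SUBST([ENABLED_LINUXKM_PIE])
 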
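Review bot: When linuxkm is not enabled, the new guard at line 697 skips `-DWC_PIE_RELOC_TABLES`, but `ENABLED_LINUXKM_PIE` is still substituted as `yes` (it defaults to `$ENABLED_FIPS`), so the substituted value and the compiled-in define can disagree. An explicit `--enable-linuxkm-pie` without linuxkm is also dropped with no diagnostic. Consider normalising the variable before the test, e.g. `test "$ENABLED_LINUXKM" = "yes" || ENABLED_LINUXKM_PIE=no`, or raising `AC_MSG_ERROR` when the option was given explicitly. The guard also assumes `ENABLED_LINUXKM` is already assigned at this point in configure.ac, which this hunk does not show; if it is set later, the define would never be added, which is worth confirming for a FIPS kernel-module build.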

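--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -108,7 +108,6 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
 # note, we need -fno-stack-protector to avoid references to
 # "__stack_chk_fail" from the wolfCrypt container.
 PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
-PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
 # the kernel sanitizers generate external references to
 # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
 KASAN_SANITIZE := n
@@ -218,12 +217,17 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 $(OBJCOPY) $$($(READELF) --sections --wide "$$file" | \
 $(AWK) ' \
 { \
-if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) { \
-printf("--rename-section .%s%s=.%s_wolfcrypt ", a[1], a[2], a[1]); \
+if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) \
+{ \
+printf("--rename-section .%s%s=.%s_wolfcrypt ", \
+a[1], a[2], a[1]); \
+} \
+else if (match($$0, "^ *\\[ *[0-9]+\\] +\\.([^ ]+)\\.(text|rodata|data|bss) ", a)) \
+{ \
+printf("--rename-section .%s.%s=.%s_wolfcrypt ", a[1], a[2], a[2]); \
 } \
 }') "$$file" || exit $$?; \
 done; \
-[ "$(KERNEL_ARCH_X86)" != "yes" ] || \
 { $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
 $(AWK) -v obj="$(obj)" ' \
 /^File:/ { \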
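Review bot: The added `else if` pattern in RENAME_PIE_TEXT_AND_DATA_SECTIONS (new lines 225-227) matches any section name that ends in `.text`, `.rodata`, `.data` or `.bss`, and that includes relocation-section names such as `.rela.text` which `readelf --sections` lists for object files. objcopy probably treats a `--rename-section` for those names as a no-op, but the recipe does not state that assumption, and every section swept into `*_wolfcrypt` changes what ends up inside the wolfCrypt container. A comment above the variable (its definition starts outside this hunk) would make the intended boundary reviewable, for example `# second match: .<prefix>.(text|rodata|data|bss); .rel/.rela names also match and are expected to be ignored by objcopy`. Alternatively the branch could skip names whose prefix starts with `rel`.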

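--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -56,7 +56,10 @@ ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
 endif
 
 ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
-WOLFCRYPT_PIE_FILES := $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o
+WOLFCRYPT_PIE_FILES := \
+$(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) \
+linuxkm/pie_redirect_table.o \
+linuxkm/wc_linuxkm_pie_reloc_tab.o
 WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
 endif
 
@@ -100,12 +103,12 @@ ifndef MAKE_TMPDIR
 MAKE_TMPDIR := $(TMPDIR)
 endif
 
-GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
-$(AWK) 'BEGIN { \
+GENERATE_RELOC_TAB := $(AWK) 'BEGIN { \
 n=0; \
 bad_relocs=0; \
+print "\#include <wolfssl/wolfcrypt/libwolfssl_sources.h>"; \
 printf("%s\n ", \
-"const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
+"WOLFSSL_LOCAL const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
 } \
 /^Relocation section '\''\.rela\.text_wolfcrypt'\''/ { \
 p=1; \
@@ -130,7 +133,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
 print "Found " bad_relocs " unexpected relocations." >"/dev/stderr"; \
 exit(1); \
 } \
-print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
+print "~0U };\nWOLFSSL_LOCAL const unsigned long wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
 }'
 
 ifeq "$(V)" "1"
@@ -139,29 +142,31 @@ endif
 
 .PHONY: libwolfssl.ko
 libwolfssl.ko:
+@function resolved_link_is_equal() { [[ -L "$$1" && ("$$(readlink -f "$$1")" == "$$(readlink -f "$$2")") ]] }
 @if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
 @if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
 @if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
 # after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources:
 @mkdir -p '$(MODULE_TOP)/linuxkm'
-@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
-@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
-@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
+@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/module_hooks.c' '$(MODULE_TOP)/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
+@resolved_link_is_equal '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' '$(SRC_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
+@resolved_link_is_equal '$(MODULE_TOP)/src/wolfio.c' '$(SRC_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
 ifeq "$(FIPS_OPTEST)" "1"
-@test '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' -ef '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm'
+@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm'
 endif
 ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
+@[[ -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' ]] || \
+{ $(RM) -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' && $(GENERATE_RELOC_TAB) < /dev/null > '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'; }
 @$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX"))
-@[[ -f wc_linuxkm_pie_reloc_tab.c ]] || echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
-@if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko "$(RELOC_TMP)"; fi
+@if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko '$(RELOC_TMP)'; fi
 +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
 # if the above make didn't build a fresh libwolfssl.ko, then the module is already up to date and we leave it untouched, assuring stability for purposes of module-update-fips-hash.
-@if [[ ! libwolfssl.ko -nt "$(RELOC_TMP)" ]]; then rm "$(RELOC_TMP)"; exit 0; fi
-@$(GENERATE_RELOC_TAB) >| wc_linuxkm_pie_reloc_tab.c
+@if [[ ! libwolfssl.ko -nt '$(RELOC_TMP)' ]]; then rm '$(RELOC_TMP)'; exit 0; fi
+@$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'
 +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
-@$(GENERATE_RELOC_TAB) >| $(RELOC_TMP)
-@if diff wc_linuxkm_pie_reloc_tab.c $(RELOC_TMP); then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm $(RELOC_TMP); exit 1; fi
-@rm $(RELOC_TMP)
+@$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(RELOC_TMP)'
+@if diff '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' '$(RELOC_TMP)'; then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm '$(RELOC_TMP)'; exit 1; fi
+@rm '$(RELOC_TMP)'
 else
 +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS)
 endif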
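Review bot: The stability check at new line 168 exits 1 when the two generated tables differ, but it leaves libwolfssl.ko and the regenerated wc_linuxkm_pie_reloc_tab.c in place. As far as the visible recipe shows, a second `make` would then find nothing to rebuild, take the `! libwolfssl.ko -nt '$(RELOC_TMP)'` early exit at line 164, and report success for a module whose relocation table was just reported unstable. Making the failure sticky would avoid that, for example `rm -f libwolfssl.ko '$(RELOC_TMP)'; exit 1` in the else branch, so the next run rebuilds and re-checks. Separately, `resolved_link_is_equal` is defined on its own recipe line (145), so later lines only see it if the whole recipe runs in one shell. The existing `exit 0` suggests that is already the case, but the setting is outside this hunk and deserves a short comment next to the function.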
