From 4fda0883a47049b31e94405748469c66bdc600bb Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 25 Nov 2025 18:01:25 -0600 Subject: [PATCH] globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES; globally replace defined(__PIE__) with defined(WC_CONTAINERIZE_THIS) to decouple containerization from -fPIE; configure.ac: * add --enable-kernel-reloc-tables as an alias for --enable-linuxkm-pie; * always activate ENABLED_ENTROPY_MEMUSE_DEFAULT when KERNEL_MODE_DEFAULTS and not RDSEED/RDRAND, regardless of FIPS presence/version; linuxkm/Kbuild: * add -DWC_CONTAINERIZE_THIS to PIE_FLAGS; * add support for NO_PIE_FLAG, which inhibits -fPIE on ENABLED_LINUXKM_PIE builds, and adds -DWC_NO_PIE_FLAG to PIE_FLAGS; linuxkm/linuxkm_wc_port.h: add setup for WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER; linuxkm/module_hooks.c: add wc_linuxkm_GenerateSeed_wolfEntropy(). --- configure.ac | 16 ++++++---- linuxkm/Kbuild | 8 ++++- linuxkm/linuxkm_memory.c | 2 +- linuxkm/linuxkm_wc_port.h | 60 +++++++++++++++++++++--------------- linuxkm/module_hooks.c | 39 ++++++++++++++--------- linuxkm/pie_redirect_table.c | 8 +++-- wolfcrypt/src/wc_port.c | 2 +- wolfssl/wolfcrypt/settings.h | 8 ++++- 8 files changed, 91 insertions(+), 52 deletions(-) diff --git a/configure.ac b/configure.ac index a6538da8d..0175e0b1a 100644 --- a/configure.ac +++ b/configure.ac @@ -704,14 +704,19 @@ AC_ARG_ENABLE([benchmark], # Remainder of Linux kernel module options, continued from earlier: +ENABLED_LINUXKM_PIE=$ENABLED_FIPS + AC_ARG_ENABLE([linuxkm-pie], [AS_HELP_STRING([--enable-linuxkm-pie],[Enable relocatable object build of Linux kernel module (default: disabled)])], - [ENABLED_LINUXKM_PIE=$enableval], - [ENABLED_LINUXKM_PIE=$ENABLED_FIPS] - ) + [ENABLED_LINUXKM_PIE=$enableval]) + +AC_ARG_ENABLE([kernel-reloc-tables], + [AS_HELP_STRING([--enable-kernel-reloc-tables],[Enable containerized object build of wolfCrypt module in kernel build (default: disabled)])], + [ENABLED_LINUXKM_PIE=$enableval]) + if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_LINUXKM_PIE" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWC_PIE_RELOC_TABLES" + AM_CFLAGS="$AM_CFLAGS -DWC_SYM_RELOC_TABLES" fi AC_SUBST([ENABLED_LINUXKM_PIE]) @@ -5820,8 +5825,7 @@ AC_ARG_ENABLE([pwdbased], if test "$KERNEL_MODE_DEFAULTS" = "yes" && \ test "$ENABLED_AMDRDSEED" != "yes" && \ test "$ENABLED_INTELRDRAND" != "yes" && \ - test "$ENABLED_INTELRDSEED" != "yes" && \ - (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6) + test "$ENABLED_INTELRDSEED" != "yes" then ENABLED_ENTROPY_MEMUSE_DEFAULT=yes else diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index d902e596f..e46987ad9 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -106,7 +106,13 @@ ccflags-y = $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS) ifeq "$(ENABLED_LINUXKM_PIE)" "yes" # note, we need -fno-stack-protector to avoid references to # "__stack_chk_fail" from the wolfCrypt container. - PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder + PIE_FLAGS := -DWC_CONTAINERIZE_THIS -fno-stack-protector -fno-toplevel-reorder + # some targets can't handle -fpie. E.g. ARM32 on kernel <=5.10 has no handling for R_ARM_REL32. + ifdef NO_PIE_FLAG + PIE_FLAGS += -DWC_NO_PIE_FLAG + else + PIE_FLAGS += -fPIE + endif # the kernel sanitizers generate external references to # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc. KASAN_SANITIZE := n diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index 874064d51..aca51c6ef 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c @@ -21,7 +21,7 @@ /* included by wolfcrypt/src/memory.c */ -#if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE) +#if defined(WC_SYM_RELOC_TABLES) && defined(CONFIG_FORTIFY_SOURCE) /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */ void __my_fortify_panic(const char *name) { pr_emerg("__my_fortify_panic in %s\n", name); diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 834e95819..9e59c345d 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -178,12 +178,21 @@ #endif #endif - #if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6, 0, 0) && \ + #if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \ + defined(HAVE_ENTROPY_MEMUSE) && \ + !defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER) + #define WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER + #elif defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \ (defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)) && \ + !defined(HAVE_ENTROPY_MEMUSE) && \ !defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER) #define WC_LINUXKM_RDSEED_IN_GLUE_LAYER #endif - #ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER + #if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER) + struct OS_Seed; + extern int wc_linuxkm_GenerateSeed_wolfEntropy(struct OS_Seed* os, unsigned char* output, unsigned int sz); + #define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_wolfEntropy + #elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER) struct OS_Seed; extern int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, unsigned char* output, unsigned int sz); #define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD @@ -208,7 +217,7 @@ #endif #endif - #if defined(CONFIG_MIPS) && defined(WC_PIE_RELOC_TABLES) + #if defined(CONFIG_MIPS) && defined(WC_SYM_RELOC_TABLES) /* __ZBOOT__ disables some unhelpful macros around the mem*() funcs in * legacy arch/mips/include/asm/string.h */ @@ -255,7 +264,7 @@ #if defined(CONFIG_FORTIFY_SOURCE) && \ !defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \ - (defined(WC_PIE_RELOC_TABLES) || \ + (defined(WC_SYM_RELOC_TABLES) || \ (LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0))) /* fortify-source causes all sorts of awkward problems for the PIE * build, up to and including stubborn external references and multiple @@ -272,7 +281,7 @@ #error WC_FORCE_LINUXKM_FORTIFY_SOURCE without CONFIG_FORTIFY_SOURCE. #endif - #if defined(__PIE__) && defined(CONFIG_ARM64) + #if defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_ARM64) #define alt_cb_patch_nops my__alt_cb_patch_nops #define queued_spin_lock_slowpath my__queued_spin_lock_slowpath #endif @@ -281,7 +290,7 @@ #include #if defined(CONFIG_FORTIFY_SOURCE) || defined(DEBUG_LINUXKM_FORTIFY_OVERLAY) - #ifdef __PIE__ + #ifdef WC_CONTAINERIZE_THIS /* the inline definitions in fortify-string.h use non-inline * fortify_panic(). */ @@ -412,7 +421,7 @@ #endif /* !CONFIG_FORTIFY_SOURCE */ - #ifndef __PIE__ + #ifndef WC_CONTAINERIZE_THIS #include #include #include @@ -426,7 +435,7 @@ * mm.h. however, mm.h brings in static, but not inline, pmd_to_page(), * with direct references to global vmem variables. */ - #ifdef __PIE__ + #ifdef WC_CONTAINERIZE_THIS #include #if USE_SPLIT_PMD_PTLOCKS static __always_inline struct page *pmd_to_page(pmd_t *pmd); @@ -435,7 +444,7 @@ #include #endif -#ifndef __PIE__ +#ifndef WC_CONTAINERIZE_THIS #include #include #endif @@ -450,7 +459,7 @@ #endif #include - #if !defined(__PIE__) && defined(CONFIG_HAVE_KPROBES) + #if !defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_HAVE_KPROBES) #include #endif @@ -483,7 +492,7 @@ #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT #endif - #ifndef __PIE__ + #ifndef WC_CONTAINERIZE_THIS #include #include #include @@ -513,7 +522,7 @@ } #endif #define WC_LKM_REFCOUNT_TO_INT(refcount) wc_lkm_refcount_to_int(&(refcount)) - #endif /* !__PIE__ */ + #endif /* !WC_CONTAINERIZE_THIS */ #endif /* LINUXKM_LKCAPI_REGISTER */ /* benchmarks.c uses floating point math, so needs a working @@ -730,11 +739,11 @@ #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ - #if defined(__PIE__) && !defined(WC_PIE_RELOC_TABLES) - #error "compiling -fPIE requires PIE relocation tables." + #if defined(WC_CONTAINERIZE_THIS) && !defined(WC_SYM_RELOC_TABLES) + #error "compiling -DWC_CONTAINERIZE_THIS requires relocation tables." #endif - #ifdef WC_PIE_RELOC_TABLES + #ifdef WC_SYM_RELOC_TABLES #ifndef WOLFSSL_TEXT_SEGMENT_CANONICALIZER #define WOLFSSL_TEXT_SEGMENT_CANONICALIZER(text_in, text_in_len, text_out, cur_index_p) \ @@ -759,6 +768,7 @@ __wc_rwdata_end[], __wc_bss_start[], __wc_bss_end[]; + extern const unsigned int wc_linuxkm_pie_reloc_tab[]; extern const unsigned long wc_linuxkm_pie_reloc_tab_length; extern ssize_t wc_linuxkm_normalize_relocations( @@ -1013,7 +1023,7 @@ #endif #ifdef CONFIG_ARM64 - #ifdef __PIE__ + #ifdef WC_CONTAINERIZE_THIS /* alt_cb_patch_nops and queued_spin_lock_slowpath are defined early * to allow shimming in system headers, but now we need the native * ones. @@ -1088,7 +1098,7 @@ #error no WC_PIE_INDIRECT_SYM method defined. #endif - #ifdef __PIE__ + #ifdef WC_CONTAINERIZE_THIS #define wc_linuxkm_normalize_relocations \ WC_PIE_INDIRECT_SYM(wc_linuxkm_normalize_relocations) @@ -1237,8 +1247,8 @@ #endif /* per linux/ctype.h, tolower() and toupper() are macros bound to static inlines - * that use macros that bring in the _ctype global. for __PIE__, this needs to - * be masked out. + * that use macros that bring in the _ctype global. for WC_CONTAINERIZE_THIS, + * this needs to be masked out. */ #undef tolower #undef toupper @@ -1296,9 +1306,9 @@ #define wc_linuxkm_check_for_intr_signals WC_PIE_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals) #define wc_linuxkm_relax_long_loop WC_PIE_INDIRECT_SYM(wc_linuxkm_relax_long_loop) - #endif /* __PIE__ */ + #endif /* WC_CONTAINERIZE_THIS */ - #endif /* WC_PIE_RELOC_TABLES */ + #endif /* WC_SYM_RELOC_TABLES */ /* remove this multifariously conflicting macro, picked up from * Linux arch//include/asm/current.h. @@ -1456,8 +1466,8 @@ return 0; } - #ifdef __PIE__ - /* wc_lkm_LockMutex() can't be used inline in __PIE__ objects, due to + #ifdef WC_CONTAINERIZE_THIS + /* wc_lkm_LockMutex() can't be used inline in WC_CONTAINERIZE_THIS objects, due to * direct access to pv_ops. */ static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m) @@ -1465,14 +1475,14 @@ return WC_PIE_INDIRECT_SYM(wc_lkm_LockMutex)(m); } - #else /* !__PIE__ */ + #else /* !WC_CONTAINERIZE_THIS */ static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m) { return wc_lkm_LockMutex(m); } - #endif /* !__PIE__ */ + #endif /* !WC_CONTAINERIZE_THIS */ static __always_inline int wc_UnLockMutex(wolfSSL_Mutex* m) { diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 89f0824bf..b070649b2 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -92,7 +92,7 @@ static int libwolfssl_cleanup(void) { extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1]; #endif -#ifdef WC_PIE_RELOC_TABLES +#ifdef WC_SYM_RELOC_TABLES #ifdef DEBUG_LINUXKM_PIE_SUPPORT @@ -116,17 +116,17 @@ static int total_text_r = 0, total_rodata_r = 0, total_rwdata_r = 0, #endif /* DEBUG_LINUXKM_PIE_SUPPORT */ -#ifdef WC_PIE_RELOC_TABLES +#ifdef WC_SYM_RELOC_TABLES extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table; static int set_up_wolfssl_linuxkm_pie_redirect_table(void); -#endif /* WC_PIE_RELOC_TABLES */ +#endif /* WC_SYM_RELOC_TABLES */ #ifdef HAVE_FIPS extern const unsigned int wolfCrypt_FIPS_ro_start[]; extern const unsigned int wolfCrypt_FIPS_ro_end[]; #endif -#endif /* WC_PIE_RELOC_TABLES */ +#endif /* WC_SYM_RELOC_TABLES */ #ifdef HAVE_FIPS static void lkmFipsCb(int ok, int err, const char* hash) @@ -301,8 +301,17 @@ void wc_linuxkm_relax_long_loop(void) { #endif } -/* backported wc_GenerateSeed_IntelRD() for FIPS v5. */ -#ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER +#if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER) + +int wc_linuxkm_GenerateSeed_wolfEntropy(OS_Seed* os, byte* output, word32 sz) +{ + (void)os; + return wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz); +} + +#elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER) + +/* backported wc_GenerateSeed_IntelRD() for FIPS v5, before breakout of wolfentropy.c. */ #include #include @@ -497,13 +506,13 @@ static int wolfssl_init(void) #endif /* HAVE_FIPS */ -#ifdef WC_PIE_RELOC_TABLES +#ifdef WC_SYM_RELOC_TABLES ret = set_up_wolfssl_linuxkm_pie_redirect_table(); if (ret < 0) return ret; #endif -#if defined(HAVE_FIPS) && defined(WC_PIE_RELOC_TABLES) +#if defined(HAVE_FIPS) && defined(WC_SYM_RELOC_TABLES) if (((uintptr_t)__wc_text_start > (uintptr_t)wolfCrypt_FIPS_first) || ((uintptr_t)__wc_text_end < (uintptr_t)wolfCrypt_FIPS_last) || ((uintptr_t)__wc_rodata_start > (uintptr_t)wolfCrypt_FIPS_ro_start) || @@ -514,7 +523,7 @@ static int wolfssl_init(void) } #endif -#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) /* see linux commit ac3b432839 */ @@ -599,7 +608,7 @@ static int wolfssl_init(void) total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r); } -#endif /* WC_PIE_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */ +#endif /* WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */ #ifdef HAVE_FIPS ret = wolfCrypt_SetCb_fips(lkmFipsCb); @@ -608,7 +617,7 @@ static int wolfssl_init(void) return -ECANCELED; } -#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) total_text_r = total_rodata_r = total_rwdata_r = total_bss_r = total_other_r = 0; #endif @@ -620,7 +629,7 @@ static int wolfssl_init(void) else pr_err("ERROR: WC_SIG_IGNORE_BEGIN() failed.\n"); -#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) pr_info("FIPS-bounded relocation normalizations: text=%d, rodata=%d, rwdata=%d, bss=%d, other=%d\n", total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r); #endif @@ -865,7 +874,7 @@ MODULE_AUTHOR("https://www.wolfssl.com/"); MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities"); MODULE_VERSION(LIBWOLFSSL_VERSION_STRING); -#ifdef WC_PIE_RELOC_TABLES +#ifdef WC_SYM_RELOC_TABLES #define WC_TEXT_TAG (0x0 << 29) #define WC_RODATA_TAG (0x1U << 29) @@ -1508,7 +1517,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { return 0; } -#endif /* WC_PIE_RELOC_TABLES */ +#endif /* WC_SYM_RELOC_TABLES */ #if defined(HAVE_FIPS) && defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE) @@ -1643,7 +1652,7 @@ static int updateFipsHash(void) goto out; } -#if defined(WOLFSSL_LINUXKM) && defined(WC_PIE_RELOC_TABLES) +#if defined(WOLFSSL_LINUXKM) && defined(WC_SYM_RELOC_TABLES) { ssize_t cur_reloc_index = -1; const byte *text_p = (const byte *)first; diff --git a/linuxkm/pie_redirect_table.c b/linuxkm/pie_redirect_table.c index 79e5a4373..29ae37d48 100644 --- a/linuxkm/pie_redirect_table.c +++ b/linuxkm/pie_redirect_table.c @@ -19,8 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef __PIE__ - #error pie_redirect_table.c must be compiled -fPIE. +#if !defined(WC_CONTAINERIZE_THIS) + #error pie_redirect_table.c must be compiled -DWC_CONTAINERIZE_THIS. +#endif + +#if !defined(__PIE__) && !defined(WC_NO_PIE_FLAG) + #error pie_redirect_table.c must be compiled -fPIE or -DWC_NO_PIE_FLAG. #endif #include diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index c044b6b1c..ed8223353 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -4976,7 +4976,7 @@ char* wolfSSL_strnstr(const char* s1, const char* s2, unsigned int n) #endif /* not SINGLE_THREADED */ #if defined(WOLFSSL_LINUXKM) && defined(CONFIG_ARM64) && \ - defined(WC_PIE_RELOC_TABLES) + defined(WC_SYM_RELOC_TABLES) noinstr void my__alt_cb_patch_nops(struct alt_instr *alt, __le32 *origptr, __le32 *updptr, int nr_inst) { diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 72ec2a266..9b02060de 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3778,7 +3778,7 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_SP_DIV_WORD_HALF #endif - #ifdef WC_PIE_RELOC_TABLES + #ifdef WC_SYM_RELOC_TABLES #ifndef WC_NO_INTERNAL_FUNCTION_POINTERS #define WC_NO_INTERNAL_FUNCTION_POINTERS #endif @@ -3937,6 +3937,12 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_HAVE_MAX #endif +#if defined(WC_SYM_RELOC_TABLES) && defined(HAVE_FIPS) && \ + !defined(WC_PIE_RELOC_TABLES) + /* backward compat */ + #define WC_PIE_RELOC_TABLES +#endif + /* Place any other flags or defines here */ #if defined(WOLFSSL_MYSQL_COMPATIBLE) && defined(_WIN32) \