globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
globally replace defined(__PIE__) with defined(WC_CONTAINERIZE_THIS) to decouple containerization from -fPIE; configure.ac: * add --enable-kernel-reloc-tables as an alias for --enable-linuxkm-pie; * always activate ENABLED_ENTROPY_MEMUSE_DEFAULT when KERNEL_MODE_DEFAULTS and not RDSEED/RDRAND, regardless of FIPS presence/version; linuxkm/Kbuild: * add -DWC_CONTAINERIZE_THIS to PIE_FLAGS; * add support for NO_PIE_FLAG, which inhibits -fPIE on ENABLED_LINUXKM_PIE builds, and adds -DWC_NO_PIE_FLAG to PIE_FLAGS; linuxkm/linuxkm_wc_port.h: add setup for WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER; linuxkm/module_hooks.c: add wc_linuxkm_GenerateSeed_wolfEntropy().
This commit is contained in:
Daniel Pouzzner
@@ -106,7 +106,13 @@ ccflags-y = $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS)
|
||||
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
|
||||
# note, we need -fno-stack-protector to avoid references to
|
||||
# "__stack_chk_fail" from the wolfCrypt container.
|
||||
PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
|
||||
PIE_FLAGS := -DWC_CONTAINERIZE_THIS -fno-stack-protector -fno-toplevel-reorder
|
||||
# some targets can't handle -fpie. E.g. ARM32 on kernel <=5.10 has no handling for R_ARM_REL32.
|
||||
ifdef NO_PIE_FLAG
|
||||
PIE_FLAGS += -DWC_NO_PIE_FLAG
|
||||
else
|
||||
PIE_FLAGS += -fPIE
|
||||
endif
|
||||
# the kernel sanitizers generate external references to
|
||||
# __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
|
||||
KASAN_SANITIZE := n
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
|
||||
/* included by wolfcrypt/src/memory.c */
|
||||
|
||||
#if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE)
|
||||
#if defined(WC_SYM_RELOC_TABLES) && defined(CONFIG_FORTIFY_SOURCE)
|
||||
/* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */
|
||||
void __my_fortify_panic(const char *name) {
|
||||
pr_emerg("__my_fortify_panic in %s\n", name);
|
||||
|
||||
@@ -178,12 +178,21 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6, 0, 0) && \
|
||||
#if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \
|
||||
defined(HAVE_ENTROPY_MEMUSE) && \
|
||||
!defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
|
||||
#define WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER
|
||||
#elif defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \
|
||||
(defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)) && \
|
||||
!defined(HAVE_ENTROPY_MEMUSE) && \
|
||||
!defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
|
||||
#define WC_LINUXKM_RDSEED_IN_GLUE_LAYER
|
||||
#endif
|
||||
#ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER
|
||||
#if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
|
||||
struct OS_Seed;
|
||||
extern int wc_linuxkm_GenerateSeed_wolfEntropy(struct OS_Seed* os, unsigned char* output, unsigned int sz);
|
||||
#define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_wolfEntropy
|
||||
#elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
|
||||
struct OS_Seed;
|
||||
extern int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, unsigned char* output, unsigned int sz);
|
||||
#define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD
|
||||
@@ -208,7 +217,7 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MIPS) && defined(WC_PIE_RELOC_TABLES)
|
||||
#if defined(CONFIG_MIPS) && defined(WC_SYM_RELOC_TABLES)
|
||||
/* __ZBOOT__ disables some unhelpful macros around the mem*() funcs in
|
||||
* legacy arch/mips/include/asm/string.h
|
||||
*/
|
||||
@@ -255,7 +264,7 @@
|
||||
|
||||
#if defined(CONFIG_FORTIFY_SOURCE) && \
|
||||
!defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
|
||||
(defined(WC_PIE_RELOC_TABLES) || \
|
||||
(defined(WC_SYM_RELOC_TABLES) || \
|
||||
(LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)))
|
||||
/* fortify-source causes all sorts of awkward problems for the PIE
|
||||
* build, up to and including stubborn external references and multiple
|
||||
@@ -272,7 +281,7 @@
|
||||
#error WC_FORCE_LINUXKM_FORTIFY_SOURCE without CONFIG_FORTIFY_SOURCE.
|
||||
#endif
|
||||
|
||||
#if defined(__PIE__) && defined(CONFIG_ARM64)
|
||||
#if defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_ARM64)
|
||||
#define alt_cb_patch_nops my__alt_cb_patch_nops
|
||||
#define queued_spin_lock_slowpath my__queued_spin_lock_slowpath
|
||||
#endif
|
||||
@@ -281,7 +290,7 @@
|
||||
#include <linux/ctype.h>
|
||||
|
||||
#if defined(CONFIG_FORTIFY_SOURCE) || defined(DEBUG_LINUXKM_FORTIFY_OVERLAY)
|
||||
#ifdef __PIE__
|
||||
#ifdef WC_CONTAINERIZE_THIS
|
||||
/* the inline definitions in fortify-string.h use non-inline
|
||||
* fortify_panic().
|
||||
*/
|
||||
@@ -412,7 +421,7 @@
|
||||
|
||||
#endif /* !CONFIG_FORTIFY_SOURCE */
|
||||
|
||||
#ifndef __PIE__
|
||||
#ifndef WC_CONTAINERIZE_THIS
|
||||
#include <linux/init.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/delay.h>
|
||||
@@ -426,7 +435,7 @@
|
||||
* mm.h. however, mm.h brings in static, but not inline, pmd_to_page(),
|
||||
* with direct references to global vmem variables.
|
||||
*/
|
||||
#ifdef __PIE__
|
||||
#ifdef WC_CONTAINERIZE_THIS
|
||||
#include <linux/mm_types.h>
|
||||
#if USE_SPLIT_PMD_PTLOCKS
|
||||
static __always_inline struct page *pmd_to_page(pmd_t *pmd);
|
||||
@@ -435,7 +444,7 @@
|
||||
#include <linux/mm.h>
|
||||
#endif
|
||||
|
||||
#ifndef __PIE__
|
||||
#ifndef WC_CONTAINERIZE_THIS
|
||||
#include <linux/kthread.h>
|
||||
#include <linux/net.h>
|
||||
#endif
|
||||
@@ -450,7 +459,7 @@
|
||||
#endif
|
||||
#include <linux/random.h>
|
||||
|
||||
#if !defined(__PIE__) && defined(CONFIG_HAVE_KPROBES)
|
||||
#if !defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_HAVE_KPROBES)
|
||||
#include <linux/kprobes.h>
|
||||
#endif
|
||||
|
||||
@@ -483,7 +492,7 @@
|
||||
#define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
|
||||
#endif
|
||||
|
||||
#ifndef __PIE__
|
||||
#ifndef WC_CONTAINERIZE_THIS
|
||||
#include <linux/crypto.h>
|
||||
#include <linux/scatterlist.h>
|
||||
#include <crypto/scatterwalk.h>
|
||||
@@ -513,7 +522,7 @@
|
||||
}
|
||||
#endif
|
||||
#define WC_LKM_REFCOUNT_TO_INT(refcount) wc_lkm_refcount_to_int(&(refcount))
|
||||
#endif /* !__PIE__ */
|
||||
#endif /* !WC_CONTAINERIZE_THIS */
|
||||
#endif /* LINUXKM_LKCAPI_REGISTER */
|
||||
|
||||
/* benchmarks.c uses floating point math, so needs a working
|
||||
@@ -730,11 +739,11 @@
|
||||
|
||||
#endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
|
||||
|
||||
#if defined(__PIE__) && !defined(WC_PIE_RELOC_TABLES)
|
||||
#error "compiling -fPIE requires PIE relocation tables."
|
||||
#if defined(WC_CONTAINERIZE_THIS) && !defined(WC_SYM_RELOC_TABLES)
|
||||
#error "compiling -DWC_CONTAINERIZE_THIS requires relocation tables."
|
||||
#endif
|
||||
|
||||
#ifdef WC_PIE_RELOC_TABLES
|
||||
#ifdef WC_SYM_RELOC_TABLES
|
||||
|
||||
#ifndef WOLFSSL_TEXT_SEGMENT_CANONICALIZER
|
||||
#define WOLFSSL_TEXT_SEGMENT_CANONICALIZER(text_in, text_in_len, text_out, cur_index_p) \
|
||||
@@ -759,6 +768,7 @@
|
||||
__wc_rwdata_end[],
|
||||
__wc_bss_start[],
|
||||
__wc_bss_end[];
|
||||
|
||||
extern const unsigned int wc_linuxkm_pie_reloc_tab[];
|
||||
extern const unsigned long wc_linuxkm_pie_reloc_tab_length;
|
||||
extern ssize_t wc_linuxkm_normalize_relocations(
|
||||
@@ -1013,7 +1023,7 @@
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_ARM64
|
||||
#ifdef __PIE__
|
||||
#ifdef WC_CONTAINERIZE_THIS
|
||||
/* alt_cb_patch_nops and queued_spin_lock_slowpath are defined early
|
||||
* to allow shimming in system headers, but now we need the native
|
||||
* ones.
|
||||
@@ -1088,7 +1098,7 @@
|
||||
#error no WC_PIE_INDIRECT_SYM method defined.
|
||||
#endif
|
||||
|
||||
#ifdef __PIE__
|
||||
#ifdef WC_CONTAINERIZE_THIS
|
||||
|
||||
#define wc_linuxkm_normalize_relocations \
|
||||
WC_PIE_INDIRECT_SYM(wc_linuxkm_normalize_relocations)
|
||||
@@ -1237,8 +1247,8 @@
|
||||
#endif
|
||||
|
||||
/* per linux/ctype.h, tolower() and toupper() are macros bound to static inlines
|
||||
* that use macros that bring in the _ctype global. for __PIE__, this needs to
|
||||
* be masked out.
|
||||
* that use macros that bring in the _ctype global. for WC_CONTAINERIZE_THIS,
|
||||
* this needs to be masked out.
|
||||
*/
|
||||
#undef tolower
|
||||
#undef toupper
|
||||
@@ -1296,9 +1306,9 @@
|
||||
#define wc_linuxkm_check_for_intr_signals WC_PIE_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals)
|
||||
#define wc_linuxkm_relax_long_loop WC_PIE_INDIRECT_SYM(wc_linuxkm_relax_long_loop)
|
||||
|
||||
#endif /* __PIE__ */
|
||||
#endif /* WC_CONTAINERIZE_THIS */
|
||||
|
||||
#endif /* WC_PIE_RELOC_TABLES */
|
||||
#endif /* WC_SYM_RELOC_TABLES */
|
||||
|
||||
/* remove this multifariously conflicting macro, picked up from
|
||||
* Linux arch/<arch>/include/asm/current.h.
|
||||
@@ -1456,8 +1466,8 @@
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef __PIE__
|
||||
/* wc_lkm_LockMutex() can't be used inline in __PIE__ objects, due to
|
||||
#ifdef WC_CONTAINERIZE_THIS
|
||||
/* wc_lkm_LockMutex() can't be used inline in WC_CONTAINERIZE_THIS objects, due to
|
||||
* direct access to pv_ops.
|
||||
*/
|
||||
static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m)
|
||||
@@ -1465,14 +1475,14 @@
|
||||
return WC_PIE_INDIRECT_SYM(wc_lkm_LockMutex)(m);
|
||||
}
|
||||
|
||||
#else /* !__PIE__ */
|
||||
#else /* !WC_CONTAINERIZE_THIS */
|
||||
|
||||
static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m)
|
||||
{
|
||||
return wc_lkm_LockMutex(m);
|
||||
}
|
||||
|
||||
#endif /* !__PIE__ */
|
||||
#endif /* !WC_CONTAINERIZE_THIS */
|
||||
|
||||
static __always_inline int wc_UnLockMutex(wolfSSL_Mutex* m)
|
||||
{
|
||||
|
||||
@@ -92,7 +92,7 @@ static int libwolfssl_cleanup(void) {
|
||||
extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
|
||||
#endif
|
||||
|
||||
#ifdef WC_PIE_RELOC_TABLES
|
||||
#ifdef WC_SYM_RELOC_TABLES
|
||||
|
||||
#ifdef DEBUG_LINUXKM_PIE_SUPPORT
|
||||
|
||||
@@ -116,17 +116,17 @@ static int total_text_r = 0, total_rodata_r = 0, total_rwdata_r = 0,
|
||||
|
||||
#endif /* DEBUG_LINUXKM_PIE_SUPPORT */
|
||||
|
||||
#ifdef WC_PIE_RELOC_TABLES
|
||||
#ifdef WC_SYM_RELOC_TABLES
|
||||
extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
|
||||
static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
|
||||
#endif /* WC_PIE_RELOC_TABLES */
|
||||
#endif /* WC_SYM_RELOC_TABLES */
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
extern const unsigned int wolfCrypt_FIPS_ro_start[];
|
||||
extern const unsigned int wolfCrypt_FIPS_ro_end[];
|
||||
#endif
|
||||
|
||||
#endif /* WC_PIE_RELOC_TABLES */
|
||||
#endif /* WC_SYM_RELOC_TABLES */
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
static void lkmFipsCb(int ok, int err, const char* hash)
|
||||
@@ -301,8 +301,17 @@ void wc_linuxkm_relax_long_loop(void) {
|
||||
#endif
|
||||
}
|
||||
|
||||
/* backported wc_GenerateSeed_IntelRD() for FIPS v5. */
|
||||
#ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER
|
||||
#if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
|
||||
|
||||
int wc_linuxkm_GenerateSeed_wolfEntropy(OS_Seed* os, byte* output, word32 sz)
|
||||
{
|
||||
(void)os;
|
||||
return wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
|
||||
}
|
||||
|
||||
#elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
|
||||
|
||||
/* backported wc_GenerateSeed_IntelRD() for FIPS v5, before breakout of wolfentropy.c. */
|
||||
|
||||
#include <wolfssl/wolfcrypt/cpuid.h>
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
@@ -497,13 +506,13 @@ static int wolfssl_init(void)
|
||||
|
||||
#endif /* HAVE_FIPS */
|
||||
|
||||
#ifdef WC_PIE_RELOC_TABLES
|
||||
#ifdef WC_SYM_RELOC_TABLES
|
||||
ret = set_up_wolfssl_linuxkm_pie_redirect_table();
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_FIPS) && defined(WC_PIE_RELOC_TABLES)
|
||||
#if defined(HAVE_FIPS) && defined(WC_SYM_RELOC_TABLES)
|
||||
if (((uintptr_t)__wc_text_start > (uintptr_t)wolfCrypt_FIPS_first) ||
|
||||
((uintptr_t)__wc_text_end < (uintptr_t)wolfCrypt_FIPS_last) ||
|
||||
((uintptr_t)__wc_rodata_start > (uintptr_t)wolfCrypt_FIPS_ro_start) ||
|
||||
@@ -514,7 +523,7 @@ static int wolfssl_init(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
|
||||
/* see linux commit ac3b432839 */
|
||||
@@ -599,7 +608,7 @@ static int wolfssl_init(void)
|
||||
total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
|
||||
}
|
||||
|
||||
#endif /* WC_PIE_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */
|
||||
#endif /* WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
ret = wolfCrypt_SetCb_fips(lkmFipsCb);
|
||||
@@ -608,7 +617,7 @@ static int wolfssl_init(void)
|
||||
return -ECANCELED;
|
||||
}
|
||||
|
||||
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
total_text_r = total_rodata_r = total_rwdata_r = total_bss_r =
|
||||
total_other_r = 0;
|
||||
#endif
|
||||
@@ -620,7 +629,7 @@ static int wolfssl_init(void)
|
||||
else
|
||||
pr_err("ERROR: WC_SIG_IGNORE_BEGIN() failed.\n");
|
||||
|
||||
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
||||
pr_info("FIPS-bounded relocation normalizations: text=%d, rodata=%d, rwdata=%d, bss=%d, other=%d\n",
|
||||
total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
|
||||
#endif
|
||||
@@ -865,7 +874,7 @@ MODULE_AUTHOR("https://www.wolfssl.com/");
|
||||
MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
|
||||
MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
|
||||
|
||||
#ifdef WC_PIE_RELOC_TABLES
|
||||
#ifdef WC_SYM_RELOC_TABLES
|
||||
|
||||
#define WC_TEXT_TAG (0x0 << 29)
|
||||
#define WC_RODATA_TAG (0x1U << 29)
|
||||
@@ -1508,7 +1517,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* WC_PIE_RELOC_TABLES */
|
||||
#endif /* WC_SYM_RELOC_TABLES */
|
||||
|
||||
#if defined(HAVE_FIPS) && defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE)
|
||||
|
||||
@@ -1643,7 +1652,7 @@ static int updateFipsHash(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_LINUXKM) && defined(WC_PIE_RELOC_TABLES)
|
||||
#if defined(WOLFSSL_LINUXKM) && defined(WC_SYM_RELOC_TABLES)
|
||||
{
|
||||
ssize_t cur_reloc_index = -1;
|
||||
const byte *text_p = (const byte *)first;
|
||||
|
||||
@@ -19,8 +19,12 @@
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#ifndef __PIE__
|
||||
#error pie_redirect_table.c must be compiled -fPIE.
|
||||
#if !defined(WC_CONTAINERIZE_THIS)
|
||||
#error pie_redirect_table.c must be compiled -DWC_CONTAINERIZE_THIS.
|
||||
#endif
|
||||
|
||||
#if !defined(__PIE__) && !defined(WC_NO_PIE_FLAG)
|
||||
#error pie_redirect_table.c must be compiled -fPIE or -DWC_NO_PIE_FLAG.
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
Reference in New Issue
Block a user