From 78ff20569e07634af0d5f556df505809c74c2e9e Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 31 Oct 2025 16:03:51 -0500 Subject: [PATCH] linuxkm: globally rename+unify: * HAVE_LINUXKM_PIE_SUPPORT and USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE under gate WC_PIE_RELOC_TABLES * WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY as WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY * WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ as WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ * WC_LKM_INDIRECT_SYM() as WC_PIE_INDIRECT_SYM; linuxkm/linuxkm_wc_port.h: * implement pointer-caching inline wolfssl_linuxkm_get_pie_redirect_table_local() for the WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY path; * for FIPS_VERSION3_GE(6,0,0), add wolfCrypt_FIPS_*_ro_sanity pointers to struct wolfssl_linuxkm_pie_redirect_table, and corresponding ad hoc prototypes; linuxkm/Makefile and linuxkm/module_hooks.c: move wc_linuxkm_pie_reloc_tab into the wolfCrypt PIE container; linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: harmonize the types of __wc_{text,rodata}_{start,end} with wolfCrypt_FIPS_{first,last,ro_start,ro_end} to allow drop-in use of the all-inclusive ELF fenceposts, activated by WC_USE_PIE_FENCEPOSTS_FOR_FIPS. --- .wolfssl_known_macro_extras | 2 +- configure.ac | 4 +- linuxkm/Kbuild | 12 +- linuxkm/Makefile | 37 ++--- linuxkm/linuxkm_wc_port.h | 259 +++++++++++++++++++++-------------- linuxkm/module_hooks.c | 118 ++++++++++++---- wolfcrypt/src/wc_port.c | 6 +- wolfssl/wolfcrypt/settings.h | 5 +- 8 files changed, 281 insertions(+), 162 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index ca514a928..2c273d4dd 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -622,6 +622,7 @@ WC_SHA512 WC_SKIP_INCLUDED_C_FILES WC_SSIZE_TYPE WC_STRICT_SIG +WC_USE_PIE_FENCEPOSTS_FOR_FIPS WC_WANT_FLAG_DONT_USE_VECTOR_OPS WC_XMSS_FULL_HASH WIFIESPAT @@ -633,7 +634,6 @@ WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE WOLFSENTRY_H WOLFSENTRY_NO_JSON WOLFSSL_32BIT_MILLI_TIME -WOLFSSL_AARCH64_PRIVILEGE_MODE WOLFSSL_AESNI_BY4 WOLFSSL_AESNI_BY6 WOLFSSL_AES_CTR_EXAMPLE diff --git a/configure.ac b/configure.ac index c7ea564fa..218dc57dc 100644 --- a/configure.ac +++ b/configure.ac @@ -694,9 +694,9 @@ AC_ARG_ENABLE([linuxkm-pie], [ENABLED_LINUXKM_PIE=$enableval], [ENABLED_LINUXKM_PIE=$ENABLED_FIPS] ) -if test "$ENABLED_LINUXKM_PIE" = "yes" +if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_LINUXKM_PIE" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_LINUXKM_PIE_SUPPORT" + AM_CFLAGS="$AM_CFLAGS -DWC_PIE_RELOC_TABLES" fi AC_SUBST([ENABLED_LINUXKM_PIE]) diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 54986a6ab..16c6d6b40 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -108,7 +108,6 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes" # note, we need -fno-stack-protector to avoid references to # "__stack_chk_fail" from the wolfCrypt container. PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder - PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE # the kernel sanitizers generate external references to # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc. KASAN_SANITIZE := n @@ -218,12 +217,17 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \ $(OBJCOPY) $$($(READELF) --sections --wide "$$file" | \ $(AWK) ' \ { \ - if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) { \ - printf("--rename-section .%s%s=.%s_wolfcrypt ", a[1], a[2], a[1]); \ + if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) \ + { \ + printf("--rename-section .%s%s=.%s_wolfcrypt ", \ + a[1], a[2], a[1]); \ + } \ + else if (match($$0, "^ *\\[ *[0-9]+\\] +\\.([^ ]+)\\.(text|rodata|data|bss) ", a)) \ + { \ + printf("--rename-section .%s.%s=.%s_wolfcrypt ", a[1], a[2], a[2]); \ } \ }') "$$file" || exit $$?; \ done; \ - [ "$(KERNEL_ARCH_X86)" != "yes" ] || \ { $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \ $(AWK) -v obj="$(obj)" ' \ /^File:/ { \ diff --git a/linuxkm/Makefile b/linuxkm/Makefile index e3bcba401..c2445be74 100644 --- a/linuxkm/Makefile +++ b/linuxkm/Makefile @@ -56,7 +56,10 @@ ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes" endif ifeq "$(ENABLED_LINUXKM_PIE)" "yes" - WOLFCRYPT_PIE_FILES := $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o + WOLFCRYPT_PIE_FILES := \ + $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) \ + linuxkm/pie_redirect_table.o \ + linuxkm/wc_linuxkm_pie_reloc_tab.o WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES)) endif @@ -100,12 +103,12 @@ ifndef MAKE_TMPDIR MAKE_TMPDIR := $(TMPDIR) endif -GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \ - $(AWK) 'BEGIN { \ +GENERATE_RELOC_TAB := $(AWK) 'BEGIN { \ n=0; \ bad_relocs=0; \ + print "\#include "; \ printf("%s\n ", \ - "const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \ + "WOLFSSL_LOCAL const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \ } \ /^Relocation section '\''\.rela\.text_wolfcrypt'\''/ { \ p=1; \ @@ -130,7 +133,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \ print "Found " bad_relocs " unexpected relocations." >"/dev/stderr"; \ exit(1); \ } \ - print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\ + print "~0U };\nWOLFSSL_LOCAL const unsigned long wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\ }' ifeq "$(V)" "1" @@ -139,29 +142,31 @@ endif .PHONY: libwolfssl.ko libwolfssl.ko: + @function resolved_link_is_equal() { [[ -L "$$1" && ("$$(readlink -f "$$1")" == "$$(readlink -f "$$2")") ]] } @if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi @if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi @if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi # after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources: @mkdir -p '$(MODULE_TOP)/linuxkm' - @test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/' - @test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/' - @test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/' + @resolved_link_is_equal '$(MODULE_TOP)/linuxkm/module_hooks.c' '$(MODULE_TOP)/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/' + @resolved_link_is_equal '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' '$(SRC_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/' + @resolved_link_is_equal '$(MODULE_TOP)/src/wolfio.c' '$(SRC_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/' ifeq "$(FIPS_OPTEST)" "1" - @test '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' -ef '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm' + @resolved_link_is_equal '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm' endif ifeq "$(ENABLED_LINUXKM_PIE)" "yes" + @[[ -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' ]] || \ + { $(RM) -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' && $(GENERATE_RELOC_TAB) < /dev/null > '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'; } @$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX")) - @[[ -f wc_linuxkm_pie_reloc_tab.c ]] || echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c - @if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko "$(RELOC_TMP)"; fi + @if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko '$(RELOC_TMP)'; fi +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE= # if the above make didn't build a fresh libwolfssl.ko, then the module is already up to date and we leave it untouched, assuring stability for purposes of module-update-fips-hash. - @if [[ ! libwolfssl.ko -nt "$(RELOC_TMP)" ]]; then rm "$(RELOC_TMP)"; exit 0; fi - @$(GENERATE_RELOC_TAB) >| wc_linuxkm_pie_reloc_tab.c + @if [[ ! libwolfssl.ko -nt '$(RELOC_TMP)' ]]; then rm '$(RELOC_TMP)'; exit 0; fi + @$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE= - @$(GENERATE_RELOC_TAB) >| $(RELOC_TMP) - @if diff wc_linuxkm_pie_reloc_tab.c $(RELOC_TMP); then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm $(RELOC_TMP); exit 1; fi - @rm $(RELOC_TMP) + @$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(RELOC_TMP)' + @if diff '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' '$(RELOC_TMP)'; then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm '$(RELOC_TMP)'; exit 1; fi + @rm '$(RELOC_TMP)' else +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) endif diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index a8a1ce177..62daebb11 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -208,7 +208,7 @@ #endif #endif - #if defined(CONFIG_MIPS) && defined(HAVE_LINUXKM_PIE_SUPPORT) + #if defined(CONFIG_MIPS) && defined(WC_PIE_RELOC_TABLES) /* __ZBOOT__ disables some unhelpful macros around the mem*() funcs in * legacy arch/mips/include/asm/string.h */ @@ -255,7 +255,7 @@ #if defined(CONFIG_FORTIFY_SOURCE) && \ !defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \ - (defined(HAVE_LINUXKM_PIE_SUPPORT) || \ + (defined(WC_PIE_RELOC_TABLES) || \ (LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0))) /* fortify-source causes all sorts of awkward problems for the PIE * build, up to and including stubborn external references and multiple @@ -621,51 +621,70 @@ #ifdef HAVE_FIPS extern int wolfCrypt_FIPS_first(void); extern int wolfCrypt_FIPS_last(void); + extern const unsigned int wolfCrypt_FIPS_ro_start[]; + extern const unsigned int wolfCrypt_FIPS_ro_end[]; #if FIPS_VERSION3_GE(6,0,0) #ifndef NO_AES extern int wolfCrypt_FIPS_AES_sanity(void); + extern const unsigned int wolfCrypt_FIPS_aes_ro_sanity[2]; #if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) extern int wolfCrypt_FIPS_CMAC_sanity(void); + extern const unsigned int wolfCrypt_FIPS_cmac_ro_sanity[2]; #endif #endif #ifndef NO_DH extern int wolfCrypt_FIPS_DH_sanity(void); + extern const unsigned int wolfCrypt_FIPS_dh_ro_sanity[2]; #endif #ifdef HAVE_ECC extern int wolfCrypt_FIPS_ECC_sanity(void); + extern const unsigned int wolfCrypt_FIPS_ecc_ro_sanity[2]; #endif #ifdef HAVE_ED25519 extern int wolfCrypt_FIPS_ED25519_sanity(void); + extern const unsigned int wolfCrypt_FIPS_ed25519_ro_sanity[2]; #endif #ifdef HAVE_ED448 extern int wolfCrypt_FIPS_ED448_sanity(void); + extern const unsigned int wolfCrypt_FIPS_ed448_ro_sanity[2]; #endif extern int wolfCrypt_FIPS_HMAC_sanity(void); + extern const unsigned int wolfCrypt_FIPS_hmac_ro_sanity[2]; #ifndef NO_KDF extern int wolfCrypt_FIPS_KDF_sanity(void); + extern const unsigned int wolfCrypt_FIPS_kdf_ro_sanity[2]; #endif #ifdef HAVE_PBKDF2 extern int wolfCrypt_FIPS_PBKDF_sanity(void); + extern const unsigned int wolfCrypt_FIPS_pbkdf_ro_sanity[2]; #endif #ifdef HAVE_HASHDRBG extern int wolfCrypt_FIPS_DRBG_sanity(void); + extern const unsigned int wolfCrypt_FIPS_drbg_ro_sanity[2]; #endif #ifndef NO_RSA extern int wolfCrypt_FIPS_RSA_sanity(void); + extern const unsigned int wolfCrypt_FIPS_rsa_ro_sanity[2]; #endif #ifndef NO_SHA extern int wolfCrypt_FIPS_SHA_sanity(void); + extern const unsigned int wolfCrypt_FIPS_sha_ro_sanity[2]; #endif #ifndef NO_SHA256 extern int wolfCrypt_FIPS_SHA256_sanity(void); + extern const unsigned int wolfCrypt_FIPS_sha256_ro_sanity[2]; #endif #ifdef WOLFSSL_SHA512 extern int wolfCrypt_FIPS_SHA512_sanity(void); + extern const unsigned int wolfCrypt_FIPS_sha512_ro_sanity[2]; #endif #ifdef WOLFSSL_SHA3 extern int wolfCrypt_FIPS_SHA3_sanity(void); + extern const unsigned int wolfCrypt_FIPS_sha3_ro_sanity[2]; #endif extern int wolfCrypt_FIPS_FT_sanity(void); + extern const unsigned int wolfCrypt_FIPS_ft_ro_sanity[2]; + extern const unsigned int wolfCrypt_FIPS_f_ro_sanity[2]; extern int wc_RunAllCast_fips(void); #endif #endif @@ -698,11 +717,11 @@ #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ - #if defined(__PIE__) && !defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE) - #error "compiling -fPIE requires PIE redirect table." + #if defined(__PIE__) && !defined(WC_PIE_RELOC_TABLES) + #error "compiling -fPIE requires PIE relocation tables." #endif - #ifdef HAVE_LINUXKM_PIE_SUPPORT + #ifdef WC_PIE_RELOC_TABLES #ifndef WOLFSSL_TEXT_SEGMENT_CANONICALIZER #define WOLFSSL_TEXT_SEGMENT_CANONICALIZER(text_in, text_in_len, text_out, cur_index_p) \ @@ -710,11 +729,19 @@ #define WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ 8192 #endif + extern __attribute__((error("uncallable fencepost"))) int __wc_text_start(void); + extern __attribute__((error("uncallable fencepost"))) int __wc_text_end(void); + #ifdef HAVE_FIPS + static_assert(__builtin_types_compatible_p(typeof(__wc_text_start), typeof(wolfCrypt_FIPS_first))); + static_assert(__builtin_types_compatible_p(typeof(__wc_text_end), typeof(wolfCrypt_FIPS_last))); + #endif + extern const unsigned int __wc_rodata_start[], __wc_rodata_end[]; + #ifdef HAVE_FIPS + static_assert(__builtin_types_compatible_p(typeof(__wc_rodata_start), typeof(wolfCrypt_FIPS_ro_start))); + static_assert(__builtin_types_compatible_p(typeof(__wc_rodata_end), typeof(wolfCrypt_FIPS_ro_end))); + #endif + extern const u8 - __wc_text_start[], - __wc_text_end[], - __wc_rodata_start[], - __wc_rodata_end[], __wc_rwdata_start[], __wc_rwdata_end[], __wc_bss_start[], @@ -726,9 +753,6 @@ size_t text_in_len, u8 *text_out, ssize_t *cur_index_p); - #endif /* HAVE_LINUXKM_PIE_SUPPORT */ - - #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE #ifdef CONFIG_MIPS #undef __ARCH_MEMCMP_NO_REDIRECT @@ -883,51 +907,70 @@ #ifdef HAVE_FIPS typeof(wolfCrypt_FIPS_first) *wolfCrypt_FIPS_first; typeof(wolfCrypt_FIPS_last) *wolfCrypt_FIPS_last; + typeof(wolfCrypt_FIPS_ro_start) *wolfCrypt_FIPS_ro_start; + typeof(wolfCrypt_FIPS_ro_end) *wolfCrypt_FIPS_ro_end; #if FIPS_VERSION3_GE(6,0,0) #ifndef NO_AES typeof(wolfCrypt_FIPS_AES_sanity) *wolfCrypt_FIPS_AES_sanity; + typeof(wolfCrypt_FIPS_aes_ro_sanity) *wolfCrypt_FIPS_aes_ro_sanity; #if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) typeof(wolfCrypt_FIPS_CMAC_sanity) *wolfCrypt_FIPS_CMAC_sanity; + typeof(wolfCrypt_FIPS_cmac_ro_sanity) *wolfCrypt_FIPS_cmac_ro_sanity; #endif #endif #ifndef NO_DH typeof(wolfCrypt_FIPS_DH_sanity) *wolfCrypt_FIPS_DH_sanity; + typeof(wolfCrypt_FIPS_dh_ro_sanity) *wolfCrypt_FIPS_dh_ro_sanity; #endif #ifdef HAVE_ECC typeof(wolfCrypt_FIPS_ECC_sanity) *wolfCrypt_FIPS_ECC_sanity; + typeof(wolfCrypt_FIPS_ecc_ro_sanity) *wolfCrypt_FIPS_ecc_ro_sanity; #endif #ifdef HAVE_ED25519 typeof(wolfCrypt_FIPS_ED25519_sanity) *wolfCrypt_FIPS_ED25519_sanity; + typeof(wolfCrypt_FIPS_ed25519_ro_sanity) *wolfCrypt_FIPS_ed25519_ro_sanity; #endif #ifdef HAVE_ED448 typeof(wolfCrypt_FIPS_ED448_sanity) *wolfCrypt_FIPS_ED448_sanity; + typeof(wolfCrypt_FIPS_ed448_ro_sanity) *wolfCrypt_FIPS_ed448_ro_sanity; #endif typeof(wolfCrypt_FIPS_HMAC_sanity) *wolfCrypt_FIPS_HMAC_sanity; + typeof(wolfCrypt_FIPS_hmac_ro_sanity) *wolfCrypt_FIPS_hmac_ro_sanity; #ifndef NO_KDF typeof(wolfCrypt_FIPS_KDF_sanity) *wolfCrypt_FIPS_KDF_sanity; + typeof(wolfCrypt_FIPS_kdf_ro_sanity) *wolfCrypt_FIPS_kdf_ro_sanity; #endif #ifdef HAVE_PBKDF2 typeof(wolfCrypt_FIPS_PBKDF_sanity) *wolfCrypt_FIPS_PBKDF_sanity; + typeof(wolfCrypt_FIPS_pbkdf_ro_sanity) *wolfCrypt_FIPS_pbkdf_ro_sanity; #endif #ifdef HAVE_HASHDRBG typeof(wolfCrypt_FIPS_DRBG_sanity) *wolfCrypt_FIPS_DRBG_sanity; + typeof(wolfCrypt_FIPS_drbg_ro_sanity) *wolfCrypt_FIPS_drbg_ro_sanity; #endif #ifndef NO_RSA typeof(wolfCrypt_FIPS_RSA_sanity) *wolfCrypt_FIPS_RSA_sanity; + typeof(wolfCrypt_FIPS_rsa_ro_sanity) *wolfCrypt_FIPS_rsa_ro_sanity; #endif #ifndef NO_SHA typeof(wolfCrypt_FIPS_SHA_sanity) *wolfCrypt_FIPS_SHA_sanity; + typeof(wolfCrypt_FIPS_sha_ro_sanity) *wolfCrypt_FIPS_sha_ro_sanity; #endif #ifndef NO_SHA256 typeof(wolfCrypt_FIPS_SHA256_sanity) *wolfCrypt_FIPS_SHA256_sanity; + typeof(wolfCrypt_FIPS_sha256_ro_sanity) *wolfCrypt_FIPS_sha256_ro_sanity; #endif #ifdef WOLFSSL_SHA512 typeof(wolfCrypt_FIPS_SHA512_sanity) *wolfCrypt_FIPS_SHA512_sanity; + typeof(wolfCrypt_FIPS_sha512_ro_sanity) *wolfCrypt_FIPS_sha512_ro_sanity; #endif #ifdef WOLFSSL_SHA3 typeof(wolfCrypt_FIPS_SHA3_sanity) *wolfCrypt_FIPS_SHA3_sanity; + typeof(wolfCrypt_FIPS_sha3_ro_sanity) *wolfCrypt_FIPS_sha3_ro_sanity; #endif typeof(wolfCrypt_FIPS_FT_sanity) *wolfCrypt_FIPS_FT_sanity; + typeof(wolfCrypt_FIPS_ft_ro_sanity) *wolfCrypt_FIPS_ft_ro_sanity; + typeof(wolfCrypt_FIPS_f_ro_sanity) *wolfCrypt_FIPS_f_ro_sanity; typeof(wc_RunAllCast_fips) *wc_RunAllCast_fips; #endif #endif @@ -999,179 +1042,185 @@ extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table; - #if defined(WC_LKM_INDIRECT_SYM) + #if defined(WC_PIE_INDIRECT_SYM) /* keep user-supplied override definition. */ - #elif defined(WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY) || \ - defined(WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ) + #elif defined(WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY) || \ + defined(WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ) /* keep user-supplied override method. */ #elif defined(CONFIG_X86) - #define WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ + #define WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ #elif defined(CONFIG_ARM64) /* direct access to wolfssl_linuxkm_pie_redirect_table.x on aarch64 * produces GOT relocations, e.g. R_AARCH64_LD64_GOT_LO12_NC. */ - #define WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY + #define WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY #else /* for other archs, by default use the safe way. */ - #define WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY + #define WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY #endif - #if defined(WC_LKM_INDIRECT_SYM) + #if defined(WC_PIE_INDIRECT_SYM) /* keep user-supplied override definition. */ - #elif defined(WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY) - #define WC_LKM_INDIRECT_SYM(x) (wolfssl_linuxkm_get_pie_redirect_table()->x) - #elif defined(WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ) - #define WC_LKM_INDIRECT_SYM(x) (wolfssl_linuxkm_pie_redirect_table.x) + #elif defined(WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY) + static const struct wolfssl_linuxkm_pie_redirect_table *wolfssl_linuxkm_pie_redirect_table_local_ptr = NULL; + static inline const struct wolfssl_linuxkm_pie_redirect_table *wolfssl_linuxkm_get_pie_redirect_table_local(void) { + if (wolfssl_linuxkm_pie_redirect_table_local_ptr == NULL) + wolfssl_linuxkm_pie_redirect_table_local_ptr = wolfssl_linuxkm_get_pie_redirect_table(); + return wolfssl_linuxkm_pie_redirect_table_local_ptr; + } + #define WC_PIE_INDIRECT_SYM(x) (wolfssl_linuxkm_get_pie_redirect_table_local()->x) + #elif defined(WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ) + #define WC_PIE_INDIRECT_SYM(x) (wolfssl_linuxkm_pie_redirect_table.x) #else - #error no WC_LKM_INDIRECT_SYM method defined. + #error no WC_PIE_INDIRECT_SYM method defined. #endif #ifdef __PIE__ #define wc_linuxkm_normalize_relocations \ - WC_LKM_INDIRECT_SYM(wc_linuxkm_normalize_relocations) + WC_PIE_INDIRECT_SYM(wc_linuxkm_normalize_relocations) #ifndef __ARCH_MEMCMP_NO_REDIRECT - #define memcmp WC_LKM_INDIRECT_SYM(memcmp) + #define memcmp WC_PIE_INDIRECT_SYM(memcmp) #endif #ifndef __ARCH_MEMCPY_NO_REDIRECT - #define memcpy WC_LKM_INDIRECT_SYM(memcpy) + #define memcpy WC_PIE_INDIRECT_SYM(memcpy) #endif #ifndef __ARCH_MEMSET_NO_REDIRECT - #define memset WC_LKM_INDIRECT_SYM(memset) + #define memset WC_PIE_INDIRECT_SYM(memset) #endif #ifndef __ARCH_MEMMOVE_NO_REDIRECT - #define memmove WC_LKM_INDIRECT_SYM(memmove) + #define memmove WC_PIE_INDIRECT_SYM(memmove) #endif #ifndef __ARCH_STRCMP_NO_REDIRECT - #define strcmp WC_LKM_INDIRECT_SYM(strcmp) + #define strcmp WC_PIE_INDIRECT_SYM(strcmp) #endif #ifndef __ARCH_STRNCMP_NO_REDIRECT - #define strncmp WC_LKM_INDIRECT_SYM(strncmp) + #define strncmp WC_PIE_INDIRECT_SYM(strncmp) #endif #ifndef __ARCH_STRCASECMP_NO_REDIRECT - #define strcasecmp WC_LKM_INDIRECT_SYM(strcasecmp) + #define strcasecmp WC_PIE_INDIRECT_SYM(strcasecmp) #endif #ifndef __ARCH_STRNCASECMP_NO_REDIRECT - #define strncasecmp WC_LKM_INDIRECT_SYM(strncasecmp) + #define strncasecmp WC_PIE_INDIRECT_SYM(strncasecmp) #endif #ifndef __ARCH_STRLEN_NO_REDIRECT - #define strlen WC_LKM_INDIRECT_SYM(strlen) + #define strlen WC_PIE_INDIRECT_SYM(strlen) #endif #ifndef __ARCH_STRSTR_NO_REDIRECT - #define strstr WC_LKM_INDIRECT_SYM(strstr) + #define strstr WC_PIE_INDIRECT_SYM(strstr) #endif #ifndef __ARCH_STRNCPY_NO_REDIRECT - #define strncpy WC_LKM_INDIRECT_SYM(strncpy) + #define strncpy WC_PIE_INDIRECT_SYM(strncpy) #endif #ifndef __ARCH_STRNCAT_NO_REDIRECT - #define strncat WC_LKM_INDIRECT_SYM(strncat) + #define strncat WC_PIE_INDIRECT_SYM(strncat) #endif - #define kstrtoll WC_LKM_INDIRECT_SYM(kstrtoll) + #define kstrtoll WC_PIE_INDIRECT_SYM(kstrtoll) #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)) || \ (defined(RHEL_MAJOR) && \ ((RHEL_MAJOR > 9) || ((RHEL_MAJOR == 9) && (RHEL_MINOR >= 5)))) - #define _printk WC_LKM_INDIRECT_SYM(_printk) + #define _printk WC_PIE_INDIRECT_SYM(_printk) #else - #define printk WC_LKM_INDIRECT_SYM(printk) + #define printk WC_PIE_INDIRECT_SYM(printk) #endif #ifdef CONFIG_FORTIFY_SOURCE - #define __warn_printk WC_LKM_INDIRECT_SYM(__warn_printk) + #define __warn_printk WC_PIE_INDIRECT_SYM(__warn_printk) #endif - #define snprintf WC_LKM_INDIRECT_SYM(snprintf) + #define snprintf WC_PIE_INDIRECT_SYM(snprintf) - #define _ctype WC_LKM_INDIRECT_SYM(_ctype) + #define _ctype WC_PIE_INDIRECT_SYM(_ctype) #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 18, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ - #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) - #define krealloc_node_align_noprof WC_LKM_INDIRECT_SYM(krealloc_node_align_noprof) - #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) - #define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof) - #define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof) + #define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof) + #define krealloc_node_align_noprof WC_PIE_INDIRECT_SYM(krealloc_node_align_noprof) + #define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof) + #define __kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(__kvmalloc_node_noprof) + #define __kmalloc_cache_noprof WC_PIE_INDIRECT_SYM(__kmalloc_cache_noprof) #ifdef HAVE_KVREALLOC - #define kvrealloc_node_align_noprof WC_LKM_INDIRECT_SYM(kvrealloc_node_align_noprof) + #define kvrealloc_node_align_noprof WC_PIE_INDIRECT_SYM(kvrealloc_node_align_noprof) #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ - #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) - #define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof) - #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) - #define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof) - #define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof) + #define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof) + #define krealloc_noprof WC_PIE_INDIRECT_SYM(krealloc_noprof) + #define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof) + #define __kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(__kvmalloc_node_noprof) + #define __kmalloc_cache_noprof WC_PIE_INDIRECT_SYM(__kmalloc_cache_noprof) #ifdef HAVE_KVREALLOC - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #define kvrealloc_noprof WC_PIE_INDIRECT_SYM(kvrealloc_noprof) #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ - #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) - #define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof) - #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) - #define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof) - #define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof) + #define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof) + #define krealloc_noprof WC_PIE_INDIRECT_SYM(krealloc_noprof) + #define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof) + #define kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(kvmalloc_node_noprof) + #define kmalloc_trace_noprof WC_PIE_INDIRECT_SYM(kmalloc_trace_noprof) #ifdef HAVE_KVREALLOC - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #define kvrealloc_noprof WC_PIE_INDIRECT_SYM(kvrealloc_noprof) #endif #else /* <6.10.0 */ - #define kmalloc WC_LKM_INDIRECT_SYM(kmalloc) - #define krealloc WC_LKM_INDIRECT_SYM(krealloc) + #define kmalloc WC_PIE_INDIRECT_SYM(kmalloc) + #define krealloc WC_PIE_INDIRECT_SYM(krealloc) #define kzalloc(size, flags) kmalloc(size, (flags) | __GFP_ZERO) #ifdef HAVE_KVMALLOC - #define kvmalloc_node WC_LKM_INDIRECT_SYM(kvmalloc_node) + #define kvmalloc_node WC_PIE_INDIRECT_SYM(kvmalloc_node) #endif #ifdef HAVE_KVREALLOC - #define kvrealloc WC_LKM_INDIRECT_SYM(kvrealloc) + #define kvrealloc WC_PIE_INDIRECT_SYM(kvrealloc) #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) || \ (defined(RHEL_MAJOR) && \ ((RHEL_MAJOR > 9) || ((RHEL_MAJOR == 9) && (RHEL_MINOR >= 5)))) - #define kmalloc_trace WC_LKM_INDIRECT_SYM(kmalloc_trace) + #define kmalloc_trace WC_PIE_INDIRECT_SYM(kmalloc_trace) #else - #define kmem_cache_alloc_trace WC_LKM_INDIRECT_SYM(kmem_cache_alloc_trace) - #define kmalloc_order_trace WC_LKM_INDIRECT_SYM(kmalloc_order_trace) + #define kmem_cache_alloc_trace WC_PIE_INDIRECT_SYM(kmem_cache_alloc_trace) + #define kmalloc_order_trace WC_PIE_INDIRECT_SYM(kmalloc_order_trace) #endif #endif /* <6.10.0 */ - #define kfree WC_LKM_INDIRECT_SYM(kfree) + #define kfree WC_PIE_INDIRECT_SYM(kfree) #ifdef HAVE_KVMALLOC - #define kvfree WC_LKM_INDIRECT_SYM(kvfree) + #define kvfree WC_PIE_INDIRECT_SYM(kvfree) #endif - #define ksize WC_LKM_INDIRECT_SYM(ksize) + #define ksize WC_PIE_INDIRECT_SYM(ksize) - #define get_random_bytes WC_LKM_INDIRECT_SYM(get_random_bytes) + #define get_random_bytes WC_PIE_INDIRECT_SYM(get_random_bytes) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) - #define getnstimeofday WC_LKM_INDIRECT_SYM(getnstimeofday) + #define getnstimeofday WC_PIE_INDIRECT_SYM(getnstimeofday) #elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) - #define current_kernel_time64 WC_LKM_INDIRECT_SYM(current_kernel_time64) + #define current_kernel_time64 WC_PIE_INDIRECT_SYM(current_kernel_time64) #else - #define ktime_get_coarse_real_ts64 WC_LKM_INDIRECT_SYM(ktime_get_coarse_real_ts64) + #define ktime_get_coarse_real_ts64 WC_PIE_INDIRECT_SYM(ktime_get_coarse_real_ts64) #endif #undef get_current - #define get_current WC_LKM_INDIRECT_SYM(get_current) + #define get_current WC_PIE_INDIRECT_SYM(get_current) #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86) - #define allocate_wolfcrypt_linuxkm_fpu_states WC_LKM_INDIRECT_SYM(allocate_wolfcrypt_linuxkm_fpu_states) - #define wc_can_save_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_can_save_vector_registers_x86) - #define free_wolfcrypt_linuxkm_fpu_states WC_LKM_INDIRECT_SYM(free_wolfcrypt_linuxkm_fpu_states) - #define wc_restore_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_restore_vector_registers_x86) - #define wc_save_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_save_vector_registers_x86) + #define allocate_wolfcrypt_linuxkm_fpu_states WC_PIE_INDIRECT_SYM(allocate_wolfcrypt_linuxkm_fpu_states) + #define wc_can_save_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_can_save_vector_registers_x86) + #define free_wolfcrypt_linuxkm_fpu_states WC_PIE_INDIRECT_SYM(free_wolfcrypt_linuxkm_fpu_states) + #define wc_restore_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_restore_vector_registers_x86) + #define wc_save_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_save_vector_registers_x86) #elif defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) #error WOLFSSL_USE_SAVE_VECTOR_REGISTERS is set for an unimplemented architecture. #endif /* WOLFSSL_USE_SAVE_VECTOR_REGISTERS */ - #define __mutex_init WC_LKM_INDIRECT_SYM(__mutex_init) + #define __mutex_init WC_PIE_INDIRECT_SYM(__mutex_init) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) - #define mutex_lock_nested WC_LKM_INDIRECT_SYM(mutex_lock_nested) + #define mutex_lock_nested WC_PIE_INDIRECT_SYM(mutex_lock_nested) #else - #define mutex_lock WC_LKM_INDIRECT_SYM(mutex_lock) + #define mutex_lock WC_PIE_INDIRECT_SYM(mutex_lock) #endif - #define mutex_unlock WC_LKM_INDIRECT_SYM(mutex_unlock) + #define mutex_unlock WC_PIE_INDIRECT_SYM(mutex_unlock) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) - #define mutex_destroy WC_LKM_INDIRECT_SYM(mutex_destroy) + #define mutex_destroy WC_PIE_INDIRECT_SYM(mutex_destroy) #endif /* per linux/ctype.h, tolower() and toupper() are macros bound to static inlines @@ -1184,59 +1233,59 @@ #define toupper(c) (isupper(c) ? (c) : ((c) - ('a'-'A'))) #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) - #define GetCA WC_LKM_INDIRECT_SYM(GetCA) + #define GetCA WC_PIE_INDIRECT_SYM(GetCA) #ifndef NO_SKID - #define GetCAByName WC_LKM_INDIRECT_SYM(GetCAByName) + #define GetCAByName WC_PIE_INDIRECT_SYM(GetCAByName) #ifdef HAVE_OCSP - #define GetCAByKeyHash WC_LKM_INDIRECT_SYM(GetCAByKeyHash) + #define GetCAByKeyHash WC_PIE_INDIRECT_SYM(GetCAByKeyHash) #endif /* HAVE_OCSP */ #endif /* NO_SKID */ #ifdef WOLFSSL_AKID_NAME - #define GetCAByAKID WC_LKM_INDIRECT_SYM(GetCAByAKID) + #define GetCAByAKID WC_PIE_INDIRECT_SYM(GetCAByAKID) #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - #define wolfSSL_X509_NAME_add_entry_by_NID WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_add_entry_by_NID) - #define wolfSSL_X509_NAME_free WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_free) - #define wolfSSL_X509_NAME_new_ex WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_new_ex) + #define wolfSSL_X509_NAME_add_entry_by_NID WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_add_entry_by_NID) + #define wolfSSL_X509_NAME_free WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_free) + #define wolfSSL_X509_NAME_new_ex WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_new_ex) #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES - #define dump_stack WC_LKM_INDIRECT_SYM(dump_stack) + #define dump_stack WC_PIE_INDIRECT_SYM(dump_stack) #endif #undef preempt_count /* just in case -- not a macro on x86. */ - #define preempt_count WC_LKM_INDIRECT_SYM(preempt_count) + #define preempt_count WC_PIE_INDIRECT_SYM(preempt_count) #ifndef WOLFSSL_LINUXKM_USE_MUTEXES #ifndef _raw_spin_lock_irqsave - #define _raw_spin_lock_irqsave WC_LKM_INDIRECT_SYM(_raw_spin_lock_irqsave) + #define _raw_spin_lock_irqsave WC_PIE_INDIRECT_SYM(_raw_spin_lock_irqsave) #endif #ifndef _raw_spin_trylock - #define _raw_spin_trylock WC_LKM_INDIRECT_SYM(_raw_spin_trylock) + #define _raw_spin_trylock WC_PIE_INDIRECT_SYM(_raw_spin_trylock) #endif #ifndef _raw_spin_unlock_irqrestore - #define _raw_spin_unlock_irqrestore WC_LKM_INDIRECT_SYM(_raw_spin_unlock_irqrestore) + #define _raw_spin_unlock_irqrestore WC_PIE_INDIRECT_SYM(_raw_spin_unlock_irqrestore) #endif #endif - #define _cond_resched WC_LKM_INDIRECT_SYM(_cond_resched) + #define _cond_resched WC_PIE_INDIRECT_SYM(_cond_resched) /* this is defined in linux/spinlock.h as an inline that calls the unshimmed * raw_spin_unlock_irqrestore(). use a macro here to supersede it. */ #define spin_unlock_irqrestore(lock, flags) raw_spin_unlock_irqrestore(&((lock)->rlock), flags) - #define wc_linuxkm_sig_ignore_begin WC_LKM_INDIRECT_SYM(wc_linuxkm_sig_ignore_begin); - #define wc_linuxkm_sig_ignore_end WC_LKM_INDIRECT_SYM(wc_linuxkm_sig_ignore_end); - #define wc_linuxkm_check_for_intr_signals WC_LKM_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals) - #define wc_linuxkm_relax_long_loop WC_LKM_INDIRECT_SYM(wc_linuxkm_relax_long_loop) + #define wc_linuxkm_sig_ignore_begin WC_PIE_INDIRECT_SYM(wc_linuxkm_sig_ignore_begin); + #define wc_linuxkm_sig_ignore_end WC_PIE_INDIRECT_SYM(wc_linuxkm_sig_ignore_end); + #define wc_linuxkm_check_for_intr_signals WC_PIE_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals) + #define wc_linuxkm_relax_long_loop WC_PIE_INDIRECT_SYM(wc_linuxkm_relax_long_loop) #endif /* __PIE__ */ - #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */ + #endif /* WC_PIE_RELOC_TABLES */ /* remove this multifariously conflicting macro, picked up from * Linux arch//include/asm/current.h. @@ -1396,7 +1445,7 @@ */ static __always_inline int wc_LockMutex(wolfSSL_Mutex *m) { - return WC_LKM_INDIRECT_SYM(wc_lkm_LockMutex)(m); + return WC_PIE_INDIRECT_SYM(wc_lkm_LockMutex)(m); } #else /* !__PIE__ */ diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 65922b614..26a8a5456 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -89,7 +89,7 @@ static int libwolfssl_cleanup(void) { extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1]; #endif -#ifdef HAVE_LINUXKM_PIE_SUPPORT +#ifdef WC_PIE_RELOC_TABLES #ifdef DEBUG_LINUXKM_PIE_SUPPORT @@ -113,17 +113,17 @@ static int total_text_r = 0, total_rodata_r = 0, total_rwdata_r = 0, #endif /* DEBUG_LINUXKM_PIE_SUPPORT */ -#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE +#ifdef WC_PIE_RELOC_TABLES extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table; static int set_up_wolfssl_linuxkm_pie_redirect_table(void); -#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */ +#endif /* WC_PIE_RELOC_TABLES */ #ifdef HAVE_FIPS extern const unsigned int wolfCrypt_FIPS_ro_start[]; extern const unsigned int wolfCrypt_FIPS_ro_end[]; #endif -#endif /* HAVE_LINUXKM_PIE_SUPPORT */ +#endif /* WC_PIE_RELOC_TABLES */ #ifdef HAVE_FIPS static void lkmFipsCb(int ok, int err, const char* hash) @@ -491,13 +491,13 @@ static int wolfssl_init(void) #endif /* HAVE_FIPS */ -#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE +#ifdef WC_PIE_RELOC_TABLES ret = set_up_wolfssl_linuxkm_pie_redirect_table(); if (ret < 0) return ret; #endif -#if defined(HAVE_FIPS) && defined(HAVE_LINUXKM_PIE_SUPPORT) +#if defined(HAVE_FIPS) && defined(WC_PIE_RELOC_TABLES) if (((uintptr_t)__wc_text_start > (uintptr_t)wolfCrypt_FIPS_first) || ((uintptr_t)__wc_text_end < (uintptr_t)wolfCrypt_FIPS_last) || ((uintptr_t)__wc_rodata_start > (uintptr_t)wolfCrypt_FIPS_ro_start) || @@ -508,7 +508,7 @@ static int wolfssl_init(void) } #endif -#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) /* see linux commit ac3b432839 */ @@ -529,11 +529,11 @@ static int wolfssl_init(void) #endif { - unsigned int text_hash = hash_span(__wc_text_start, __wc_text_end, 1); - unsigned int rodata_hash = hash_span(__wc_rodata_start, __wc_rodata_end, 1); + unsigned int text_hash = hash_span((const u8 *)__wc_text_start, (const u8 *)__wc_text_end, 1); + unsigned int rodata_hash = hash_span((const u8 *)__wc_rodata_start, (const u8 *)__wc_rodata_end, 1); u8 *canon_buf = malloc(WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ); ssize_t cur_reloc_index = -1; - const byte *text_p = __wc_text_start; + const u8 *text_p = (const u8 *)__wc_text_start; unsigned int stabilized_text_hash = 1; if (! canon_buf) { @@ -544,12 +544,12 @@ static int wolfssl_init(void) total_text_r = total_rodata_r = total_rwdata_r = total_bss_r = total_other_r = 0; - while (text_p < __wc_text_end) { + while (text_p < (const u8 *)__wc_text_end) { ssize_t progress = WOLFSSL_TEXT_SEGMENT_CANONICALIZER( text_p, min(WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ, - (word32)(__wc_text_end - text_p)), + (word32)((const u8 *)__wc_text_end - text_p)), canon_buf, &cur_reloc_index); if (progress <= 0) { pr_err("ERROR: progress=%ld from WOLFSSL_TEXT_SEGMENT_CANONICALIZER() at offset %x (text=%x-%x).\n", @@ -572,10 +572,10 @@ static int wolfssl_init(void) * attacker. */ pr_info("wolfCrypt segment hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx, canon text 0x%x\n", - text_hash, __wc_text_end - __wc_text_start, + text_hash, (uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start, rodata_hash, __wc_rodata_end - __wc_rodata_start, - &__wc_text_start[0] < &__wc_rodata_start[0] ? '+' : '-', - &__wc_text_start[0] < &__wc_rodata_start[0] ? &__wc_rodata_start[0] - &__wc_text_start[0] : &__wc_text_start[0] - &__wc_rodata_start[0], + (uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? '+' : '-', + (uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? (uintptr_t)&__wc_rodata_start[0] - (uintptr_t)__wc_text_start : (uintptr_t)__wc_text_start - (uintptr_t)&__wc_rodata_start[0], stabilized_text_hash); pr_info("wolfCrypt segments: text=%x-%x, rodata=%x-%x, " @@ -593,7 +593,7 @@ static int wolfssl_init(void) total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r); } -#endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */ +#endif /* WC_PIE_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */ #ifdef HAVE_FIPS ret = wolfCrypt_SetCb_fips(lkmFipsCb); @@ -602,7 +602,7 @@ static int wolfssl_init(void) return -ECANCELED; } -#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) total_text_r = total_rodata_r = total_rwdata_r = total_bss_r = total_other_r = 0; #endif @@ -614,7 +614,7 @@ static int wolfssl_init(void) else pr_err("ERROR: WC_SIG_IGNORE_BEGIN() failed.\n"); -#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT) +#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) pr_info("FIPS-bounded relocation normalizations: text=%d, rodata=%d, rwdata=%d, bss=%d, other=%d\n", total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r); #endif @@ -859,9 +859,7 @@ MODULE_AUTHOR("https://www.wolfssl.com/"); MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities"); MODULE_VERSION(LIBWOLFSSL_VERSION_STRING); -#ifdef HAVE_LINUXKM_PIE_SUPPORT - -#include "linuxkm/wc_linuxkm_pie_reloc_tab.c" +#ifdef WC_PIE_RELOC_TABLES static inline int find_reloc_tab_offset(size_t text_in_offset) { int ret, hop; @@ -936,8 +934,8 @@ ssize_t wc_linuxkm_normalize_relocations( #endif if ((text_in_len == 0) || - (text_in < __wc_text_start) || - (text_in + text_in_len > __wc_text_end)) + ((uintptr_t)text_in < (uintptr_t)__wc_text_start) || + ((uintptr_t)(text_in + text_in_len) > (uintptr_t)__wc_text_end)) { #ifdef DEBUG_LINUXKM_PIE_SUPPORT pr_err("ERROR: %s returning -1 at L %d with span %x-%x versus segment %x-%x.\n", __FUNCTION__, __LINE__, (unsigned)(uintptr_t)text_in, (unsigned)(uintptr_t)(text_in + text_in_len), (unsigned)(uintptr_t)__wc_text_start, (unsigned)(uintptr_t)__wc_text_end); @@ -1109,10 +1107,6 @@ ssize_t wc_linuxkm_normalize_relocations( return (ssize_t)text_in_len; } -#endif /* HAVE_LINUXKM_PIE_SUPPORT */ - -#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE - /* get_current() is an inline or macro, depending on the target -- sidestep the * whole issue with a wrapper func. */ @@ -1284,71 +1278,129 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { #endif #ifdef HAVE_FIPS + +#ifdef WC_USE_PIE_FENCEPOSTS_FOR_FIPS + /* use __wc_text_start and __wc_text_end, not wolfCrypt_FIPS_first and + * wolfCrypt_FIPS_last, thereby including the whole container in the HMAC + * span. Note there are runtime asserts at entry to wolfssl_init() above + * confirming that __wc_*_{start,end} correctly contain the wolfCrypt_FIPS_* + * fenceposts. + */ + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first = + __wc_text_start; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last = + __wc_text_end; + /* ditto for wolfCrypt_FIPS_ro_start and wolfCrypt_FIPS_ro_end. */ + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_start = + &__wc_rodata_start; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_end = + &__wc_rodata_end; +#else wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first = wolfCrypt_FIPS_first; wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last = wolfCrypt_FIPS_last; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_start = + &wolfCrypt_FIPS_ro_start; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_end = + &wolfCrypt_FIPS_ro_end; +#endif + #if FIPS_VERSION3_GE(6,0,0) #ifndef NO_AES wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity = wolfCrypt_FIPS_AES_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_aes_ro_sanity = + &wolfCrypt_FIPS_aes_ro_sanity; #if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity = wolfCrypt_FIPS_CMAC_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_cmac_ro_sanity = + &wolfCrypt_FIPS_cmac_ro_sanity; #endif #endif #ifndef NO_DH wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity = wolfCrypt_FIPS_DH_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_dh_ro_sanity = + &wolfCrypt_FIPS_dh_ro_sanity; #endif #ifdef HAVE_ECC wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity = wolfCrypt_FIPS_ECC_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ecc_ro_sanity = + &wolfCrypt_FIPS_ecc_ro_sanity; #endif #ifdef HAVE_ED25519 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity = wolfCrypt_FIPS_ED25519_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ed25519_ro_sanity = + &wolfCrypt_FIPS_ed25519_ro_sanity; #endif #ifdef HAVE_ED448 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity = wolfCrypt_FIPS_ED448_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ed448_ro_sanity = + &wolfCrypt_FIPS_ed448_ro_sanity; #endif wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity = wolfCrypt_FIPS_HMAC_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_hmac_ro_sanity = + &wolfCrypt_FIPS_hmac_ro_sanity; #ifndef NO_KDF wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity = wolfCrypt_FIPS_KDF_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_kdf_ro_sanity = + &wolfCrypt_FIPS_kdf_ro_sanity; #endif #ifdef HAVE_PBKDF2 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity = wolfCrypt_FIPS_PBKDF_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_pbkdf_ro_sanity = + &wolfCrypt_FIPS_pbkdf_ro_sanity; #endif #ifdef HAVE_HASHDRBG wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity = wolfCrypt_FIPS_DRBG_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_drbg_ro_sanity = + &wolfCrypt_FIPS_drbg_ro_sanity; #endif #ifndef NO_RSA wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity = wolfCrypt_FIPS_RSA_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_rsa_ro_sanity = + &wolfCrypt_FIPS_rsa_ro_sanity; #endif #ifndef NO_SHA wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity = wolfCrypt_FIPS_SHA_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha_ro_sanity = + &wolfCrypt_FIPS_sha_ro_sanity; #endif #ifndef NO_SHA256 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity = wolfCrypt_FIPS_SHA256_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha256_ro_sanity = + &wolfCrypt_FIPS_sha256_ro_sanity; #endif #ifdef WOLFSSL_SHA512 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity = wolfCrypt_FIPS_SHA512_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha512_ro_sanity = + &wolfCrypt_FIPS_sha512_ro_sanity; #endif #ifdef WOLFSSL_SHA3 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity = wolfCrypt_FIPS_SHA3_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha3_ro_sanity = + &wolfCrypt_FIPS_sha3_ro_sanity; #endif wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity = wolfCrypt_FIPS_FT_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ft_ro_sanity = + &wolfCrypt_FIPS_ft_ro_sanity; + wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_f_ro_sanity = + &wolfCrypt_FIPS_f_ro_sanity; wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips = wc_RunAllCast_fips; #endif @@ -1421,7 +1473,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { return 0; } -#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */ +#endif /* WC_PIE_RELOC_TABLES */ #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE @@ -1457,11 +1509,17 @@ static int updateFipsHash(void) byte *binCoreKey = NULL; byte *binVerify = NULL; +#ifdef WC_USE_PIE_FENCEPOSTS_FOR_FIPS + fips_address_function first = __wc_text_start; + fips_address_function last = __wc_text_end; + char* start = (char*)__wc_rodata_start; + char* end = (char*)__wc_rodata_end; +#else fips_address_function first = wolfCrypt_FIPS_first; fips_address_function last = wolfCrypt_FIPS_last; - char* start = (char*)wolfCrypt_FIPS_ro_start; char* end = (char*)wolfCrypt_FIPS_ro_end; +#endif unsigned long code_sz = (unsigned long)last - (unsigned long)first; unsigned long data_sz = (unsigned long)end - (unsigned long)start; @@ -1550,7 +1608,7 @@ static int updateFipsHash(void) goto out; } -#if defined(WOLFSSL_LINUXKM) && defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE) +#if defined(WOLFSSL_LINUXKM) && defined(WC_PIE_RELOC_TABLES) { ssize_t cur_reloc_index = -1; const byte *text_p = (const byte *)first; diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 0d0a78226..abf01a4c0 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -4836,17 +4836,17 @@ char* wolfSSL_strnstr(const char* s1, const char* s2, unsigned int n) #endif /* not SINGLE_THREADED */ #if defined(WOLFSSL_LINUXKM) && defined(CONFIG_ARM64) && \ - defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE) + defined(WC_PIE_RELOC_TABLES) noinstr void my__alt_cb_patch_nops(struct alt_instr *alt, __le32 *origptr, __le32 *updptr, int nr_inst) { - return WC_LKM_INDIRECT_SYM(alt_cb_patch_nops) + return WC_PIE_INDIRECT_SYM(alt_cb_patch_nops) (alt, origptr, updptr, nr_inst); } void my__queued_spin_lock_slowpath(struct qspinlock *lock, u32 val) { - return WC_LKM_INDIRECT_SYM(queued_spin_lock_slowpath) + return WC_PIE_INDIRECT_SYM(queued_spin_lock_slowpath) (lock, val); } #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9bd17919d..4b2e4e42c 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3776,7 +3776,7 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_SP_DIV_WORD_HALF #endif - #ifdef HAVE_LINUXKM_PIE_SUPPORT + #ifdef WC_PIE_RELOC_TABLES #ifndef WC_NO_INTERNAL_FUNCTION_POINTERS #define WC_NO_INTERNAL_FUNCTION_POINTERS #endif @@ -3828,6 +3828,9 @@ extern void uITRON4_free(void *p) ; #define WC_RESEED_INTERVAL (((word64)1UL)<<48UL) #endif #endif + #if defined(__aarch64__) && !defined(WOLFSSL_AARCH64_PRIVILEGE_MODE) + #define WOLFSSL_AARCH64_PRIVILEGE_MODE + #endif #endif /* Place any other flags or defines here */