globally rename+unify:
* HAVE_LINUXKM_PIE_SUPPORT and USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE under gate WC_PIE_RELOC_TABLES
* WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY as WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY
* WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ as WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ
* WC_LKM_INDIRECT_SYM() as WC_PIE_INDIRECT_SYM;

linuxkm/linuxkm_wc_port.h:
* implement pointer-caching inline wolfssl_linuxkm_get_pie_redirect_table_local() for the WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY path;
* for FIPS_VERSION3_GE(6,0,0), add wolfCrypt_FIPS_*_ro_sanity pointers to struct wolfssl_linuxkm_pie_redirect_table, and corresponding ad hoc prototypes;

linuxkm/Makefile and linuxkm/module_hooks.c: move wc_linuxkm_pie_reloc_tab into the wolfCrypt PIE container;

linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: harmonize the types of __wc_{text,rodata}_{start,end} with wolfCrypt_FIPS_{first,last,ro_start,ro_end} to allow drop-in use of the all-inclusive ELF fenceposts, activated by WC_USE_PIE_FENCEPOSTS_FOR_FIPS.
Daniel Pouzzner
2025-10-31 16:03:51 -05:00
parent b6cfdcb758
commit 78ff20569e
8 changed files with 281 additions and 162 deletions


@@ -108,7 +108,6 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
# note, we need -fno-stack-protector to avoid references to
# "__stack_chk_fail" from the wolfCrypt container.
PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
# the kernel sanitizers generate external references to
# __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
KASAN_SANITIZE := n
@@ -218,12 +217,17 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
$(OBJCOPY) $$($(READELF) --sections --wide "$$file" | \
$(AWK) ' \
{ \
if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) { \
printf("--rename-section .%s%s=.%s_wolfcrypt ", a[1], a[2], a[1]); \
if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) \
{ \
printf("--rename-section .%s%s=.%s_wolfcrypt ", \
a[1], a[2], a[1]); \
} \
else if (match($$0, "^ *\\[ *[0-9]+\\] +\\.([^ ]+)\\.(text|rodata|data|bss) ", a)) \
{ \
printf("--rename-section .%s.%s=.%s_wolfcrypt ", a[1], a[2], a[2]); \
} \
}') "$$file" || exit $$?; \
done; \
[ "$(KERNEL_ARCH_X86)" != "yes" ] || \
{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
$(AWK) -v obj="$(obj)" ' \
/^File:/ { \
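Review bot: The added `else if` branch in RENAME_PIE_TEXT_AND_DATA_SECTIONS does not say which section names it is meant to catch, and its first group `[^ ]+` accepts any prefix. A readelf line for `.rela.text` would therefore also match and emit `--rename-section .rela.text=.text_wolfcrypt`. Whether objcopy acts on such an argument is not visible from this hunk, but everything renamed here is folded into the wolfCrypt container sections, so the accepted set should be explicit. If relocation sections are not intended, narrow the condition with `&& (a[1] !~ /^rela?$$/)`, and add a one-line comment before the variable naming the prefixed sections this branch exists for. The definition starts before this hunk and continues past its last line.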


@@ -56,7 +56,10 @@ ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
WOLFCRYPT_PIE_FILES := $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o
WOLFCRYPT_PIE_FILES := \
$(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) \
linuxkm/pie_redirect_table.o \
linuxkm/wc_linuxkm_pie_reloc_tab.o
WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
endif
@@ -100,12 +103,12 @@ ifndef MAKE_TMPDIR
MAKE_TMPDIR := $(TMPDIR)
endif
GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
$(AWK) 'BEGIN { \
GENERATE_RELOC_TAB := $(AWK) 'BEGIN { \
n=0; \
bad_relocs=0; \
print "\#include <wolfssl/wolfcrypt/libwolfssl_sources.h>"; \
printf("%s\n ", \
"const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
"WOLFSSL_LOCAL const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
} \
/^Relocation section '\''\.rela\.text_wolfcrypt'\''/ { \
p=1; \
@@ -130,7 +133,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
print "Found " bad_relocs " unexpected relocations." >"/dev/stderr"; \
exit(1); \
} \
print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
print "~0U };\nWOLFSSL_LOCAL const unsigned long wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
}'
ifeq "$(V)" "1"
@@ -139,29 +142,31 @@ endif
.PHONY: libwolfssl.ko
libwolfssl.ko:
@function resolved_link_is_equal() { [[ -L "$$1" && ("$$(readlink -f "$$1")" == "$$(readlink -f "$$2")") ]] }
@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
# after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources:
@mkdir -p '$(MODULE_TOP)/linuxkm'
@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/module_hooks.c' '$(MODULE_TOP)/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
@resolved_link_is_equal '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' '$(SRC_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
@resolved_link_is_equal '$(MODULE_TOP)/src/wolfio.c' '$(SRC_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
ifeq "$(FIPS_OPTEST)" "1"
@test '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' -ef '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm'
@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm'
endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
@[[ -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' ]] || \
{ $(RM) -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' && $(GENERATE_RELOC_TAB) < /dev/null > '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'; }
@$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX"))
@[[ -f wc_linuxkm_pie_reloc_tab.c ]] || echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
@if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko "$(RELOC_TMP)"; fi
@if [[ -f libwolfssl.ko ]]; then touch -r libwolfssl.ko '$(RELOC_TMP)'; fi
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
# if the above make didn't build a fresh libwolfssl.ko, then the module is already up to date and we leave it untouched, assuring stability for purposes of module-update-fips-hash.
@if [[ ! libwolfssl.ko -nt "$(RELOC_TMP)" ]]; then rm "$(RELOC_TMP)"; exit 0; fi
@$(GENERATE_RELOC_TAB) >| wc_linuxkm_pie_reloc_tab.c
@if [[ ! libwolfssl.ko -nt '$(RELOC_TMP)' ]]; then rm '$(RELOC_TMP)'; exit 0; fi
@$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
@$(GENERATE_RELOC_TAB) >| $(RELOC_TMP)
@if diff wc_linuxkm_pie_reloc_tab.c $(RELOC_TMP); then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm $(RELOC_TMP); exit 1; fi
@rm $(RELOC_TMP)
@$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(RELOC_TMP)'
@if diff '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' '$(RELOC_TMP)'; then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm '$(RELOC_TMP)'; exit 1; fi
@rm '$(RELOC_TMP)'
else
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS)
endif
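Review bot: The two new `$(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB)` pipelines in the libwolfssl.ko recipe (the regeneration and the later stability check) take their exit status from awk alone. The placeholder line feeds the same awk script from `/dev/null`, so empty input is evidently accepted. If readelf fails on both passes, the recipe would therefore build with an empty relocation table and still report "Relocation table is stable." unless `pipefail` is enabled somewhere outside this hunk. I would make the failure explicit on both lines, e.g. `@set -o pipefail; $(READELF) --wide -r libwolfssl.ko | $(GENERATE_RELOC_TAB) >| '$(RELOC_TMP)' || { rm -f '$(RELOC_TMP)'; exit 1; }`.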


@@ -208,7 +208,7 @@
#endif
#endif
#if defined(CONFIG_MIPS) && defined(HAVE_LINUXKM_PIE_SUPPORT)
#if defined(CONFIG_MIPS) && defined(WC_PIE_RELOC_TABLES)
/* __ZBOOT__ disables some unhelpful macros around the mem*() funcs in
* legacy arch/mips/include/asm/string.h
*/
@@ -255,7 +255,7 @@
#if defined(CONFIG_FORTIFY_SOURCE) && \
!defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
(defined(HAVE_LINUXKM_PIE_SUPPORT) || \
(defined(WC_PIE_RELOC_TABLES) || \
(LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)))
/* fortify-source causes all sorts of awkward problems for the PIE
* build, up to and including stubborn external references and multiple
@@ -621,51 +621,70 @@
#ifdef HAVE_FIPS
extern int wolfCrypt_FIPS_first(void);
extern int wolfCrypt_FIPS_last(void);
extern const unsigned int wolfCrypt_FIPS_ro_start[];
extern const unsigned int wolfCrypt_FIPS_ro_end[];
#if FIPS_VERSION3_GE(6,0,0)
#ifndef NO_AES
extern int wolfCrypt_FIPS_AES_sanity(void);
extern const unsigned int wolfCrypt_FIPS_aes_ro_sanity[2];
#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT)
extern int wolfCrypt_FIPS_CMAC_sanity(void);
extern const unsigned int wolfCrypt_FIPS_cmac_ro_sanity[2];
#endif
#endif
#ifndef NO_DH
extern int wolfCrypt_FIPS_DH_sanity(void);
extern const unsigned int wolfCrypt_FIPS_dh_ro_sanity[2];
#endif
#ifdef HAVE_ECC
extern int wolfCrypt_FIPS_ECC_sanity(void);
extern const unsigned int wolfCrypt_FIPS_ecc_ro_sanity[2];
#endif
#ifdef HAVE_ED25519
extern int wolfCrypt_FIPS_ED25519_sanity(void);
extern const unsigned int wolfCrypt_FIPS_ed25519_ro_sanity[2];
#endif
#ifdef HAVE_ED448
extern int wolfCrypt_FIPS_ED448_sanity(void);
extern const unsigned int wolfCrypt_FIPS_ed448_ro_sanity[2];
#endif
extern int wolfCrypt_FIPS_HMAC_sanity(void);
extern const unsigned int wolfCrypt_FIPS_hmac_ro_sanity[2];
#ifndef NO_KDF
extern int wolfCrypt_FIPS_KDF_sanity(void);
extern const unsigned int wolfCrypt_FIPS_kdf_ro_sanity[2];
#endif
#ifdef HAVE_PBKDF2
extern int wolfCrypt_FIPS_PBKDF_sanity(void);
extern const unsigned int wolfCrypt_FIPS_pbkdf_ro_sanity[2];
#endif
#ifdef HAVE_HASHDRBG
extern int wolfCrypt_FIPS_DRBG_sanity(void);
extern const unsigned int wolfCrypt_FIPS_drbg_ro_sanity[2];
#endif
#ifndef NO_RSA
extern int wolfCrypt_FIPS_RSA_sanity(void);
extern const unsigned int wolfCrypt_FIPS_rsa_ro_sanity[2];
#endif
#ifndef NO_SHA
extern int wolfCrypt_FIPS_SHA_sanity(void);
extern const unsigned int wolfCrypt_FIPS_sha_ro_sanity[2];
#endif
#ifndef NO_SHA256
extern int wolfCrypt_FIPS_SHA256_sanity(void);
extern const unsigned int wolfCrypt_FIPS_sha256_ro_sanity[2];
#endif
#ifdef WOLFSSL_SHA512
extern int wolfCrypt_FIPS_SHA512_sanity(void);
extern const unsigned int wolfCrypt_FIPS_sha512_ro_sanity[2];
#endif
#ifdef WOLFSSL_SHA3
extern int wolfCrypt_FIPS_SHA3_sanity(void);
extern const unsigned int wolfCrypt_FIPS_sha3_ro_sanity[2];
#endif
extern int wolfCrypt_FIPS_FT_sanity(void);
extern const unsigned int wolfCrypt_FIPS_ft_ro_sanity[2];
extern const unsigned int wolfCrypt_FIPS_f_ro_sanity[2];
extern int wc_RunAllCast_fips(void);
#endif
#endif
@@ -698,11 +717,11 @@
#endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
#if defined(__PIE__) && !defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE)
#error "compiling -fPIE requires PIE redirect table."
#if defined(__PIE__) && !defined(WC_PIE_RELOC_TABLES)
#error "compiling -fPIE requires PIE relocation tables."
#endif
#ifdef HAVE_LINUXKM_PIE_SUPPORT
#ifdef WC_PIE_RELOC_TABLES
#ifndef WOLFSSL_TEXT_SEGMENT_CANONICALIZER
#define WOLFSSL_TEXT_SEGMENT_CANONICALIZER(text_in, text_in_len, text_out, cur_index_p) \
@@ -710,11 +729,19 @@
#define WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ 8192
#endif
extern __attribute__((error("uncallable fencepost"))) int __wc_text_start(void);
extern __attribute__((error("uncallable fencepost"))) int __wc_text_end(void);
#ifdef HAVE_FIPS
static_assert(__builtin_types_compatible_p(typeof(__wc_text_start), typeof(wolfCrypt_FIPS_first)));
static_assert(__builtin_types_compatible_p(typeof(__wc_text_end), typeof(wolfCrypt_FIPS_last)));
#endif
extern const unsigned int __wc_rodata_start[], __wc_rodata_end[];
#ifdef HAVE_FIPS
static_assert(__builtin_types_compatible_p(typeof(__wc_rodata_start), typeof(wolfCrypt_FIPS_ro_start)));
static_assert(__builtin_types_compatible_p(typeof(__wc_rodata_end), typeof(wolfCrypt_FIPS_ro_end)));
#endif
extern const u8
__wc_text_start[],
__wc_text_end[],
__wc_rodata_start[],
__wc_rodata_end[],
__wc_rwdata_start[],
__wc_rwdata_end[],
__wc_bss_start[],
@@ -726,9 +753,6 @@
size_t text_in_len,
u8 *text_out,
ssize_t *cur_index_p);
#endif /* HAVE_LINUXKM_PIE_SUPPORT */
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
#ifdef CONFIG_MIPS
#undef __ARCH_MEMCMP_NO_REDIRECT
@@ -883,51 +907,70 @@
#ifdef HAVE_FIPS
typeof(wolfCrypt_FIPS_first) *wolfCrypt_FIPS_first;
typeof(wolfCrypt_FIPS_last) *wolfCrypt_FIPS_last;
typeof(wolfCrypt_FIPS_ro_start) *wolfCrypt_FIPS_ro_start;
typeof(wolfCrypt_FIPS_ro_end) *wolfCrypt_FIPS_ro_end;
#if FIPS_VERSION3_GE(6,0,0)
#ifndef NO_AES
typeof(wolfCrypt_FIPS_AES_sanity) *wolfCrypt_FIPS_AES_sanity;
typeof(wolfCrypt_FIPS_aes_ro_sanity) *wolfCrypt_FIPS_aes_ro_sanity;
#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT)
typeof(wolfCrypt_FIPS_CMAC_sanity) *wolfCrypt_FIPS_CMAC_sanity;
typeof(wolfCrypt_FIPS_cmac_ro_sanity) *wolfCrypt_FIPS_cmac_ro_sanity;
#endif
#endif
#ifndef NO_DH
typeof(wolfCrypt_FIPS_DH_sanity) *wolfCrypt_FIPS_DH_sanity;
typeof(wolfCrypt_FIPS_dh_ro_sanity) *wolfCrypt_FIPS_dh_ro_sanity;
#endif
#ifdef HAVE_ECC
typeof(wolfCrypt_FIPS_ECC_sanity) *wolfCrypt_FIPS_ECC_sanity;
typeof(wolfCrypt_FIPS_ecc_ro_sanity) *wolfCrypt_FIPS_ecc_ro_sanity;
#endif
#ifdef HAVE_ED25519
typeof(wolfCrypt_FIPS_ED25519_sanity) *wolfCrypt_FIPS_ED25519_sanity;
typeof(wolfCrypt_FIPS_ed25519_ro_sanity) *wolfCrypt_FIPS_ed25519_ro_sanity;
#endif
#ifdef HAVE_ED448
typeof(wolfCrypt_FIPS_ED448_sanity) *wolfCrypt_FIPS_ED448_sanity;
typeof(wolfCrypt_FIPS_ed448_ro_sanity) *wolfCrypt_FIPS_ed448_ro_sanity;
#endif
typeof(wolfCrypt_FIPS_HMAC_sanity) *wolfCrypt_FIPS_HMAC_sanity;
typeof(wolfCrypt_FIPS_hmac_ro_sanity) *wolfCrypt_FIPS_hmac_ro_sanity;
#ifndef NO_KDF
typeof(wolfCrypt_FIPS_KDF_sanity) *wolfCrypt_FIPS_KDF_sanity;
typeof(wolfCrypt_FIPS_kdf_ro_sanity) *wolfCrypt_FIPS_kdf_ro_sanity;
#endif
#ifdef HAVE_PBKDF2
typeof(wolfCrypt_FIPS_PBKDF_sanity) *wolfCrypt_FIPS_PBKDF_sanity;
typeof(wolfCrypt_FIPS_pbkdf_ro_sanity) *wolfCrypt_FIPS_pbkdf_ro_sanity;
#endif
#ifdef HAVE_HASHDRBG
typeof(wolfCrypt_FIPS_DRBG_sanity) *wolfCrypt_FIPS_DRBG_sanity;
typeof(wolfCrypt_FIPS_drbg_ro_sanity) *wolfCrypt_FIPS_drbg_ro_sanity;
#endif
#ifndef NO_RSA
typeof(wolfCrypt_FIPS_RSA_sanity) *wolfCrypt_FIPS_RSA_sanity;
typeof(wolfCrypt_FIPS_rsa_ro_sanity) *wolfCrypt_FIPS_rsa_ro_sanity;
#endif
#ifndef NO_SHA
typeof(wolfCrypt_FIPS_SHA_sanity) *wolfCrypt_FIPS_SHA_sanity;
typeof(wolfCrypt_FIPS_sha_ro_sanity) *wolfCrypt_FIPS_sha_ro_sanity;
#endif
#ifndef NO_SHA256
typeof(wolfCrypt_FIPS_SHA256_sanity) *wolfCrypt_FIPS_SHA256_sanity;
typeof(wolfCrypt_FIPS_sha256_ro_sanity) *wolfCrypt_FIPS_sha256_ro_sanity;
#endif
#ifdef WOLFSSL_SHA512
typeof(wolfCrypt_FIPS_SHA512_sanity) *wolfCrypt_FIPS_SHA512_sanity;
typeof(wolfCrypt_FIPS_sha512_ro_sanity) *wolfCrypt_FIPS_sha512_ro_sanity;
#endif
#ifdef WOLFSSL_SHA3
typeof(wolfCrypt_FIPS_SHA3_sanity) *wolfCrypt_FIPS_SHA3_sanity;
typeof(wolfCrypt_FIPS_sha3_ro_sanity) *wolfCrypt_FIPS_sha3_ro_sanity;
#endif
typeof(wolfCrypt_FIPS_FT_sanity) *wolfCrypt_FIPS_FT_sanity;
typeof(wolfCrypt_FIPS_ft_ro_sanity) *wolfCrypt_FIPS_ft_ro_sanity;
typeof(wolfCrypt_FIPS_f_ro_sanity) *wolfCrypt_FIPS_f_ro_sanity;
typeof(wc_RunAllCast_fips) *wc_RunAllCast_fips;
#endif
#endif
@@ -999,179 +1042,185 @@
extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
#if defined(WC_LKM_INDIRECT_SYM)
#if defined(WC_PIE_INDIRECT_SYM)
/* keep user-supplied override definition. */
#elif defined(WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY) || \
defined(WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ)
#elif defined(WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY) || \
defined(WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ)
/* keep user-supplied override method. */
#elif defined(CONFIG_X86)
#define WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ
#define WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ
#elif defined(CONFIG_ARM64)
/* direct access to wolfssl_linuxkm_pie_redirect_table.x on aarch64
* produces GOT relocations, e.g. R_AARCH64_LD64_GOT_LO12_NC.
*/
#define WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY
#define WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY
#else
/* for other archs, by default use the safe way. */
#define WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY
#define WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY
#endif
#if defined(WC_LKM_INDIRECT_SYM)
#if defined(WC_PIE_INDIRECT_SYM)
/* keep user-supplied override definition. */
#elif defined(WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY)
#define WC_LKM_INDIRECT_SYM(x) (wolfssl_linuxkm_get_pie_redirect_table()->x)
#elif defined(WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ)
#define WC_LKM_INDIRECT_SYM(x) (wolfssl_linuxkm_pie_redirect_table.x)
#elif defined(WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY)
static const struct wolfssl_linuxkm_pie_redirect_table *wolfssl_linuxkm_pie_redirect_table_local_ptr = NULL;
static inline const struct wolfssl_linuxkm_pie_redirect_table *wolfssl_linuxkm_get_pie_redirect_table_local(void) {
if (wolfssl_linuxkm_pie_redirect_table_local_ptr == NULL)
wolfssl_linuxkm_pie_redirect_table_local_ptr = wolfssl_linuxkm_get_pie_redirect_table();
return wolfssl_linuxkm_pie_redirect_table_local_ptr;
}
#define WC_PIE_INDIRECT_SYM(x) (wolfssl_linuxkm_get_pie_redirect_table_local()->x)
#elif defined(WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ)
#define WC_PIE_INDIRECT_SYM(x) (wolfssl_linuxkm_pie_redirect_table.x)
#else
#error no WC_LKM_INDIRECT_SYM method defined.
#error no WC_PIE_INDIRECT_SYM method defined.
#endif
#ifdef __PIE__
#define wc_linuxkm_normalize_relocations \
WC_LKM_INDIRECT_SYM(wc_linuxkm_normalize_relocations)
WC_PIE_INDIRECT_SYM(wc_linuxkm_normalize_relocations)
#ifndef __ARCH_MEMCMP_NO_REDIRECT
#define memcmp WC_LKM_INDIRECT_SYM(memcmp)
#define memcmp WC_PIE_INDIRECT_SYM(memcmp)
#endif
#ifndef __ARCH_MEMCPY_NO_REDIRECT
#define memcpy WC_LKM_INDIRECT_SYM(memcpy)
#define memcpy WC_PIE_INDIRECT_SYM(memcpy)
#endif
#ifndef __ARCH_MEMSET_NO_REDIRECT
#define memset WC_LKM_INDIRECT_SYM(memset)
#define memset WC_PIE_INDIRECT_SYM(memset)
#endif
#ifndef __ARCH_MEMMOVE_NO_REDIRECT
#define memmove WC_LKM_INDIRECT_SYM(memmove)
#define memmove WC_PIE_INDIRECT_SYM(memmove)
#endif
#ifndef __ARCH_STRCMP_NO_REDIRECT
#define strcmp WC_LKM_INDIRECT_SYM(strcmp)
#define strcmp WC_PIE_INDIRECT_SYM(strcmp)
#endif
#ifndef __ARCH_STRNCMP_NO_REDIRECT
#define strncmp WC_LKM_INDIRECT_SYM(strncmp)
#define strncmp WC_PIE_INDIRECT_SYM(strncmp)
#endif
#ifndef __ARCH_STRCASECMP_NO_REDIRECT
#define strcasecmp WC_LKM_INDIRECT_SYM(strcasecmp)
#define strcasecmp WC_PIE_INDIRECT_SYM(strcasecmp)
#endif
#ifndef __ARCH_STRNCASECMP_NO_REDIRECT
#define strncasecmp WC_LKM_INDIRECT_SYM(strncasecmp)
#define strncasecmp WC_PIE_INDIRECT_SYM(strncasecmp)
#endif
#ifndef __ARCH_STRLEN_NO_REDIRECT
#define strlen WC_LKM_INDIRECT_SYM(strlen)
#define strlen WC_PIE_INDIRECT_SYM(strlen)
#endif
#ifndef __ARCH_STRSTR_NO_REDIRECT
#define strstr WC_LKM_INDIRECT_SYM(strstr)
#define strstr WC_PIE_INDIRECT_SYM(strstr)
#endif
#ifndef __ARCH_STRNCPY_NO_REDIRECT
#define strncpy WC_LKM_INDIRECT_SYM(strncpy)
#define strncpy WC_PIE_INDIRECT_SYM(strncpy)
#endif
#ifndef __ARCH_STRNCAT_NO_REDIRECT
#define strncat WC_LKM_INDIRECT_SYM(strncat)
#define strncat WC_PIE_INDIRECT_SYM(strncat)
#endif
#define kstrtoll WC_LKM_INDIRECT_SYM(kstrtoll)
#define kstrtoll WC_PIE_INDIRECT_SYM(kstrtoll)
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)) || \
(defined(RHEL_MAJOR) && \
((RHEL_MAJOR > 9) || ((RHEL_MAJOR == 9) && (RHEL_MINOR >= 5))))
#define _printk WC_LKM_INDIRECT_SYM(_printk)
#define _printk WC_PIE_INDIRECT_SYM(_printk)
#else
#define printk WC_LKM_INDIRECT_SYM(printk)
#define printk WC_PIE_INDIRECT_SYM(printk)
#endif
#ifdef CONFIG_FORTIFY_SOURCE
#define __warn_printk WC_LKM_INDIRECT_SYM(__warn_printk)
#define __warn_printk WC_PIE_INDIRECT_SYM(__warn_printk)
#endif
#define snprintf WC_LKM_INDIRECT_SYM(snprintf)
#define snprintf WC_PIE_INDIRECT_SYM(snprintf)
#define _ctype WC_LKM_INDIRECT_SYM(_ctype)
#define _ctype WC_PIE_INDIRECT_SYM(_ctype)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 18, 0)
/* see include/linux/alloc_tag.h and include/linux/slab.h */
#define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_node_align_noprof WC_LKM_INDIRECT_SYM(krealloc_node_align_noprof)
#define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof)
#define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof)
#define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof)
#define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_node_align_noprof WC_PIE_INDIRECT_SYM(krealloc_node_align_noprof)
#define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof)
#define __kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(__kvmalloc_node_noprof)
#define __kmalloc_cache_noprof WC_PIE_INDIRECT_SYM(__kmalloc_cache_noprof)
#ifdef HAVE_KVREALLOC
#define kvrealloc_node_align_noprof WC_LKM_INDIRECT_SYM(kvrealloc_node_align_noprof)
#define kvrealloc_node_align_noprof WC_PIE_INDIRECT_SYM(kvrealloc_node_align_noprof)
#endif
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
/* see include/linux/alloc_tag.h and include/linux/slab.h */
#define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof)
#define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof)
#define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof)
#define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof)
#define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_noprof WC_PIE_INDIRECT_SYM(krealloc_noprof)
#define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof)
#define __kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(__kvmalloc_node_noprof)
#define __kmalloc_cache_noprof WC_PIE_INDIRECT_SYM(__kmalloc_cache_noprof)
#ifdef HAVE_KVREALLOC
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof)
#define kvrealloc_noprof WC_PIE_INDIRECT_SYM(kvrealloc_noprof)
#endif
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
/* see include/linux/alloc_tag.h and include/linux/slab.h */
#define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof)
#define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof)
#define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof)
#define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof)
#define kmalloc_noprof WC_PIE_INDIRECT_SYM(kmalloc_noprof)
#define krealloc_noprof WC_PIE_INDIRECT_SYM(krealloc_noprof)
#define kzalloc_noprof WC_PIE_INDIRECT_SYM(kzalloc_noprof)
#define kvmalloc_node_noprof WC_PIE_INDIRECT_SYM(kvmalloc_node_noprof)
#define kmalloc_trace_noprof WC_PIE_INDIRECT_SYM(kmalloc_trace_noprof)
#ifdef HAVE_KVREALLOC
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof)
#define kvrealloc_noprof WC_PIE_INDIRECT_SYM(kvrealloc_noprof)
#endif
#else /* <6.10.0 */
#define kmalloc WC_LKM_INDIRECT_SYM(kmalloc)
#define krealloc WC_LKM_INDIRECT_SYM(krealloc)
#define kmalloc WC_PIE_INDIRECT_SYM(kmalloc)
#define krealloc WC_PIE_INDIRECT_SYM(krealloc)
#define kzalloc(size, flags) kmalloc(size, (flags) | __GFP_ZERO)
#ifdef HAVE_KVMALLOC
#define kvmalloc_node WC_LKM_INDIRECT_SYM(kvmalloc_node)
#define kvmalloc_node WC_PIE_INDIRECT_SYM(kvmalloc_node)
#endif
#ifdef HAVE_KVREALLOC
#define kvrealloc WC_LKM_INDIRECT_SYM(kvrealloc)
#define kvrealloc WC_PIE_INDIRECT_SYM(kvrealloc)
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) || \
(defined(RHEL_MAJOR) && \
((RHEL_MAJOR > 9) || ((RHEL_MAJOR == 9) && (RHEL_MINOR >= 5))))
#define kmalloc_trace WC_LKM_INDIRECT_SYM(kmalloc_trace)
#define kmalloc_trace WC_PIE_INDIRECT_SYM(kmalloc_trace)
#else
#define kmem_cache_alloc_trace WC_LKM_INDIRECT_SYM(kmem_cache_alloc_trace)
#define kmalloc_order_trace WC_LKM_INDIRECT_SYM(kmalloc_order_trace)
#define kmem_cache_alloc_trace WC_PIE_INDIRECT_SYM(kmem_cache_alloc_trace)
#define kmalloc_order_trace WC_PIE_INDIRECT_SYM(kmalloc_order_trace)
#endif
#endif /* <6.10.0 */
#define kfree WC_LKM_INDIRECT_SYM(kfree)
#define kfree WC_PIE_INDIRECT_SYM(kfree)
#ifdef HAVE_KVMALLOC
#define kvfree WC_LKM_INDIRECT_SYM(kvfree)
#define kvfree WC_PIE_INDIRECT_SYM(kvfree)
#endif
#define ksize WC_LKM_INDIRECT_SYM(ksize)
#define ksize WC_PIE_INDIRECT_SYM(ksize)
#define get_random_bytes WC_LKM_INDIRECT_SYM(get_random_bytes)
#define get_random_bytes WC_PIE_INDIRECT_SYM(get_random_bytes)
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
#define getnstimeofday WC_LKM_INDIRECT_SYM(getnstimeofday)
#define getnstimeofday WC_PIE_INDIRECT_SYM(getnstimeofday)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
#define current_kernel_time64 WC_LKM_INDIRECT_SYM(current_kernel_time64)
#define current_kernel_time64 WC_PIE_INDIRECT_SYM(current_kernel_time64)
#else
#define ktime_get_coarse_real_ts64 WC_LKM_INDIRECT_SYM(ktime_get_coarse_real_ts64)
#define ktime_get_coarse_real_ts64 WC_PIE_INDIRECT_SYM(ktime_get_coarse_real_ts64)
#endif
#undef get_current
#define get_current WC_LKM_INDIRECT_SYM(get_current)
#define get_current WC_PIE_INDIRECT_SYM(get_current)
#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
#define allocate_wolfcrypt_linuxkm_fpu_states WC_LKM_INDIRECT_SYM(allocate_wolfcrypt_linuxkm_fpu_states)
#define wc_can_save_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_can_save_vector_registers_x86)
#define free_wolfcrypt_linuxkm_fpu_states WC_LKM_INDIRECT_SYM(free_wolfcrypt_linuxkm_fpu_states)
#define wc_restore_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_restore_vector_registers_x86)
#define wc_save_vector_registers_x86 WC_LKM_INDIRECT_SYM(wc_save_vector_registers_x86)
#define allocate_wolfcrypt_linuxkm_fpu_states WC_PIE_INDIRECT_SYM(allocate_wolfcrypt_linuxkm_fpu_states)
#define wc_can_save_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_can_save_vector_registers_x86)
#define free_wolfcrypt_linuxkm_fpu_states WC_PIE_INDIRECT_SYM(free_wolfcrypt_linuxkm_fpu_states)
#define wc_restore_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_restore_vector_registers_x86)
#define wc_save_vector_registers_x86 WC_PIE_INDIRECT_SYM(wc_save_vector_registers_x86)
#elif defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS)
#error WOLFSSL_USE_SAVE_VECTOR_REGISTERS is set for an unimplemented architecture.
#endif /* WOLFSSL_USE_SAVE_VECTOR_REGISTERS */
#define __mutex_init WC_LKM_INDIRECT_SYM(__mutex_init)
#define __mutex_init WC_PIE_INDIRECT_SYM(__mutex_init)
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
#define mutex_lock_nested WC_LKM_INDIRECT_SYM(mutex_lock_nested)
#define mutex_lock_nested WC_PIE_INDIRECT_SYM(mutex_lock_nested)
#else
#define mutex_lock WC_LKM_INDIRECT_SYM(mutex_lock)
#define mutex_lock WC_PIE_INDIRECT_SYM(mutex_lock)
#endif
#define mutex_unlock WC_LKM_INDIRECT_SYM(mutex_unlock)
#define mutex_unlock WC_PIE_INDIRECT_SYM(mutex_unlock)
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
#define mutex_destroy WC_LKM_INDIRECT_SYM(mutex_destroy)
#define mutex_destroy WC_PIE_INDIRECT_SYM(mutex_destroy)
#endif
/* per linux/ctype.h, tolower() and toupper() are macros bound to static inlines
@@ -1184,59 +1233,59 @@
#define toupper(c) (isupper(c) ? (c) : ((c) - ('a'-'A')))
#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
#define GetCA WC_LKM_INDIRECT_SYM(GetCA)
#define GetCA WC_PIE_INDIRECT_SYM(GetCA)
#ifndef NO_SKID
#define GetCAByName WC_LKM_INDIRECT_SYM(GetCAByName)
#define GetCAByName WC_PIE_INDIRECT_SYM(GetCAByName)
#ifdef HAVE_OCSP
#define GetCAByKeyHash WC_LKM_INDIRECT_SYM(GetCAByKeyHash)
#define GetCAByKeyHash WC_PIE_INDIRECT_SYM(GetCAByKeyHash)
#endif /* HAVE_OCSP */
#endif /* NO_SKID */
#ifdef WOLFSSL_AKID_NAME
#define GetCAByAKID WC_LKM_INDIRECT_SYM(GetCAByAKID)
#define GetCAByAKID WC_PIE_INDIRECT_SYM(GetCAByAKID)
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
#define wolfSSL_X509_NAME_add_entry_by_NID WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_add_entry_by_NID)
#define wolfSSL_X509_NAME_free WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_free)
#define wolfSSL_X509_NAME_new_ex WC_LKM_INDIRECT_SYM(wolfSSL_X509_NAME_new_ex)
#define wolfSSL_X509_NAME_add_entry_by_NID WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_add_entry_by_NID)
#define wolfSSL_X509_NAME_free WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_free)
#define wolfSSL_X509_NAME_new_ex WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_new_ex)
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
#endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
#ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES
#define dump_stack WC_LKM_INDIRECT_SYM(dump_stack)
#define dump_stack WC_PIE_INDIRECT_SYM(dump_stack)
#endif
#undef preempt_count /* just in case -- not a macro on x86. */
#define preempt_count WC_LKM_INDIRECT_SYM(preempt_count)
#define preempt_count WC_PIE_INDIRECT_SYM(preempt_count)
#ifndef WOLFSSL_LINUXKM_USE_MUTEXES
#ifndef _raw_spin_lock_irqsave
#define _raw_spin_lock_irqsave WC_LKM_INDIRECT_SYM(_raw_spin_lock_irqsave)
#define _raw_spin_lock_irqsave WC_PIE_INDIRECT_SYM(_raw_spin_lock_irqsave)
#endif
#ifndef _raw_spin_trylock
#define _raw_spin_trylock WC_LKM_INDIRECT_SYM(_raw_spin_trylock)
#define _raw_spin_trylock WC_PIE_INDIRECT_SYM(_raw_spin_trylock)
#endif
#ifndef _raw_spin_unlock_irqrestore
#define _raw_spin_unlock_irqrestore WC_LKM_INDIRECT_SYM(_raw_spin_unlock_irqrestore)
#define _raw_spin_unlock_irqrestore WC_PIE_INDIRECT_SYM(_raw_spin_unlock_irqrestore)
#endif
#endif
#define _cond_resched WC_LKM_INDIRECT_SYM(_cond_resched)
#define _cond_resched WC_PIE_INDIRECT_SYM(_cond_resched)
/* this is defined in linux/spinlock.h as an inline that calls the unshimmed
* raw_spin_unlock_irqrestore(). use a macro here to supersede it.
*/
#define spin_unlock_irqrestore(lock, flags) raw_spin_unlock_irqrestore(&((lock)->rlock), flags)
#define wc_linuxkm_sig_ignore_begin WC_LKM_INDIRECT_SYM(wc_linuxkm_sig_ignore_begin);
#define wc_linuxkm_sig_ignore_end WC_LKM_INDIRECT_SYM(wc_linuxkm_sig_ignore_end);
#define wc_linuxkm_check_for_intr_signals WC_LKM_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals)
#define wc_linuxkm_relax_long_loop WC_LKM_INDIRECT_SYM(wc_linuxkm_relax_long_loop)
#define wc_linuxkm_sig_ignore_begin WC_PIE_INDIRECT_SYM(wc_linuxkm_sig_ignore_begin);
#define wc_linuxkm_sig_ignore_end WC_PIE_INDIRECT_SYM(wc_linuxkm_sig_ignore_end);
#define wc_linuxkm_check_for_intr_signals WC_PIE_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals)
#define wc_linuxkm_relax_long_loop WC_PIE_INDIRECT_SYM(wc_linuxkm_relax_long_loop)
#endif /* __PIE__ */
#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
#endif /* WC_PIE_RELOC_TABLES */
/* remove this multifariously conflicting macro, picked up from
* Linux arch/<arch>/include/asm/current.h.
@@ -1396,7 +1445,7 @@
*/
static __always_inline int wc_LockMutex(wolfSSL_Mutex *m)
{
return WC_LKM_INDIRECT_SYM(wc_lkm_LockMutex)(m);
return WC_PIE_INDIRECT_SYM(wc_lkm_LockMutex)(m);
}
#else /* !__PIE__ */
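Review bot: In the last group of defines before `#endif /* __PIE__ */`, the renamed `wc_linuxkm_sig_ignore_begin` and `wc_linuxkm_sig_ignore_end` macros still end in a `;` inside the definition. A use such as `wc_linuxkm_sig_ignore_begin(x)` then expands to the table member followed by `;(x)`, so the function pointer is evaluated but never called. Since the commit rewrites both lines anyway, drop the semicolons: `#define wc_linuxkm_sig_ignore_begin WC_PIE_INDIRECT_SYM(wc_linuxkm_sig_ignore_begin)` and the same for `wc_linuxkm_sig_ignore_end`. The neighbouring `wc_linuxkm_check_for_intr_signals` and `wc_linuxkm_relax_long_loop` defines already have that form.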


@@ -89,7 +89,7 @@ static int libwolfssl_cleanup(void) {
extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
#endif
#ifdef HAVE_LINUXKM_PIE_SUPPORT
#ifdef WC_PIE_RELOC_TABLES
#ifdef DEBUG_LINUXKM_PIE_SUPPORT
@@ -113,17 +113,17 @@ static int total_text_r = 0, total_rodata_r = 0, total_rwdata_r = 0,
#endif /* DEBUG_LINUXKM_PIE_SUPPORT */
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
#ifdef WC_PIE_RELOC_TABLES
extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
#endif /* WC_PIE_RELOC_TABLES */
#ifdef HAVE_FIPS
extern const unsigned int wolfCrypt_FIPS_ro_start[];
extern const unsigned int wolfCrypt_FIPS_ro_end[];
#endif
#endif /* HAVE_LINUXKM_PIE_SUPPORT */
#endif /* WC_PIE_RELOC_TABLES */
#ifdef HAVE_FIPS
static void lkmFipsCb(int ok, int err, const char* hash)
@@ -491,13 +491,13 @@ static int wolfssl_init(void)
#endif /* HAVE_FIPS */
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
#ifdef WC_PIE_RELOC_TABLES
ret = set_up_wolfssl_linuxkm_pie_redirect_table();
if (ret < 0)
return ret;
#endif
#if defined(HAVE_FIPS) && defined(HAVE_LINUXKM_PIE_SUPPORT)
#if defined(HAVE_FIPS) && defined(WC_PIE_RELOC_TABLES)
if (((uintptr_t)__wc_text_start > (uintptr_t)wolfCrypt_FIPS_first) ||
((uintptr_t)__wc_text_end < (uintptr_t)wolfCrypt_FIPS_last) ||
((uintptr_t)__wc_rodata_start > (uintptr_t)wolfCrypt_FIPS_ro_start) ||
@@ -508,7 +508,7 @@ static int wolfssl_init(void)
}
#endif
#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
/* see linux commit ac3b432839 */
@@ -529,11 +529,11 @@ static int wolfssl_init(void)
#endif
{
unsigned int text_hash = hash_span(__wc_text_start, __wc_text_end, 1);
unsigned int rodata_hash = hash_span(__wc_rodata_start, __wc_rodata_end, 1);
unsigned int text_hash = hash_span((const u8 *)__wc_text_start, (const u8 *)__wc_text_end, 1);
unsigned int rodata_hash = hash_span((const u8 *)__wc_rodata_start, (const u8 *)__wc_rodata_end, 1);
u8 *canon_buf = malloc(WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ);
ssize_t cur_reloc_index = -1;
const byte *text_p = __wc_text_start;
const u8 *text_p = (const u8 *)__wc_text_start;
unsigned int stabilized_text_hash = 1;
if (! canon_buf) {
@@ -544,12 +544,12 @@ static int wolfssl_init(void)
total_text_r = total_rodata_r = total_rwdata_r = total_bss_r =
total_other_r = 0;
while (text_p < __wc_text_end) {
while (text_p < (const u8 *)__wc_text_end) {
ssize_t progress =
WOLFSSL_TEXT_SEGMENT_CANONICALIZER(
text_p,
min(WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ,
(word32)(__wc_text_end - text_p)),
(word32)((const u8 *)__wc_text_end - text_p)),
canon_buf, &cur_reloc_index);
if (progress <= 0) {
pr_err("ERROR: progress=%ld from WOLFSSL_TEXT_SEGMENT_CANONICALIZER() at offset %x (text=%x-%x).\n",
@@ -572,10 +572,10 @@ static int wolfssl_init(void)
* attacker.
*/
pr_info("wolfCrypt segment hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx, canon text 0x%x\n",
text_hash, __wc_text_end - __wc_text_start,
text_hash, (uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start,
rodata_hash, __wc_rodata_end - __wc_rodata_start,
&__wc_text_start[0] < &__wc_rodata_start[0] ? '+' : '-',
&__wc_text_start[0] < &__wc_rodata_start[0] ? &__wc_rodata_start[0] - &__wc_text_start[0] : &__wc_text_start[0] - &__wc_rodata_start[0],
(uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? '+' : '-',
(uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? (uintptr_t)&__wc_rodata_start[0] - (uintptr_t)__wc_text_start : (uintptr_t)__wc_text_start - (uintptr_t)&__wc_rodata_start[0],
stabilized_text_hash);
pr_info("wolfCrypt segments: text=%x-%x, rodata=%x-%x, "
@@ -593,7 +593,7 @@ static int wolfssl_init(void)
total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
}
#endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */
#endif /* WC_PIE_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */
#ifdef HAVE_FIPS
ret = wolfCrypt_SetCb_fips(lkmFipsCb);
@@ -602,7 +602,7 @@ static int wolfssl_init(void)
return -ECANCELED;
}
#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
total_text_r = total_rodata_r = total_rwdata_r = total_bss_r =
total_other_r = 0;
#endif
@@ -614,7 +614,7 @@ static int wolfssl_init(void)
else
pr_err("ERROR: WC_SIG_IGNORE_BEGIN() failed.\n");
#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
pr_info("FIPS-bounded relocation normalizations: text=%d, rodata=%d, rwdata=%d, bss=%d, other=%d\n",
total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
#endif
@@ -859,9 +859,7 @@ MODULE_AUTHOR("https://www.wolfssl.com/");
MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
#ifdef HAVE_LINUXKM_PIE_SUPPORT
#include "linuxkm/wc_linuxkm_pie_reloc_tab.c"
#ifdef WC_PIE_RELOC_TABLES
static inline int find_reloc_tab_offset(size_t text_in_offset) {
int ret, hop;
@@ -936,8 +934,8 @@ ssize_t wc_linuxkm_normalize_relocations(
#endif
if ((text_in_len == 0) ||
(text_in < __wc_text_start) ||
(text_in + text_in_len > __wc_text_end))
((uintptr_t)text_in < (uintptr_t)__wc_text_start) ||
((uintptr_t)(text_in + text_in_len) > (uintptr_t)__wc_text_end))
{
#ifdef DEBUG_LINUXKM_PIE_SUPPORT
pr_err("ERROR: %s returning -1 at L %d with span %x-%x versus segment %x-%x.\n", __FUNCTION__, __LINE__, (unsigned)(uintptr_t)text_in, (unsigned)(uintptr_t)(text_in + text_in_len), (unsigned)(uintptr_t)__wc_text_start, (unsigned)(uintptr_t)__wc_text_end);
@@ -1109,10 +1107,6 @@ ssize_t wc_linuxkm_normalize_relocations(
return (ssize_t)text_in_len;
}
#endif /* HAVE_LINUXKM_PIE_SUPPORT */
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
/* get_current() is an inline or macro, depending on the target -- sidestep the
* whole issue with a wrapper func.
*/
@@ -1284,71 +1278,129 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
#endif
#ifdef HAVE_FIPS
#ifdef WC_USE_PIE_FENCEPOSTS_FOR_FIPS
/* use __wc_text_start and __wc_text_end, not wolfCrypt_FIPS_first and
* wolfCrypt_FIPS_last, thereby including the whole container in the HMAC
* span. Note there are runtime asserts at entry to wolfssl_init() above
* confirming that __wc_*_{start,end} correctly contain the wolfCrypt_FIPS_*
* fenceposts.
*/
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
__wc_text_start;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
__wc_text_end;
/* ditto for wolfCrypt_FIPS_ro_start and wolfCrypt_FIPS_ro_end. */
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_start =
&__wc_rodata_start;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_end =
&__wc_rodata_end;
#else
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
wolfCrypt_FIPS_first;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
wolfCrypt_FIPS_last;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_start =
&wolfCrypt_FIPS_ro_start;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ro_end =
&wolfCrypt_FIPS_ro_end;
#endif
#if FIPS_VERSION3_GE(6,0,0)
#ifndef NO_AES
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity =
wolfCrypt_FIPS_AES_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_aes_ro_sanity =
&wolfCrypt_FIPS_aes_ro_sanity;
#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT)
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity =
wolfCrypt_FIPS_CMAC_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_cmac_ro_sanity =
&wolfCrypt_FIPS_cmac_ro_sanity;
#endif
#endif
#ifndef NO_DH
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity =
wolfCrypt_FIPS_DH_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_dh_ro_sanity =
&wolfCrypt_FIPS_dh_ro_sanity;
#endif
#ifdef HAVE_ECC
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity =
wolfCrypt_FIPS_ECC_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ecc_ro_sanity =
&wolfCrypt_FIPS_ecc_ro_sanity;
#endif
#ifdef HAVE_ED25519
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity =
wolfCrypt_FIPS_ED25519_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ed25519_ro_sanity =
&wolfCrypt_FIPS_ed25519_ro_sanity;
#endif
#ifdef HAVE_ED448
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity =
wolfCrypt_FIPS_ED448_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ed448_ro_sanity =
&wolfCrypt_FIPS_ed448_ro_sanity;
#endif
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity =
wolfCrypt_FIPS_HMAC_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_hmac_ro_sanity =
&wolfCrypt_FIPS_hmac_ro_sanity;
#ifndef NO_KDF
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity =
wolfCrypt_FIPS_KDF_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_kdf_ro_sanity =
&wolfCrypt_FIPS_kdf_ro_sanity;
#endif
#ifdef HAVE_PBKDF2
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity =
wolfCrypt_FIPS_PBKDF_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_pbkdf_ro_sanity =
&wolfCrypt_FIPS_pbkdf_ro_sanity;
#endif
#ifdef HAVE_HASHDRBG
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity =
wolfCrypt_FIPS_DRBG_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_drbg_ro_sanity =
&wolfCrypt_FIPS_drbg_ro_sanity;
#endif
#ifndef NO_RSA
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity =
wolfCrypt_FIPS_RSA_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_rsa_ro_sanity =
&wolfCrypt_FIPS_rsa_ro_sanity;
#endif
#ifndef NO_SHA
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity =
wolfCrypt_FIPS_SHA_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha_ro_sanity =
&wolfCrypt_FIPS_sha_ro_sanity;
#endif
#ifndef NO_SHA256
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity =
wolfCrypt_FIPS_SHA256_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha256_ro_sanity =
&wolfCrypt_FIPS_sha256_ro_sanity;
#endif
#ifdef WOLFSSL_SHA512
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity =
wolfCrypt_FIPS_SHA512_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha512_ro_sanity =
&wolfCrypt_FIPS_sha512_ro_sanity;
#endif
#ifdef WOLFSSL_SHA3
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity =
wolfCrypt_FIPS_SHA3_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_sha3_ro_sanity =
&wolfCrypt_FIPS_sha3_ro_sanity;
#endif
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity =
wolfCrypt_FIPS_FT_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ft_ro_sanity =
&wolfCrypt_FIPS_ft_ro_sanity;
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_f_ro_sanity =
&wolfCrypt_FIPS_f_ro_sanity;
wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips =
wc_RunAllCast_fips;
#endif
@@ -1421,7 +1473,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
return 0;
}
#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
#endif /* WC_PIE_RELOC_TABLES */
#ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
@@ -1457,11 +1509,17 @@ static int updateFipsHash(void)
byte *binCoreKey = NULL;
byte *binVerify = NULL;
#ifdef WC_USE_PIE_FENCEPOSTS_FOR_FIPS
fips_address_function first = __wc_text_start;
fips_address_function last = __wc_text_end;
char* start = (char*)__wc_rodata_start;
char* end = (char*)__wc_rodata_end;
#else
fips_address_function first = wolfCrypt_FIPS_first;
fips_address_function last = wolfCrypt_FIPS_last;
char* start = (char*)wolfCrypt_FIPS_ro_start;
char* end = (char*)wolfCrypt_FIPS_ro_end;
#endif
unsigned long code_sz = (unsigned long)last - (unsigned long)first;
unsigned long data_sz = (unsigned long)end - (unsigned long)start;
@@ -1550,7 +1608,7 @@ static int updateFipsHash(void)
goto out;
}
#if defined(WOLFSSL_LINUXKM) && defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE)
#if defined(WOLFSSL_LINUXKM) && defined(WC_PIE_RELOC_TABLES)
{
ssize_t cur_reloc_index = -1;
const byte *text_p = (const byte *)first;
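Review bot: The upper-bound test in wc_linuxkm_normalize_relocations(), `((uintptr_t)(text_in + text_in_len) > (uintptr_t)__wc_text_end)`, still forms `text_in + text_in_len` before comparing, so a length large enough to wrap the pointer would yield a small sum and pass the check. This guard is what keeps the relocation normalizer inside the wolfCrypt text segment, so I would compare the length against the remaining span instead: `((uintptr_t)text_in > (uintptr_t)__wc_text_end) ||` followed by `(text_in_len > (uintptr_t)__wc_text_end - (uintptr_t)text_in))`. The call in wolfssl_init(), which presumably reaches this function through WOLFSSL_TEXT_SEGMENT_CANONICALIZER, clamps the length with min(), so this is hardening rather than a demonstrated fault; the function body continues outside the hunk. Separately, the debug pr_info in wolfssl_init() now prints the text span through uintptr_t casts but still prints `__wc_rodata_end - __wc_rodata_start` as a raw pointer difference. If the harmonized rodata fenceposts are no longer byte-typed, that figure is an element count rather than a byte count and should get the same `(uintptr_t)` casts.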