add WOLFSSL_API_PREFIX_MAP -- when defined, exported symbols otherwise missing wc_ or wolfSSL_ prefixes are remapped with the appropriate prefix;

define WOLFSSL_API_PREFIX_MAP in WOLFSSL_LINUXKM setup in settings.h; fix gates on WOLFSSL_HAVE_PRF and WOLFSSL_NO_CT_OPS setup in settings.h; linuxkm/: add support for FIPS_OPTEST.
2025-10-08 13:15:22 -05:00
parent 7c64292851
commit f4d929593f
16 changed files with 285 additions and 19 deletions
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -86,6 +86,10 @@ MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4)))

 libwolfssl-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/module_exports.o

+ifeq "$(FIPS_OPTEST)" "1"
+libwolfssl-y += linuxkm/optest-140-3/linuxkm_optest_wrapper.o
+endif
+
 WOLFSSL_CFLAGS_NO_VECTOR_INSNS := $(CFLAGS_SIMD_DISABLE) $(CFLAGS_FPU_DISABLE)
 ifeq "$(ENABLED_ASM)" "yes"
    WOLFSSL_CFLAGS_YES_VECTOR_INSNS := $(CFLAGS_SIMD_ENABLE) $(CFLAGS_FPU_DISABLE) $(CFLAGS_AUTO_VECTORIZE_DISABLE)
--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -35,6 +35,9 @@ WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(
 ifdef KERNEL_EXTRA_CFLAGS
    WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS)
 endif
+ifeq "$(FIPS_OPTEST)" "1"
+    WOLFSSL_CFLAGS += -DFIPS_OPTEST
+endif

 WOLFSSL_ASFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CCASFLAGS) $(CCASFLAGS)

@@ -130,6 +133,10 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko |				\
 	    print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
 	}'

+ifeq "$(V)" "1"
+    vflag := --verbose
+endif
+
 .PHONY: libwolfssl.ko
 libwolfssl.ko:
 	@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
@@ -137,9 +144,12 @@ libwolfssl.ko:
 	@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
        # after commit 9a0ebe5011 (6.10), sources must be in $(obj).  work around this by making links to all needed sources:
 	@mkdir -p '$(MODULE_TOP)/linuxkm'
-	@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp --verbose --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
-	@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp --verbose --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
-	@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp --verbose --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
+	@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
+	@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
+	@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
+ifeq "$(FIPS_OPTEST)" "1"
+	@test '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' -ef '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm'
+endif
 ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
 	@$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX"))
 	@[[ -f wc_linuxkm_pie_reloc_tab.c ]] || echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
--- a/linuxkm/module_exports.c.template
+++ b/linuxkm/module_exports.c.template
@@ -46,6 +46,7 @@
 #include <wolfssl/wolfcrypt/wc_port.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/types.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
 #include <wolfssl/wolfcrypt/wolfmath.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/md2.h>
--- a/linuxkm/module_hooks.c
+++ b/linuxkm/module_hooks.c
@@ -371,6 +371,10 @@ int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, byte* output, word32 sz)
    #include "linuxkm/x86_vector_register_glue.c"
 #endif

+#ifdef FIPS_OPTEST
+extern int linuxkm_op_test_wrapper(void);
+#endif
+
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
 static int __init wolfssl_init(void)
 #else
@@ -587,6 +591,10 @@ static int wolfssl_init(void)
        );
 #endif /* HAVE_FIPS && FIPS_VERSION3_GT(5,2,0) */

+#ifdef FIPS_OPTEST
+    (void)linuxkm_op_test_wrapper();
+#endif
+
 #ifndef NO_CRYPT_TEST
    ret = wolfcrypt_test(NULL);
    if (ret < 0) {