wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-26 15:12:22 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
wolfEntropy2d
wolfssl/linuxkm/Kbuild

340 lines
12 KiB
Plaintext
Raw Permalink Normal View History

linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
# Linux kernel-native Makefile ("Kbuild") for libwolfssl.ko
#
update copyright date
2025-01-21 09:55:03 -07:00
# Copyright (C) 2006-2025 wolfSSL Inc.
linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
#
# This file is part of wolfSSL.
#
# wolfSSL is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
updating license from GPLv2 to GPLv3
2025-07-10 16:01:52 -06:00
# the Free Software Foundation; either version 3 of the License, or
linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
# (at your option) any later version.
#
# wolfSSL is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
linuxkm/Kbuild and linuxkm/module_exports.c.template: refactor using .ONESHELL, and in recipe for generating linuxkm/module_exports.c, render the namespace with a literal, with or without quotes as dictated by target kernel version. remove EXPORT_SYMBOL_NS_Q(), which didn't work right on old (pre-6.13) kernels with namespace support. wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, define NO_OLD_WC_NAMES, OPENSSL_COEXIST, etc., to avoid collisions with in-tree crypto in application sources that include both wolfssl and linux kernel native headers.
2025-02-23 15:33:46 -06:00
.ONESHELL:
linuxkm: initial support for cross-compilation. also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile. also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
2024-07-16 14:24:37 -05:00
SHELL=bash
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS; linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic(); in lkm_printf() definition, use _printk on >5.15.0; linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to accommodate growth.
2025-04-10 17:23:17 +00:00
ifeq "$(KERNEL_ARCH)" "x86"
KERNEL_ARCH_X86 := yes
else ifeq "$(KERNEL_ARCH)" "x86_64"
KERNEL_ARCH_X86 := yes
else
KERNEL_ARCH_X86 := no
endif
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
ifeq "$(WOLFSSL_OBJ_FILES)" ""
linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
$(error $$WOLFSSL_OBJ_FILES is unset.)
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
endif
ifeq "$(WOLFSSL_CFLAGS)" ""
linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
$(error $$WOLFSSL_CFLAGS is unset.)
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
endif
linuxkm: relocate WOLFSSL_LINUXKM code in wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/memory.c to linuxkm/{linuxkm_wc_port.h,linuxkm_memory.c}, and gate SIMD in IRQ handlers on -DLINUXKM_SIMD_IRQ in prep for Linux 5.16; linuxkm: when -DWOLFCRYPT_ONLY, don't include ssl.h in module_exports.c.template and module_hooks.c, and fix gating to work right with that; wolfssl/wolfcrypt/types.h: add support for a WOLFSSL_XFREE_NO_NULLNESS_CHECK gate (used in cppcheck analysis).
2022-01-07 22:39:38 -06:00
WOLFSSL_CFLAGS += -ffreestanding -Wframe-larger-than=$(MAX_STACK_FRAME_SIZE) -isystem $(shell $(CC) -print-file-name=include)
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS; linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic(); in lkm_printf() definition, use _printk on >5.15.0; linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to accommodate growth.
2025-04-10 17:23:17 +00:00
ifeq "$(KERNEL_ARCH)" "aarch64"
linuxkm: spruce up arch-dependent CFLAGS setup in linuxkm/Kbuild; add "failed:" to error messages in km_AesGcmEncrypt() and km_AesGcmDecrypt().
2024-01-31 11:49:46 -06:00
WOLFSSL_CFLAGS += -mno-outline-atomics
else ifeq "$(KERNEL_ARCH)" "arm64"
WOLFSSL_CFLAGS += -mno-outline-atomics
linuxkm/: fixes for ARMv7, and miscellaneous fixes for Makefile and FIPS logic.
2025-11-19 17:20:14 -06:00
else ifeq "$(KERNEL_ARCH)" "arm"
# avoids R_ARM_THM_JUMP11 relocations, including a stubborn tail recursion
# optimization from wc_sp_cmp to wc_sp_cmp_mag:
WOLFSSL_CFLAGS += -fno-optimize-sibling-calls -Os
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
endif
linuxkm: override-disable SIMD instructions for all .c.o's, with exceptions enumerated in Kbuild (currently only aes.c), and couple -msse with -fno-builtin-functions; export ENABLED_ASM for use as a pivot in Kbuild; use asm/i387.h, not asm/simd.h, for kernel_fpu_{begin,end}() protos.
2020-08-31 18:37:04 -05:00
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
obj-m := libwolfssl.o
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
WOLFSSL_OBJ_TARGETS := $(patsubst %, $(obj)/%, $(WOLFSSL_OBJ_FILES))
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
WOLFCRYPT_PIE_FILES := $(patsubst %, $(obj)/%, $(WOLFCRYPT_PIE_FILES))
endif
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
$(obj)/linuxkm/module_exports.o: $(WOLFSSL_OBJ_TARGETS)
linuxkm: initial support for cross-compilation. also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile. also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
2024-07-16 14:24:37 -05:00
ifndef KERNEL_THREAD_STACK_SIZE
ifdef CROSS_COMPILE
KERNEL_THREAD_STACK_SIZE=16384
endif
endif
lkm: tweak Kbuild to work on 4.x (hardcoded fallback stack size); add linuxkm/get_thread_size.c.
2020-08-22 01:10:28 -05:00
# this mechanism only works in kernel 5.x+ (fallback to hardcoded value)
linuxkm: initial support for cross-compilation. also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile. also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
2024-07-16 14:24:37 -05:00
ifndef KERNEL_THREAD_STACK_SIZE
hostprogs := linuxkm/get_thread_size
always-y := $(hostprogs)
endif
linuxkm: spruce up arch-dependent CFLAGS setup in linuxkm/Kbuild; add "failed:" to error messages in km_AesGcmEncrypt() and km_AesGcmDecrypt().
2024-01-31 11:49:46 -06:00
HOST_EXTRACFLAGS += $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(KBUILD_CFLAGS) -static -fno-omit-frame-pointer
linuxkm: inhibit thunk generation in get_thread_size.
2022-07-19 10:20:04 -05:00
# "-mindirect-branch=keep -mfunction-return=keep" to avoid "undefined reference
# to `__x86_return_thunk'" on CONFIG_RETHUNK kernels (5.19.0-rc7)
linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS; linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic(); in lkm_printf() definition, use _printk on >5.15.0; linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to accommodate growth.
2025-04-10 17:23:17 +00:00
ifeq "$(KERNEL_ARCH_X86)" "yes"
linuxkm: spruce up arch-dependent CFLAGS setup in linuxkm/Kbuild; add "failed:" to error messages in km_AesGcmEncrypt() and km_AesGcmDecrypt().
2024-01-31 11:49:46 -06:00
HOST_EXTRACFLAGS += -mindirect-branch=keep -mfunction-return=keep
linuxkm: squash of philljj's POC work integrating libwolfssl.ko with crypto_register_skcipher/crypto_register_aead, start 2022-12-26, end 2023-01-14.
2024-01-26 14:04:02 -06:00
endif
lkm: tweak Kbuild to work on 4.x (hardcoded fallback stack size); add linuxkm/get_thread_size.c.
2020-08-22 01:10:28 -05:00
# this rule is needed to get build to succeed in 4.x (get_thread_size still doesn't get built)
$(obj)/linuxkm/get_thread_size: $(src)/linuxkm/get_thread_size.c
linuxkm: initial support for cross-compilation. also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile. also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
2024-07-16 14:24:37 -05:00
ifndef KERNEL_THREAD_STACK_SIZE
$(WOLFSSL_OBJ_TARGETS): | $(obj)/linuxkm/get_thread_size
KERNEL_THREAD_STACK_SIZE=$(shell test -x $(obj)/linuxkm/get_thread_size && $(obj)/linuxkm/get_thread_size || echo 16384)
endif
lkm: add autodetection of kernel stack frame size; reactivate objtool scrutiny since _asm files are indeed not yet kernel-compatible; delete linuxkm/lkm_testcrypto.c and use wolfcrypt/test/test.c.
2020-08-22 00:32:32 -05:00
MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4)))
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
libwolfssl-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/module_exports.o
initial buildability of full libwolfssl.ko loadable kernel module for Linux via ./configure --enable-linuxkm && make.
2020-08-18 14:17:44 -05:00
add WOLFSSL_API_PREFIX_MAP -- when defined, exported symbols otherwise missing wc_ or wolfSSL_ prefixes are remapped with the appropriate prefix; define WOLFSSL_API_PREFIX_MAP in WOLFSSL_LINUXKM setup in settings.h; fix gates on WOLFSSL_HAVE_PRF and WOLFSSL_NO_CT_OPS setup in settings.h; linuxkm/: add support for FIPS_OPTEST.
2025-10-08 13:15:22 -05:00
ifeq "$(FIPS_OPTEST)" "1"
libwolfssl-y += linuxkm/optest-140-3/linuxkm_optest_wrapper.o
endif
linuxkm: add autotools detection of usable compiler flags for enabling and disabling SIMD and fp registers and auto-vectorization, and integrate into linuxkm makefiles.
2020-09-01 14:40:53 -05:00
WOLFSSL_CFLAGS_NO_VECTOR_INSNS := $(CFLAGS_SIMD_DISABLE) $(CFLAGS_FPU_DISABLE)
ifeq "$(ENABLED_ASM)" "yes"
WOLFSSL_CFLAGS_YES_VECTOR_INSNS := $(CFLAGS_SIMD_ENABLE) $(CFLAGS_FPU_DISABLE) $(CFLAGS_AUTO_VECTORIZE_DISABLE)
linuxkm: dial in SIMD options in Kbuild; add boilerplate at the top of all files added for linuxkm.
2020-08-31 20:53:58 -05:00
else
linuxkm: add autotools detection of usable compiler flags for enabling and disabling SIMD and fp registers and auto-vectorization, and integrate into linuxkm makefiles.
2020-09-01 14:40:53 -05:00
WOLFSSL_CFLAGS_YES_VECTOR_INSNS := $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS)
linuxkm: override-disable SIMD instructions for all .c.o's, with exceptions enumerated in Kbuild (currently only aes.c), and couple -msse with -fno-builtin-functions; export ENABLED_ASM for use as a pivot in Kbuild; use asm/i387.h, not asm/simd.h, for kernel_fpu_{begin,end}() protos.
2020-08-31 18:37:04 -05:00
endif
linuxkm/: fixes for ARMv7, and miscellaneous fixes for Makefile and FIPS logic.
2025-11-19 17:20:14 -06:00
ccflags-y = $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS)
linuxkm: override-disable SIMD instructions for all .c.o's, with exceptions enumerated in Kbuild (currently only aes.c), and couple -msse with -fno-builtin-functions; export ENABLED_ASM for use as a pivot in Kbuild; use asm/i387.h, not asm/simd.h, for kernel_fpu_{begin,end}() protos.
2020-08-31 18:37:04 -05:00
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
linuxkm/Kbuild: revert change to base PIE_FLAGS -- we need -fno-stack-protector to avoid compiler-generated references to __stack_chk_fail.
2025-07-22 16:45:06 -05:00
# note, we need -fno-stack-protector to avoid references to
# "__stack_chk_fail" from the wolfCrypt container.
PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
linuxkm/Kbuild: if ENABLED_LINUXKM_PIE, disable KASAN and UBSAN, to avoid external references (__ubsan_handle_out_of_bounds() etc.).
2025-07-23 17:30:14 -05:00
# the kernel sanitizers generate external references to
# __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
KASAN_SANITIZE := n
UBSAN_SANITIZE := n
linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS; linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic(); in lkm_printf() definition, use _printk on >5.15.0; linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to accommodate growth.
2025-04-10 17:23:17 +00:00
ifeq "$(KERNEL_ARCH_X86)" "yes"
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
PIE_FLAGS += -mcmodel=small
# eliminate external references to __x86_return_thunk and
# __x86_indirect_thunk_foo implementations. _all_ references must be
# eliminated, not just those in PIE objects, otherwise some kernels will
# false-positively complain about unpatched thunks.
ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
PIE_SUPPORT_FLAGS += -mfunction-return=thunk-inline
else
PIE_SUPPORT_FLAGS += -mfunction-return=keep
endif
ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
PIE_SUPPORT_FLAGS += -mindirect-branch=thunk-inline
else
PIE_SUPPORT_FLAGS += -mindirect-branch=keep
endif
OBJECT_FILES_NON_STANDARD := y
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
endif
linuxkm/Kbuild and linuxkm/module_hooks.c: refactor wc_linuxkm_pie_reloc_tab to include ground truth segment tag from ELF metadata. tweaks for ARM32: recognize R_ARM_* relocations, and add -fno-unwind-tables to PIE_FLAGS. linuxkm/linuxkm_wc_port.h: * __PIE__: don't declare static pmd_to_page() unless USE_SPLIT_PMD_PTLOCKS. * add wc_lkm_refcount_to_int() helper with -Wnested-externs suppressed. wolfcrypt/src/fe_operations.c: in fe_frombytes() and fe_sq2(), use explicit XMEMSET()s to initialize working vars, rather than implicit, to avoid implicit (unshimmable) memset() calls. wolfcrypt/src/ge_operations.c: fix gate on _wc_curve25519_dummy() to require CURVED25519_ASM.
2025-11-14 19:24:53 -06:00
ifeq "$(KERNEL_ARCH)" "arm"
PIE_FLAGS += -fno-unwind-tables
endif
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
ifeq "$(KERNEL_ARCH)" "mips"
PIE_FLAGS += -mabicalls
endif
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
ccflags-y += $(PIE_SUPPORT_FLAGS)
$(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_FLAGS)
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
$(WOLFCRYPT_PIE_FILES): ccflags-remove-y += -pg
linuxkm/Kbuild: add support for FORCE_GLOBAL_OBJTOOL_OFF.
2025-09-16 15:39:12 -05:00
ifdef FORCE_GLOBAL_OBJTOOL_OFF
undefine CONFIG_OBJTOOL
endif
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
endif
linuxkm/Kbuild: add KERNEL_EXTRA_CFLAGS_REMOVE; linuxkm/linuxkm_wc_port.h: fix version threshold for HAVE_KVREALLOC (6.12.0, not 6.11.0), and add manual overrides.
2025-07-23 14:31:52 -05:00
ifdef KERNEL_EXTRA_CFLAGS_REMOVE
linuxkm/: fixes for ARMv7, and miscellaneous fixes for Makefile and FIPS logic.
2025-11-19 17:20:14 -06:00
ccflags-remove-y += $(KERNEL_EXTRA_CFLAGS_REMOVE)
linuxkm/Kbuild: add KERNEL_EXTRA_CFLAGS_REMOVE; linuxkm/linuxkm_wc_port.h: fix version threshold for HAVE_KVREALLOC (6.12.0, not 6.11.0), and add manual overrides.
2025-07-23 14:31:52 -05:00
endif
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/libwolfssl.mod.o: ccflags-y := $(PIE_SUPPORT_FLAGS)
$(obj)/wolfcrypt/test/test.o: ccflags-y += -DNO_MAIN_DRIVER -DWOLFSSL_NO_OPTIONS_H
$(obj)/wolfcrypt/src/aes.o: ccflags-y := $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_YES_VECTOR_INSNS) $(PIE_FLAGS) $(PIE_SUPPORT_FLAGS)
$(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y := $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H
$(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
linuxkm/linuxkm_memory.c: refactor SAVE/RESTORE_VECTOR_REGISTERS() to be per-process rather than per-CPU, and add migrate_disable/enable() to kernel_fpu_begin/end() because preempt_disable() is just a barrier on _PREEMPT_VOLUNTARY kernels; linuxkm/linuxkm_wc_port.h: activate SAVE/RESTORE_VECTOR_REGISTERS() whenever defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) for benchmark.c support, independent of vector crypto features; fix and optimize various alignment issues with stack and heap allocations; fix macro definitions for XMALLOC/XREALLOC/XFREE to correctly use kvmalloc and friends when defined(HAVE_KVMALLOC), and to use wolfSSL_Malloc() and friends when defined(WOLFSSL_TRACK_MEMORY); purge stale LINUXKM_SIMD_IRQ code.
2023-05-17 01:44:36 -05:00
linuxkm: enable the rest of the _asm implementations for x86, wrapped in {SAVE,RESTORE}_VECTOR_REGISTERS().
2020-09-08 23:11:03 -05:00
asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPUSIMD_DISABLE)
linuxkm: fix Makefile to properly pivot module signature on CONFIG_MODULE_SIG==y; remove not-yet-kernel-compatible asm files from the ASFLAGS_FPU_DISABLE_SIMD_ENABLE list, matching the OBJECT_FILES_NON_STANDARD list, for clarity.
2021-10-18 15:00:47 -05:00
# vectorized implementations that are kernel-safe are listed here.
linuxkm: add asm support for Kyber.
2024-08-14 14:39:45 -05:00
# these are known kernel-compatible, but need the vector instructions enabled in the assembler,
# and most of them still irritate objtool.
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/aes_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm: override-disable SIMD instructions for all .c.o's, with exceptions enumerated in Kbuild (currently only aes.c), and couple -msse with -fno-builtin-functions; export ENABLED_ASM for use as a pivot in Kbuild; use asm/i387.h, not asm/simd.h, for kernel_fpu_{begin,end}() protos.
2020-08-31 18:37:04 -05:00
$(obj)/wolfcrypt/src/aes_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/aes_gcm_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm: override-disable SIMD instructions for all .c.o's, with exceptions enumerated in Kbuild (currently only aes.c), and couple -msse with -fno-builtin-functions; export ENABLED_ASM for use as a pivot in Kbuild; use asm/i387.h, not asm/simd.h, for kernel_fpu_{begin,end}() protos.
2020-08-31 18:37:04 -05:00
$(obj)/wolfcrypt/src/aes_gcm_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/aes_xts_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
AES XTS x64 ASM: add AVX1 and AESNI implementations Adding AES-XTS AVX1 and AESNI implementations. Fix name in comment at top of x64 assembly files.
2023-09-28 09:25:37 +10:00
$(obj)/wolfcrypt/src/aes_xts_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/sp_x86_64_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm feature additions: add build-time support for module signing using native Linux facility; add support for alternative licenses using WOLFSSL_LICENSE macro; improve load-time kernel log messages; add support for sp-math-all asm/AVX2 acceleration; add error-checking and return in SAVE_VECTOR_REGISTERS(); implement support for x86 accelerated crypto from interrupt handlers, gated on WOLFSSL_LINUXKM_SIMD_X86_IRQ_ALLOWED: * wolfcrypt_irq_fpu_states * am_in_hard_interrupt_handler() * allocate_wolfcrypt_irq_fpu_states() * free_wolfcrypt_irq_fpu_states() * save_vector_registers_x86() * restore_vector_registers_x86() add WOLFSSL_LINUXKM_SIMD, WOLFSSL_LINUXKM_SIMD_X86, and WOLFSSL_LINUXKM_SIMD_ARM macros for more readable gating.
2021-09-15 23:05:32 -05:00
$(obj)/wolfcrypt/src/sp_x86_64_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/sha256_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list.
2024-04-19 01:35:45 -05:00
$(obj)/wolfcrypt/src/sha256_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/sha512_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list.
2024-04-19 01:35:45 -05:00
$(obj)/wolfcrypt/src/sha512_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/sha3_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list.
2024-04-19 01:35:45 -05:00
$(obj)/wolfcrypt/src/sha3_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/chacha_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list.
2024-04-19 01:35:45 -05:00
$(obj)/wolfcrypt/src/chacha_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/poly1305_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list.
2024-04-19 01:35:45 -05:00
$(obj)/wolfcrypt/src/poly1305_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/wc_mlkem_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
linuxkm/Kbuild: set OBJECT_FILES_NON_STANDARD=y for wolfcrypt/src/wc_mlkem_asm.o ("'naked' return found").
2025-05-30 13:39:33 -05:00
$(obj)/wolfcrypt/src/wc_mlkem_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally.
2025-11-06 17:37:07 -06:00
$(obj)/wolfcrypt/src/wc_mldsa_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
ML-DSA/Dilithium: Intel x64 ASM Optimize code knowing it is for Intel x64. Change signing to calculate one polynomial at a time so that if it isn't valid then we fail early. Other minor improvements. Move the SHA-3 4 blocks at a time assembly into SHA-3 asm file. Make constants in assembly the same length (front pad with zeros).
2025-08-04 17:56:52 +10:00
$(obj)/wolfcrypt/src/wc_mldsa_asm.o: OBJECT_FILES_NON_STANDARD := y
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
linuxkm/Kbuild and linuxkm/module_exports.c.template: on kernel >=6.13, add quotes around the namespace arg to EXPORT_SYMBOL_NS_GPL() (upstream change actually made in 6.13-rc2).
2024-12-16 11:43:26 -06:00
ifndef READELF
READELF := readelf
endif
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
linuxkm/Kbuild: activate linker script with backward-compatible construct (tests good on 4.4); linuxkm/linuxkm_wc_port.h: completely inhibit CONFIG_FORTIFY_SOURCE across the module when HAVE_LINUXKM_PIE_SUPPORT, for fidget-free backward compat; linuxkm/module_hooks.c: * add startup-time sanity check on fenceposts, * enhance DEBUG_LINUXKM_PIE_SUPPORT with coverage for WOLFSSL_TEXT_SEGMENT_CANONICALIZER on the entire text segment, * compute and report a hash on the stabilized text segment, * fix wc_linuxkm_normalize_relocations() to allow span end == __wc_text_end, and * add numerous verbose pr_err()s when DEBUG_LINUXKM_PIE_SUPPORT.
2025-10-03 15:07:56 -05:00
ldflags-y += -T $(src)/wolfcrypt.lds
add linuxkm/wolfcrypt.lds module linker script, explicitly grouping wolfcrypt sections together; linuxkm/Kbuild: add linker script flag, containerize several more previously-missed ELF sections, and add a test verifying no sections were missed; linuxkm/linuxkm_memory.c: remove obsolete lkm_realloc() shim and unneeded my__show_free_areas() wrapper; linuxkm/linuxkm_wc_port.h: add new mapping from realloc() to native kvrealloc(), and gate out a slew of headers when __PIE__ to avoid polluting wolfCrypt objects with various unneeded header-implemented functions with associated awkward symbols references; linuxkm/lkcapi_glue.c: harmonize gate for REGISTER_ALG_OPTIONAL(); linuxkm/module_hooks.c: add "ERROR:" prefixes on pr_err()s; add wc_RunAllCast_fips() at shutdown to send confidence verification to the kernel log; remove section bounds checks now that layout is unreliable; wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM && HAVE_LINUXKM_PIE_SUPPORT, #define WOLFSSL_ECC_CURVE_STATIC and WOLFSSL_NAMES_STATIC; wolfssl/wolfcrypt/types.h: refactor the typedef for wcchar from a pointer to a char[]; wolfcrypt/src/wc_xmss.c and wolfssl/wolfcrypt/wc_lms.h: add WOLFSSL_NAMES_STATIC code paths for struct wc_XmssString and struct wc_LmsParamsMap; wolfcrypt/src/asn.c: add WOLFSSL_NAMES_STATIC code paths for struct CertNameData, and add static attribute to a slew of wcchars not used or declared outside asn.c.
2025-07-09 16:29:04 -05:00
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
ifndef NM
NM := nm
endif
ifndef OBJCOPY
OBJCOPY := objcopy
endif
linuxkm/Makefile and linuxkm/Kbuild: * refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration; * use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies. these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
2025-09-17 13:06:32 -05:00
RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
if [[ "$(quiet)" != "silent_" ]]; then \
echo -n ' Checking wolfCrypt for unresolved symbols and forbidden relocations... '; \
fi; \
cd "$(obj)" || exit $$?; \
$(LD) -relocatable -o wolfcrypt_test_link.o $(WOLFCRYPT_PIE_FILES) || exit $$?; \
undefined=$$($(NM) --undefined-only wolfcrypt_test_link.o) || exit $$?; \
GOT_relocs=$$($(READELF) --relocs --wide wolfcrypt_test_link.o | grep -E '^[^ ]+ +[^ ]+ +[^ ]*GOT[^ ]* ') || [ $$? = 1 ] || exit 2; \
rm wolfcrypt_test_link.o; \
if [ -n "$$undefined" ]; then \
echo "wolfCrypt container has unresolved symbols:" 1>&2; \
echo "$$undefined" 1>&2; \
exit 1; \
fi; \
if [ -n "$$GOT_relocs" ]; then \
echo "wolfCrypt container has GOT relocations (non-local function address used as operand?):" 1>&2; \
echo "$$GOT_relocs" 1>&2; \
exit 1; \
fi; \
if [[ "$(quiet)" != "silent_" ]]; then \
echo 'OK.'; \
fi; \
cd "$(obj)" || exit $$?; \
linuxkm/Kbuild: refactor RENAME_PIE_TEXT_AND_DATA_SECTIONS to automatically derive the list of all ELF sections to rename, rather than enumerating them staticly in the objcopy recipe (motivated by changes expected in kernel 6.19).
2025-10-18 12:07:35 -05:00
for file in $(WOLFCRYPT_PIE_FILES); do \
$(OBJCOPY) $$($(READELF) --sections --wide "$$file" | \
$(AWK) ' \
{ \
linuxkm: globally rename+unify: * HAVE_LINUXKM_PIE_SUPPORT and USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE under gate WC_PIE_RELOC_TABLES * WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY as WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY * WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ as WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ * WC_LKM_INDIRECT_SYM() as WC_PIE_INDIRECT_SYM; linuxkm/linuxkm_wc_port.h: * implement pointer-caching inline wolfssl_linuxkm_get_pie_redirect_table_local() for the WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY path; * for FIPS_VERSION3_GE(6,0,0), add wolfCrypt_FIPS_*_ro_sanity pointers to struct wolfssl_linuxkm_pie_redirect_table, and corresponding ad hoc prototypes; linuxkm/Makefile and linuxkm/module_hooks.c: move wc_linuxkm_pie_reloc_tab into the wolfCrypt PIE container; linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: harmonize the types of __wc_{text,rodata}_{start,end} with wolfCrypt_FIPS_{first,last,ro_start,ro_end} to allow drop-in use of the all-inclusive ELF fenceposts, activated by WC_USE_PIE_FENCEPOSTS_FOR_FIPS.
2025-10-31 16:03:51 -05:00
if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) \
{ \
printf("--rename-section .%s%s=.%s_wolfcrypt ", \
a[1], a[2], a[1]); \
} \
else if (match($$0, "^ *\\[ *[0-9]+\\] +\\.([^ ]+)\\.(text|rodata|data|bss) ", a)) \
{ \
printf("--rename-section .%s.%s=.%s_wolfcrypt ", a[1], a[2], a[2]); \
linuxkm/Kbuild: refactor RENAME_PIE_TEXT_AND_DATA_SECTIONS to automatically derive the list of all ELF sections to rename, rather than enumerating them staticly in the objcopy recipe (motivated by changes expected in kernel 6.19).
2025-10-18 12:07:35 -05:00
} \
}') "$$file" || exit $$?; \
done; \
linuxkm/x86_vector_register_glue.c: * refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable(); * eliminate the WC_FPU_ALREADY_FLAG kludge. * improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references; * extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes; * add version exceptions for RHEL 9.5. linuxkm/Kbuild: * on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none; * refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft; configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal; linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
2025-07-16 13:09:03 -05:00
{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
$(AWK) -v obj="$(obj)" ' \
/^File:/ { \
phase = 0; \
delete wolfcrypt_data_sections; \
delete wolfcrypt_text_sections; \
delete other_sections; \
if (substr($$2, 1, length(obj)) == obj) { \
curfile = substr($$2, length(obj) + 2); \
} else { \
curfile=$$2; \
} \
next; \
} \
/^Section Headers:/ { \
phase = 1; \
next; \
} \
/^Symbol table / { \
phase = 2; \
next; \
} \
{ \
if (phase == 1) { \
if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
switch (a[2]) { \
linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
2025-10-18 03:23:38 -05:00
case ".text_wolfcrypt": \
linuxkm/x86_vector_register_glue.c: * refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable(); * eliminate the WC_FPU_ALREADY_FLAG kludge. * improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references; * extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes; * add version exceptions for RHEL 9.5. linuxkm/Kbuild: * on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none; * refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft; configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal; linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
2025-07-16 13:09:03 -05:00
{ \
wolfcrypt_text_sections[a[1]] = a[2]; \
next; \
} \
linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
2025-10-18 03:23:38 -05:00
case /^\.(data|rodata|bss)_wolfcrypt$$/: \
linuxkm/x86_vector_register_glue.c: * refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable(); * eliminate the WC_FPU_ALREADY_FLAG kludge. * improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references; * extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes; * add version exceptions for RHEL 9.5. linuxkm/Kbuild: * on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none; * refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft; configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal; linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
2025-07-16 13:09:03 -05:00
{ \
wolfcrypt_data_sections[a[1]] = a[2]; \
next; \
} \
default: \
{ \
other_sections[a[1]] = a[2]; \
} \
} \
next; \
} \
next; \
} \
else if (phase == 2) { \
if ($$4 == "FUNC") { \
if (! ($$7 in wolfcrypt_text_sections)) { \
print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
++warnings; \
} \
next; \
} \
else if ($$4 == "OBJECT") { \
if (! ($$7 in wolfcrypt_data_sections)) { \
if ((other_sections[$$7] == ".printk_index") || \
(($$8 ~ /^_entry\.[0-9]+$$|^kernel_read_file_str$$/) && \
(other_sections[$$7] == ".data.rel.ro.local"))) \
next; \
print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
++warnings; \
} \
next; \
} \
} \
} \
END { \
if (warnings) { \
exit(1); \
} else { \
exit(0); \
}}'; } || \
linuxkm/Makefile and linuxkm/Kbuild: * refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration; * use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies. these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
2025-09-17 13:06:32 -05:00
{ echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }; \
if [[ "$(quiet)" != "silent_" ]]; then \
linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
2025-10-18 03:23:38 -05:00
echo ' wolfCrypt .{text,data,rodata,bss} sections containerized to .{text,data,rodata}_wolfcrypt'; \
linuxkm/Makefile and linuxkm/Kbuild: * refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration; * use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies. these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
2025-09-17 13:06:32 -05:00
fi
--enable-linuxkm-pie (FIPS Linux kernel module) (#4276) * Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module. * Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 11:15:52 -05:00
endif
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
# auto-generate the exported symbol list, leveraging the WOLFSSL_API visibility tags.
# exclude symbols that don't match wc_* or wolf*.
linuxkm/Kbuild: add helper variable EXPORT_SYMBOL to facilitate export attribute control.
2025-11-04 14:00:58 -06:00
EXPORT_SYMBOL := EXPORT_SYMBOL_NS_GPL
linuxkm/linuxkm_wc_port.h, linuxkm/x86_vector_register_glue.c, linuxkm/Kbuild: * rename can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), with wc_ prefix, and properly export them; * move setup for WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS outside BUILDING_WOLFSSL gate; * fix !BUILDING_WOLFSSL bindings for DISABLE_VECTOR_REGISTERS() to properly fall through to no-ops in !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS configs, and properly #error if WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS but !CONFIG_X86; .github/workflows/linuxkm.yml: --enable-linuxkm-benchmarks for additional coverage.
2025-07-31 10:37:39 -05:00
$(obj)/linuxkm/module_exports.c: $(src)/module_exports.c.template $(WOLFSSL_OBJ_TARGETS) $(obj)/linuxkm/module_hooks.o
linuxkm/Makefile and linuxkm/Kbuild: * refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration; * use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies. these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
2025-09-17 13:06:32 -05:00
@$(RENAME_PIE_TEXT_AND_DATA_SECTIONS)
linuxkm/Kbuild and linuxkm/module_exports.c.template: refactor using .ONESHELL, and in recipe for generating linuxkm/module_exports.c, render the namespace with a literal, with or without quotes as dictated by target kernel version. remove EXPORT_SYMBOL_NS_Q(), which didn't work right on old (pre-6.13) kernels with namespace support. wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, define NO_OLD_WC_NAMES, OPENSSL_COEXIST, etc., to avoid collisions with in-tree crypto in application sources that include both wolfssl and linux kernel native headers.
2025-02-23 15:33:46 -06:00
@cp $< $@ || exit $$?
if [[ "$${VERSION}" -gt 6 || ("$${VERSION}" -eq 6 && "$${PATCHLEVEL}" -ge 13) ]]; then
# use ASCII octal escape to avoid syntax disruption in the awk script.
ns='\042WOLFSSL\042'
else
ns='WOLFSSL'
fi
linuxkm/linuxkm_wc_port.h, linuxkm/x86_vector_register_glue.c, linuxkm/Kbuild: * rename can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), with wc_ prefix, and properly export them; * move setup for WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS outside BUILDING_WOLFSSL gate; * fix !BUILDING_WOLFSSL bindings for DISABLE_VECTOR_REGISTERS() to properly fall through to no-ops in !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS configs, and properly #error if WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS but !CONFIG_X86; .github/workflows/linuxkm.yml: --enable-linuxkm-benchmarks for additional coverage.
2025-07-31 10:37:39 -05:00
$(READELF) --symbols --wide $(filter %.o,$^) |
linuxkm/Kbuild and linuxkm/module_exports.c.template: refactor using .ONESHELL, and in recipe for generating linuxkm/module_exports.c, render the namespace with a literal, with or without quotes as dictated by target kernel version. remove EXPORT_SYMBOL_NS_Q(), which didn't work right on old (pre-6.13) kernels with namespace support. wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, define NO_OLD_WC_NAMES, OPENSSL_COEXIST, etc., to avoid collisions with in-tree crypto in application sources that include both wolfssl and linux kernel native headers.
2025-02-23 15:33:46 -06:00
$(AWK) '/^ *[0-9]+: / {
if ($$8 !~ /^(wc_|wolf|WOLF|TLSX_)/){next;}
if (($$4 == "FUNC") && ($$5 == "GLOBAL") && ($$6 == "DEFAULT")) {
linuxkm/Kbuild: add helper variable EXPORT_SYMBOL to facilitate export attribute control.
2025-11-04 14:00:58 -06:00
print "$(EXPORT_SYMBOL)(" $$8 ", '"$$ns"');";
linuxkm/Kbuild and linuxkm/module_exports.c.template: refactor using .ONESHELL, and in recipe for generating linuxkm/module_exports.c, render the namespace with a literal, with or without quotes as dictated by target kernel version. remove EXPORT_SYMBOL_NS_Q(), which didn't work right on old (pre-6.13) kernels with namespace support. wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, define NO_OLD_WC_NAMES, OPENSSL_COEXIST, etc., to avoid collisions with in-tree crypto in application sources that include both wolfssl and linux kernel native headers.
2025-02-23 15:33:46 -06:00
}
}' >> $@ || exit $$?
linuxkm/Kbuild: add helper variable EXPORT_SYMBOL to facilitate export attribute control.
2025-11-04 14:00:58 -06:00
echo -e "#ifndef NO_CRYPT_TEST\n$(EXPORT_SYMBOL)(wolfcrypt_test, $${ns});\n#endif" >> $@
linuxkm: add linuxkm/module_exports.c.template, and autogenerate linuxkm/module_exports.c.
2020-08-28 10:32:30 -05:00
linuxkm: updates for kernel 6.10: use new _noprof names for newly macro-shimmed kmalloc, krealloc, kzmalloc, kvmalloc_node, and kmalloc_trace, and refactor linuxkm/Makefile and linuxkm/Kbuild to set up links to sources in the dest tree (works around breakage from linux commit 9a0ebe5011).
2024-05-30 11:21:42 -05:00
clean-files := linuxkm src wolfcrypt
Reference in New Issue Copy Permalink