linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use "undefine CONFIG_OBJTOOL" to inhibit false-positive "unannotated intra-function call" due to inline retpolines;
linuxkm/Makefile, linuxkm/include.am, linuxkm/module_hooks.c: remove linuxkm/pie_first.c, linuxkm/pie_last.c, and references to them (replaced by fenceposts in linuxkm/wolfcrypt.lds).
@@ -127,10 +127,11 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
|
||||
endif
|
||||
$(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_SUPPORT_FLAGS) $(PIE_FLAGS)
|
||||
$(WOLFCRYPT_PIE_FILES): ccflags-remove-y += -pg
|
||||
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
|
||||
# using inline retpolines leads to "unannotated intra-function call"
|
||||
# warnings from objtool without this:
|
||||
undefine CONFIG_OBJTOOL
|
||||
$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y
|
||||
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
|
||||
endif
|
||||
|
||||
ifdef KERNEL_EXTRA_CFLAGS_REMOVE
|
||||
|
||||
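Review bot: `undefine CONFIG_OBJTOOL` is not scoped to the PIE objects. As a plain make directive inside the `ENABLED_LINUXKM_PIE` block it appears to apply to everything this Kbuild file builds from that point on, including `linuxkm/module_hooks.o` and the rest of `$(WOLFSSL_OBJ_FILES)`, whereas the target-specific `OBJECT_FILES_NON_STANDARD := y` on the next line opts out only `$(WOLFCRYPT_PIE_FILES)`. Besides validation, objtool emits the ORC unwind data and the retpoline/return-site tables the kernel uses for runtime mitigation patching, so dropping it module-wide presumably does more than silence the warning; this is worth confirming on a kernel built with those options. If the global form is really needed, the comment should say so, e.g. `# NOTE: this disables objtool for every object in the module, not only $(WOLFCRYPT_PIE_FILES)`.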
@@ -54,7 +54,7 @@ ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
|
||||
endif
|
||||
|
||||
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
|
||||
WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o
|
||||
WOLFCRYPT_PIE_FILES := $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o
|
||||
WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
|
||||
endif
|
||||
|
||||
|
||||
@@ -8,9 +8,7 @@ EXTRA_DIST += m4/ax_linuxkm.m4 \
|
||||
linuxkm/get_thread_size.c \
|
||||
linuxkm/module_hooks.c \
|
||||
linuxkm/module_exports.c.template \
|
||||
linuxkm/pie_first.c \
|
||||
linuxkm/pie_redirect_table.c \
|
||||
linuxkm/pie_last.c \
|
||||
linuxkm/linuxkm_memory.c \
|
||||
linuxkm/linuxkm_wc_port.h \
|
||||
linuxkm/x86_vector_register_glue.c \
|
||||
|
||||
@@ -97,7 +97,7 @@ extern const unsigned int wolfCrypt_PIE_rodata_end[];
|
||||
/* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
|
||||
* binary image.
|
||||
*/
|
||||
static unsigned int hash_span(char *start, char *end) {
|
||||
static unsigned int hash_span(const u8 *start, const u8 *end) {
|
||||
unsigned int sum = 1;
|
||||
while (start < end) {
|
||||
unsigned int rotate_by;
|
||||
@@ -419,24 +419,18 @@ static int wolfssl_init(void)
|
||||
#endif
|
||||
|
||||
{
|
||||
char *pie_text_start = (char *)wolfCrypt_PIE_first_function;
|
||||
char *pie_text_end = (char *)wolfCrypt_PIE_last_function;
|
||||
char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
|
||||
char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
|
||||
unsigned int text_hash, rodata_hash;
|
||||
|
||||
text_hash = hash_span(pie_text_start, pie_text_end);
|
||||
rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
|
||||
unsigned int text_hash = hash_span(__wc_text_start, __wc_text_end);
|
||||
unsigned int rodata_hash = hash_span(__wc_rodata_start, __wc_rodata_end);
|
||||
|
||||
/* note, "%pK" conceals the actual layout information. "%px" exposes
|
||||
* the true module start address, which is potentially useful to an
|
||||
* attacker.
|
||||
*/
|
||||
pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n",
|
||||
text_hash, pie_text_end-pie_text_start,
|
||||
rodata_hash, pie_rodata_end-pie_rodata_start,
|
||||
pie_text_start < pie_rodata_start ? '+' : '-',
|
||||
pie_text_start < pie_rodata_start ? pie_rodata_start - pie_text_start : pie_text_start - pie_rodata_start);
|
||||
text_hash, __wc_text_end - __wc_text_start,
|
||||
rodata_hash, __wc_rodata_end - __wc_rodata_start,
|
||||
&__wc_text_start[0] < &__wc_rodata_start[0] ? '+' : '-',
|
||||
&__wc_text_start[0] < &__wc_rodata_start[0] ? &__wc_rodata_start[0] - &__wc_text_start[0] : &__wc_text_start[0] - &__wc_rodata_start[0]);
|
||||
pr_info("wolfCrypt segments: text=%x-%x, rodata=%x-%x, "
|
||||
"rwdata=%x-%x, bss=%x-%x\n",
|
||||
(unsigned)(uintptr_t)__wc_text_start,
|
||||
|
||||
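Review bot: The `pr_info("wolfCrypt segments: ...")` call at the end of the second hunk prints `(unsigned)(uintptr_t)__wc_text_start` with `%x`, which writes the low 32 bits of the real load address to the kernel log. That is the layout exposure the comment a few lines above warns about for `%px`. The call looks like unchanged context and continues past the hunk, so it may sit behind a debug guard that is not visible here. If it does not, print spans or offsets relative to `__wc_text_start` as the first message does, or use `%pK`. Separately, the rewritten span arguments such as `__wc_text_end - __wc_text_start` are pointer differences passed to `%lu`; `%td` or an explicit `(unsigned long)` cast would match the argument type.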
@@ -1,38 +0,0 @@
|
||||
/* linuxkm/pie_first.c -- memory fenceposts for checking binary image stability
|
||||
*
|
||||
* Copyright (C) 2006-2025 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
* wolfSSL is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfSSL is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#ifndef __PIE__
|
||||
#error pie_first.c must be compiled -fPIE.
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#include <wolfssl/ssl.h>
|
||||
|
||||
int wolfCrypt_PIE_first_function(void);
|
||||
int wolfCrypt_PIE_first_function(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
const unsigned int wolfCrypt_PIE_rodata_start[];
|
||||
const unsigned int wolfCrypt_PIE_rodata_start[] =
|
||||
/* random values, analogous to wolfCrypt_FIPS_ro_{start,end} */
|
||||
{ 0x8208f9ca, 0x9daf4ac9 };
|
||||
@@ -1,38 +0,0 @@
|
||||
/* linuxkm/pie_last.c -- memory fenceposts for checking binary image stability
|
||||
*
|
||||
* Copyright (C) 2006-2025 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
* wolfSSL is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfSSL is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#ifndef __PIE__
|
||||
#error pie_last.c must be compiled -fPIE.
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
||||
|
||||
#include <wolfssl/ssl.h>
|
||||
|
||||
int wolfCrypt_PIE_last_function(void);
|
||||
int wolfCrypt_PIE_last_function(void) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
const unsigned int wolfCrypt_PIE_rodata_end[];
|
||||
const unsigned int wolfCrypt_PIE_rodata_end[] =
|
||||
/* random values, analogous to wolfCrypt_FIPS_ro_{start,end} */
|
||||
{ 0xa4aaaf71, 0x55c4b7d0 };
|
||||