linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use "undefine CONFIG_OBJTOOL" to inhibit false-positive "unannotated intra-function call" due to inline retpolines;

linuxkm/Makefile, linuxkm/include.am, linuxkm/module_hooks.c: remove linuxkm/pie_first.c, linuxkm/pie_last.c, and references to them (replaced by fenceposts in linuxkm/wolfcrypt.lds).
Daniel Pouzzner
2025-09-10 15:08:41 -05:00
parent e3423d0922
commit 04834680d5
6 changed files with 10 additions and 93 deletions


@@ -127,10 +127,11 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
endif endif
$(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_SUPPORT_FLAGS) $(PIE_FLAGS) $(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_SUPPORT_FLAGS) $(PIE_FLAGS)
$(WOLFCRYPT_PIE_FILES): ccflags-remove-y += -pg $(WOLFCRYPT_PIE_FILES): ccflags-remove-y += -pg
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
# using inline retpolines leads to "unannotated intra-function call" # using inline retpolines leads to "unannotated intra-function call"
# warnings from objtool without this: # warnings from objtool without this:
undefine CONFIG_OBJTOOL
$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y $(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
endif endif
ifdef KERNEL_EXTRA_CFLAGS_REMOVE ifdef KERNEL_EXTRA_CFLAGS_REMOVE
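Review bot: `undefine CONFIG_OBJTOOL` is not target-scoped the way the neighbouring `$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y` line is, so inside the `ENABLED_LINUXKM_PIE` branch it presumably switches objtool off for every object this Kbuild produces, including `module_hooks.o` and the non-PIE sources. Those objects would then lose objtool's validation, which is a wider effect than the "unannotated intra-function call" warnings the comment describes for the PIE files. The comment should state that scope and why the per-file setting is not enough, for example `# NOTE: this disables objtool for the whole module, not only $(WOLFCRYPT_PIE_FILES); OBJECT_FILES_NON_STANDARD alone does not silence the warning`. The `ifeq` block opens before the hunk, so anything earlier in it that depends on `CONFIG_OBJTOOL` is not visible here.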


@@ -54,7 +54,7 @@ ifeq "$(ENABLED_LINUXKM_BENCHMARKS)" "yes"
endif endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes" ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o WOLFCRYPT_PIE_FILES := $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o
WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES)) WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
endif endif


@@ -8,9 +8,7 @@ EXTRA_DIST += m4/ax_linuxkm.m4 \
linuxkm/get_thread_size.c \ linuxkm/get_thread_size.c \
linuxkm/module_hooks.c \ linuxkm/module_hooks.c \
linuxkm/module_exports.c.template \ linuxkm/module_exports.c.template \
linuxkm/pie_first.c \
linuxkm/pie_redirect_table.c \ linuxkm/pie_redirect_table.c \
linuxkm/pie_last.c \
linuxkm/linuxkm_memory.c \ linuxkm/linuxkm_memory.c \
linuxkm/linuxkm_wc_port.h \ linuxkm/linuxkm_wc_port.h \
linuxkm/x86_vector_register_glue.c \ linuxkm/x86_vector_register_glue.c \


@@ -97,7 +97,7 @@ extern const unsigned int wolfCrypt_PIE_rodata_end[];
/* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE /* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
* binary image. * binary image.
*/ */
static unsigned int hash_span(char *start, char *end) { static unsigned int hash_span(const u8 *start, const u8 *end) {
unsigned int sum = 1; unsigned int sum = 1;
while (start < end) { while (start < end) {
unsigned int rotate_by; unsigned int rotate_by;
@@ -419,24 +419,18 @@ static int wolfssl_init(void)
#endif #endif
{ {
char *pie_text_start = (char *)wolfCrypt_PIE_first_function; unsigned int text_hash = hash_span(__wc_text_start, __wc_text_end);
char *pie_text_end = (char *)wolfCrypt_PIE_last_function; unsigned int rodata_hash = hash_span(__wc_rodata_start, __wc_rodata_end);
char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
unsigned int text_hash, rodata_hash;
text_hash = hash_span(pie_text_start, pie_text_end);
rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
/* note, "%pK" conceals the actual layout information. "%px" exposes /* note, "%pK" conceals the actual layout information. "%px" exposes
* the true module start address, which is potentially useful to an * the true module start address, which is potentially useful to an
* attacker. * attacker.
*/ */
pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n", pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n",
text_hash, pie_text_end-pie_text_start, text_hash, __wc_text_end - __wc_text_start,
rodata_hash, pie_rodata_end-pie_rodata_start, rodata_hash, __wc_rodata_end - __wc_rodata_start,
pie_text_start < pie_rodata_start ? '+' : '-', &__wc_text_start[0] < &__wc_rodata_start[0] ? '+' : '-',
pie_text_start < pie_rodata_start ? pie_rodata_start - pie_text_start : pie_text_start - pie_rodata_start); &__wc_text_start[0] < &__wc_rodata_start[0] ? &__wc_rodata_start[0] - &__wc_text_start[0] : &__wc_text_start[0] - &__wc_rodata_start[0]);
pr_info("wolfCrypt segments: text=%x-%x, rodata=%x-%x, " pr_info("wolfCrypt segments: text=%x-%x, rodata=%x-%x, "
"rwdata=%x-%x, bss=%x-%x\n", "rwdata=%x-%x, bss=%x-%x\n",
(unsigned)(uintptr_t)__wc_text_start, (unsigned)(uintptr_t)__wc_text_start,
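Review bot: The `pr_info("wolfCrypt segments: ...")` call at the end of the second hunk prints `(unsigned)(uintptr_t)__wc_text_start` and its siblings with `%x`, which writes the low 32 bits of the real section addresses to the kernel log. That is the same exposure the comment a few lines above warns about for `%px`, and on a 64-bit kernel the cast may hide little, since the randomized part of a module address can sit largely in those low bits. Consider formatting these as `text=%pK-%pK` with `__wc_text_start, __wc_text_end` (and likewise for the other segments), or logging only sizes and relative offsets as the first `pr_info` does. The call continues past the end of the hunk and the block opens right after an `#endif`, so whether it is built only in a debug configuration cannot be seen from here.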


@@ -1,38 +0,0 @@
/* linuxkm/pie_first.c -- memory fenceposts for checking binary image stability
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef __PIE__
#error pie_first.c must be compiled -fPIE.
#endif
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#include <wolfssl/ssl.h>
int wolfCrypt_PIE_first_function(void);
int wolfCrypt_PIE_first_function(void) {
return 0;
}
const unsigned int wolfCrypt_PIE_rodata_start[];
const unsigned int wolfCrypt_PIE_rodata_start[] =
/* random values, analogous to wolfCrypt_FIPS_ro_{start,end} */
{ 0x8208f9ca, 0x9daf4ac9 };


@@ -1,38 +0,0 @@
/* linuxkm/pie_last.c -- memory fenceposts for checking binary image stability
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef __PIE__
#error pie_last.c must be compiled -fPIE.
#endif
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#include <wolfssl/ssl.h>
int wolfCrypt_PIE_last_function(void);
int wolfCrypt_PIE_last_function(void) {
return 1;
}
const unsigned int wolfCrypt_PIE_rodata_end[];
const unsigned int wolfCrypt_PIE_rodata_end[] =
/* random values, analogous to wolfCrypt_FIPS_ro_{start,end} */
{ 0xa4aaaf71, 0x55c4b7d0 };