diff --git a/.github/workflows/linuxkm.yml b/.github/workflows/linuxkm.yml new file mode 100644 index 000000000..931e2d4c7 --- /dev/null +++ b/.github/workflows/linuxkm.yml @@ -0,0 +1,54 @@ +name: Kernel Module Build + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + build_library: + strategy: + matrix: + config: [ + 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384', + 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384' + ] + name: build module + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - uses: actions/checkout@v4 + name: Checkout wolfSSL + + - name: Prepare target kernel for module builds + run: | + echo "updating linux-headers" + sudo apt-get update || $(exit 2) + sudo apt-get install linux-headers-$(uname -r) -y || $(exit 3) + echo "preparing target kernel $(uname -r)" + pushd "/lib/modules/$(uname -r)/build" || $(exit 4) + if [ -f /proc/config.gz ]; then gzip -dc /proc/config.gz > /tmp/.config && sudo mv /tmp/.config . || $(exit 5); elif [ -f "/boot/config-$(uname -r)" ]; then sudo cp -p "/boot/config-$(uname -r)" .config || $(exit 6); fi + sudo make -j 4 oldconfig || $(exit 7) + sudo make M="$(pwd)" modules_prepare || $(exit 8) + popd >/dev/null + + - name: autogen.sh + run: | + ./autogen.sh || $(exit 9) + + - name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings + run: | + echo "running ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }}" + ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }} || $(exit 10) + # try to remove profiling (-pg) because it leads to "_mcleanup: gmon.out: Permission denied" + make -j 4 KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1 || $(exit 11) + ls -l linuxkm/libwolfssl.ko || $(exit 12) + echo "Successful linuxkm build." diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 236de6627..3e039f6fc 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -193,6 +193,10 @@ DILITHIUM_MUL_QINV_SLOW DILITHIUM_MUL_Q_SLOW DILITHIUM_MUL_SLOW DILITHIUM_USE_HINT_CT +DONT_HAVE_KVMALLOC +DONT_HAVE_KVREALLOC +DONT_USE_KVMALLOC +DONT_USE_KVREALLOC DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER ECCSI_ORDER_MORE_BITS_THAN_PRIME ECC_DUMP_OID diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 5e15ce1d4..93c332fe9 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -105,6 +105,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes" # "__stack_chk_fail" from the wolfCrypt container. PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE + # the kernel sanitizers generate external references to + # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc. + KASAN_SANITIZE := n + UBSAN_SANITIZE := n ifeq "$(KERNEL_ARCH_X86)" "yes" PIE_FLAGS += -mcmodel=small ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y" @@ -129,6 +133,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes" $(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS) endif +ifdef KERNEL_EXTRA_CFLAGS_REMOVE + ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE +endif + $(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H $(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE) diff --git a/linuxkm/Makefile b/linuxkm/Makefile index 98198f35c..7fb380cea 100644 --- a/linuxkm/Makefile +++ b/linuxkm/Makefile @@ -98,6 +98,9 @@ else endif libwolfssl.ko.signed: libwolfssl.ko +ifdef FORCE_NO_MODULE_SIG + @echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.' +else @cd '$(KERNEL_ROOT)' || exit $$?; \ while read configline; do \ case "$$configline" in \ @@ -127,6 +130,7 @@ libwolfssl.ko.signed: libwolfssl.ko echo " Module $@ signed by $${CONFIG_MODULE_SIG_KEY}."; \ fi \ fi +endif .PHONY: install modules_install diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 1d15bbedd..96e3be3a1 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -81,28 +81,38 @@ * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. * - * however, until 6.11, it took an extra argument, oldsize, that makes it - * incompatible with traditional libc usage patterns, so we don't try to use it. + * however, until 6.12 (commit 590b9d576c), it took an extra argument, + * oldsize, that makes it incompatible with traditional libc usage patterns, + * so we don't try to use it. */ - #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) + #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) && \ + !defined(DONT_HAVE_KVMALLOC) && !defined(HAVE_KVMALLOC) #define HAVE_KVMALLOC #endif - #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) && \ + !defined(DONT_HAVE_KVREALLOC) && !defined(HAVE_KVREALLOC) #define HAVE_KVREALLOC #endif #ifdef WOLFCRYPT_ONLY - #ifdef HAVE_KVMALLOC + #if defined(HAVE_KVMALLOC) && \ + !defined(DONT_USE_KVMALLOC) && !defined(USE_KVMALLOC) #define USE_KVMALLOC #endif - #ifdef HAVE_KVREALLOC + #if defined(HAVE_KVREALLOC) && \ + !defined(DONT_USE_KVREALLOC) && !defined(USE_KVREALLOC) #define USE_KVREALLOC #endif #else /* functioning realloc() is needed for the TLS stack. */ - #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) - #define USE_KVMALLOC - #define USE_KVREALLOC + #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) && \ + !defined(DONT_USE_KVMALLOC) && !defined(DONT_USE_KVREALLOC) + #ifndef USE_KVMALLOC + #define USE_KVMALLOC + #endif + #ifndef USE_KVREALLOC + #define USE_KVREALLOC + #endif #endif #endif @@ -686,7 +696,9 @@ typeof(kzalloc_noprof) *kzalloc_noprof; typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof; typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof; - typeof(kvrealloc_noprof) *kvrealloc_noprof; + #ifdef HAVE_KVREALLOC + typeof(kvrealloc_noprof) *kvrealloc_noprof; + #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; @@ -960,7 +972,9 @@ #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof) #define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof) - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #ifdef HAVE_KVREALLOC + #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) @@ -968,7 +982,9 @@ #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof) #define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof) - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #ifdef HAVE_KVREALLOC + #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #endif #else /* <6.10.0 */ #define kmalloc WC_LKM_INDIRECT_SYM(kmalloc) #define krealloc WC_LKM_INDIRECT_SYM(krealloc) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 389ff1f59..3d002e5d9 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -556,14 +556,18 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof; +#ifdef HAVE_KVREALLOC wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; +#endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof; wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof; +#ifdef HAVE_KVREALLOC wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; +#endif #else wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc; wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; diff --git a/src/tls.c b/src/tls.c index b2964ad95..2f13d558b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -8537,7 +8537,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) int ret = 0; int type = 0; #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ - KyberKey kem[1]; + #ifdef WOLFSSL_SMALL_STACK + KyberKey *kem = NULL; + #else + KyberKey kem[1]; + #endif byte* privKey = NULL; word32 privSz = 0; #else @@ -8559,6 +8563,18 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) } #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ + + #ifdef WOLFSSL_SMALL_STACK + if (ret == 0) { + kem = (KyberKey *)XMALLOC(sizeof(*kem), ssl->heap, + DYNAMIC_TYPE_PRIVATE_KEY); + if (kem == NULL) { + WOLFSSL_MSG("KEM memory allocation failure"); + ret = MEMORY_ERROR; + } + } + #endif /* WOLFSSL_SMALL_STACK */ + if (ret == 0) { ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId); if (ret != 0) { @@ -8658,6 +8674,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) #endif } + #if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \ + defined(WOLFSSL_SMALL_STACK) + XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); + #endif + return ret; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index cc9ae816a..212986e9a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6806,7 +6806,7 @@ WOLFSSL_LOCAL word32 MacSize(const WOLFSSL* ssl); WOLFSSL_LOCAL int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz, byte isFirstCHFrag, byte* tls13); #endif /* !defined(NO_WOLFSSL_SERVER) */ -#if !defined(WOLFCRYPT_ONLY) && \ +#if !defined(WOLFCRYPT_ONLY) && !defined(WOLFSSL_NO_SOCK) && \ (defined(USE_WOLFSSL_IO) || defined(WOLFSSL_USER_IO)) WOLFSSL_LOCAL int sockAddrEqual(SOCKADDR_S *a, XSOCKLENT aLen, SOCKADDR_S *b, XSOCKLENT bLen);