Merge pull request #9027 from douzzer/20250723-linuxkm-fixes-and-testing-workflow

20250723-linuxkm-fixes-and-testing-workflow
philljj
2025-07-23 22:43:51 -05:00
committed by GitHub
8 changed files with 125 additions and 14 deletions

54
.github/workflows/linuxkm.yml vendored Normal file

@@ -0,0 +1,54 @@
name: Kernel Module Build
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_library:
strategy:
matrix:
config: [
'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384',
'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384'
]
name: build module
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Prepare target kernel for module builds
run: |
echo "updating linux-headers"
sudo apt-get update || $(exit 2)
sudo apt-get install linux-headers-$(uname -r) -y || $(exit 3)
echo "preparing target kernel $(uname -r)"
pushd "/lib/modules/$(uname -r)/build" || $(exit 4)
if [ -f /proc/config.gz ]; then gzip -dc /proc/config.gz > /tmp/.config && sudo mv /tmp/.config . || $(exit 5); elif [ -f "/boot/config-$(uname -r)" ]; then sudo cp -p "/boot/config-$(uname -r)" .config || $(exit 6); fi
sudo make -j 4 oldconfig || $(exit 7)
sudo make M="$(pwd)" modules_prepare || $(exit 8)
popd >/dev/null
- name: autogen.sh
run: |
./autogen.sh || $(exit 9)
- name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings
run: |
echo "running ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }}"
./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }} || $(exit 10)
# try to remove profiling (-pg) because it leads to "_mcleanup: gmon.out: Permission denied"
make -j 4 KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1 || $(exit 11)
ls -l linuxkm/libwolfssl.ko || $(exit 12)
echo "Successful linuxkm build."
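Review bot: The workflow declares no `permissions:` block, so the `build_library` job gets the repository's default GITHUB_TOKEN scope although it only needs to read the tree. A top-level `permissions:` with `contents: read` would keep a job that runs `./autogen.sh`, `./configure` and `sudo make` on pull-request code at least privilege. `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA and setting `persist-credentials: false` (no later step pushes) would narrow the supply-chain exposure further. The `|| $(exit N)` idiom stops the step only because the runner's default shell runs with `-e`, so a one-line comment saying this would protect the distinct exit codes if the shell setting is ever changed.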


@@ -193,6 +193,10 @@ DILITHIUM_MUL_QINV_SLOW
DILITHIUM_MUL_Q_SLOW DILITHIUM_MUL_Q_SLOW
DILITHIUM_MUL_SLOW DILITHIUM_MUL_SLOW
DILITHIUM_USE_HINT_CT DILITHIUM_USE_HINT_CT
DONT_HAVE_KVMALLOC
DONT_HAVE_KVREALLOC
DONT_USE_KVMALLOC
DONT_USE_KVREALLOC
DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER
ECCSI_ORDER_MORE_BITS_THAN_PRIME ECCSI_ORDER_MORE_BITS_THAN_PRIME
ECC_DUMP_OID ECC_DUMP_OID


@@ -105,6 +105,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
# "__stack_chk_fail" from the wolfCrypt container. # "__stack_chk_fail" from the wolfCrypt container.
PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
# the kernel sanitizers generate external references to
# __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
KASAN_SANITIZE := n
UBSAN_SANITIZE := n
ifeq "$(KERNEL_ARCH_X86)" "yes" ifeq "$(KERNEL_ARCH_X86)" "yes"
PIE_FLAGS += -mcmodel=small PIE_FLAGS += -mcmodel=small
ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y" ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
@@ -129,6 +133,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS) $(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
endif endif
ifdef KERNEL_EXTRA_CFLAGS_REMOVE
ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE
endif
$(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H $(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H
$(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE) $(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
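Review bot: In the second hunk, `ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE` appends the literal word rather than the variable's value, so the flag the new workflow passes (`KERNEL_EXTRA_CFLAGS_REMOVE=-pg`) is never removed; it should read `ccflags-remove-y += $(KERNEL_EXTRA_CFLAGS_REMOVE)`. Separately, in the first hunk `KASAN_SANITIZE := n` and `UBSAN_SANITIZE := n` are directory-wide Kbuild switches, so a PIE build appears to lose sanitizer coverage for every object built here, not only those in the PIE container. If only the container objects produce the unresolved `__ubsan_handle_*` references, per-object `KASAN_SANITIZE_<file>.o := n` / `UBSAN_SANITIZE_<file>.o := n` would keep instrumentation on the rest. Both enclosing `ifeq` blocks extend outside the hunks.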


@@ -98,6 +98,9 @@ else
endif endif
libwolfssl.ko.signed: libwolfssl.ko libwolfssl.ko.signed: libwolfssl.ko
ifdef FORCE_NO_MODULE_SIG
@echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.'
else
@cd '$(KERNEL_ROOT)' || exit $$?; \ @cd '$(KERNEL_ROOT)' || exit $$?; \
while read configline; do \ while read configline; do \
case "$$configline" in \ case "$$configline" in \
@@ -127,6 +130,7 @@ libwolfssl.ko.signed: libwolfssl.ko
echo " Module $@ signed by $${CONFIG_MODULE_SIG_KEY}."; \ echo " Module $@ signed by $${CONFIG_MODULE_SIG_KEY}."; \
fi \ fi \
fi fi
endif
.PHONY: install modules_install .PHONY: install modules_install
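Review bot: `ifdef FORCE_NO_MODULE_SIG` in the first hunk is true for any non-empty value, including `FORCE_NO_MODULE_SIG=0`, and make also imports the variable from the environment, so module signing can be switched off without anyone asking for it on the command line. Testing the value, e.g. `ifeq "$(FORCE_NO_MODULE_SIG)" "1"`, would make the skip deliberate. A comment above it, such as `# test/CI builds only: produces an unsigned module even when the target kernel has CONFIG_MODULE_SIG set`, would record the intent. The recipe of `libwolfssl.ko.signed` continues between and outside the two hunks.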


@@ -81,28 +81,38 @@
* kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137.
* moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16.
* *
* however, until 6.11, it took an extra argument, oldsize, that makes it * however, until 6.12 (commit 590b9d576c), it took an extra argument,
* incompatible with traditional libc usage patterns, so we don't try to use it. * oldsize, that makes it incompatible with traditional libc usage patterns,
* so we don't try to use it.
*/ */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) && \
!defined(DONT_HAVE_KVMALLOC) && !defined(HAVE_KVMALLOC)
#define HAVE_KVMALLOC #define HAVE_KVMALLOC
#endif #endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) && \
!defined(DONT_HAVE_KVREALLOC) && !defined(HAVE_KVREALLOC)
#define HAVE_KVREALLOC #define HAVE_KVREALLOC
#endif #endif
#ifdef WOLFCRYPT_ONLY #ifdef WOLFCRYPT_ONLY
#ifdef HAVE_KVMALLOC #if defined(HAVE_KVMALLOC) && \
!defined(DONT_USE_KVMALLOC) && !defined(USE_KVMALLOC)
#define USE_KVMALLOC #define USE_KVMALLOC
#endif #endif
#ifdef HAVE_KVREALLOC #if defined(HAVE_KVREALLOC) && \
!defined(DONT_USE_KVREALLOC) && !defined(USE_KVREALLOC)
#define USE_KVREALLOC #define USE_KVREALLOC
#endif #endif
#else #else
/* functioning realloc() is needed for the TLS stack. */ /* functioning realloc() is needed for the TLS stack. */
#if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) && \
#define USE_KVMALLOC !defined(DONT_USE_KVMALLOC) && !defined(DONT_USE_KVREALLOC)
#define USE_KVREALLOC #ifndef USE_KVMALLOC
#define USE_KVMALLOC
#endif
#ifndef USE_KVREALLOC
#define USE_KVREALLOC
#endif
#endif #endif
#endif #endif
@@ -686,7 +696,9 @@
typeof(kzalloc_noprof) *kzalloc_noprof; typeof(kzalloc_noprof) *kzalloc_noprof;
typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof; typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof;
typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof; typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof;
typeof(kvrealloc_noprof) *kvrealloc_noprof; #ifdef HAVE_KVREALLOC
typeof(kvrealloc_noprof) *kvrealloc_noprof;
#endif
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
typeof(kmalloc_noprof) *kmalloc_noprof; typeof(kmalloc_noprof) *kmalloc_noprof;
typeof(krealloc_noprof) *krealloc_noprof; typeof(krealloc_noprof) *krealloc_noprof;
@@ -960,7 +972,9 @@
#define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof)
#define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof) #define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof)
#define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof) #define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof)
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) #ifdef HAVE_KVREALLOC
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof)
#endif
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
/* see include/linux/alloc_tag.h and include/linux/slab.h */ /* see include/linux/alloc_tag.h and include/linux/slab.h */
#define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof)
@@ -968,7 +982,9 @@
#define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof)
#define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof) #define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof)
#define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof) #define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof)
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) #ifdef HAVE_KVREALLOC
#define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof)
#endif
#else /* <6.10.0 */ #else /* <6.10.0 */
#define kmalloc WC_LKM_INDIRECT_SYM(kmalloc) #define kmalloc WC_LKM_INDIRECT_SYM(kmalloc)
#define krealloc WC_LKM_INDIRECT_SYM(krealloc) #define krealloc WC_LKM_INDIRECT_SYM(krealloc)
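Review bot: The new `!defined(USE_KVMALLOC)` / `!defined(USE_KVREALLOC)` guards in the first hunk let a builder predefine the `USE_*` macros, but nothing rejects `USE_KVMALLOC` without `USE_KVREALLOC` in a non-`WOLFCRYPT_ONLY` build, which the existing comment says needs a functioning realloc(). How the allocator macros are mapped is outside this section, so the consequence is inferred. A check such as `#if !defined(WOLFCRYPT_ONLY) && defined(USE_KVMALLOC) && !defined(USE_KVREALLOC)` followed by an `#error` line would turn a mismatched allocate/reallocate pairing into a build failure. The comment block above should also mention the overrides, e.g. `DONT_HAVE_* and DONT_USE_* may be predefined to suppress the corresponding HAVE_* / USE_* auto-detection below.`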


@@ -556,14 +556,18 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof;
wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof; wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof;
#ifdef HAVE_KVREALLOC
wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof;
#endif
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof; wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof;
wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof;
#ifdef HAVE_KVREALLOC
wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof;
#endif
#else #else
wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc; wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc;
wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc;


@@ -8537,7 +8537,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
int ret = 0; int ret = 0;
int type = 0; int type = 0;
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
KyberKey kem[1]; #ifdef WOLFSSL_SMALL_STACK
KyberKey *kem = NULL;
#else
KyberKey kem[1];
#endif
byte* privKey = NULL; byte* privKey = NULL;
word32 privSz = 0; word32 privSz = 0;
#else #else
@@ -8559,6 +8563,18 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
} }
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
#ifdef WOLFSSL_SMALL_STACK
if (ret == 0) {
kem = (KyberKey *)XMALLOC(sizeof(*kem), ssl->heap,
DYNAMIC_TYPE_PRIVATE_KEY);
if (kem == NULL) {
WOLFSSL_MSG("KEM memory allocation failure");
ret = MEMORY_ERROR;
}
}
#endif /* WOLFSSL_SMALL_STACK */
if (ret == 0) { if (ret == 0) {
ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId); ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId);
if (ret != 0) { if (ret != 0) {
@@ -8658,6 +8674,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
#endif #endif
} }
#if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \
defined(WOLFSSL_SMALL_STACK)
XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
#endif
return ret; return ret;
} }
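Review bot: When the `XMALLOC` in the second hunk fails, `kem` stays NULL and `ret` becomes `MEMORY_ERROR`, so every later use of `kem` in the part of TLSX_KeyShare_GenPqcKeyClient that lies between the hunks must be gated on `ret == 0` or be NULL-safe. With the old `KyberKey kem[1]` an unconditional cleanup call was harmless; with a pointer it may not be. The same holds when an earlier step has already set `ret` and the allocation is skipped. The object presumably holds private key material and now lives on the heap, so it is also worth confirming that the key is released and zeroized before the final `XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY)`. A short comment at that line naming the call that does the scrubbing would settle it.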


@@ -6806,7 +6806,7 @@ WOLFSSL_LOCAL word32 MacSize(const WOLFSSL* ssl);
WOLFSSL_LOCAL int DoClientHelloStateless(WOLFSSL* ssl, WOLFSSL_LOCAL int DoClientHelloStateless(WOLFSSL* ssl,
const byte* input, word32 helloSz, byte isFirstCHFrag, byte* tls13); const byte* input, word32 helloSz, byte isFirstCHFrag, byte* tls13);
#endif /* !defined(NO_WOLFSSL_SERVER) */ #endif /* !defined(NO_WOLFSSL_SERVER) */
#if !defined(WOLFCRYPT_ONLY) && \ #if !defined(WOLFCRYPT_ONLY) && !defined(WOLFSSL_NO_SOCK) && \
(defined(USE_WOLFSSL_IO) || defined(WOLFSSL_USER_IO)) (defined(USE_WOLFSSL_IO) || defined(WOLFSSL_USER_IO))
WOLFSSL_LOCAL int sockAddrEqual(SOCKADDR_S *a, XSOCKLENT aLen, WOLFSSL_LOCAL int sockAddrEqual(SOCKADDR_S *a, XSOCKLENT aLen,
SOCKADDR_S *b, XSOCKLENT bLen); SOCKADDR_S *b, XSOCKLENT bLen);