clean up setup code for kernel modules:

configure.ac:
* remove -DWC_SHA3_NO_ASM from ENABLED_LINUXKM AM_CFLAGS.
* refactor initial setup for KERNEL_MODE_DEFAULTS, adding generic --enable-kernel-settings while retaining legacy --enable-linuxkm-defaults.
* rename $DEF_SP_MATH to $DEF_SP_MATH_ALL.
* remove redundant and unneeded setup for KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM (leverage existing setup in settings.h).
* move some still-needed KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM setup from configure.ac to settings.h.
* set up -DWOLFSSL_KERNEL_MODE_DEFAULTS, so that settings.h can pivot on it.

wolfssl/wolfcrypt/settings.h:
* revise WOLFSSL_LINUXKM section of settings.h to require WOLFSSL_MIN_AUTH_TAG_SZ at least 8 for old FIPS and 12 for new FIPS.  still force down to 4 bytes if crypto fuzzer is enabled, otherwise force down to 8 to support legacy IPsec ESP.
* in the WOLFSSL_LINUXKM section, don't set WC_MLKEM_NO_ASM, and disable DEBUG_VECTOR_REGISTER_ACCESS_FUZZING in ML-KEM, ML-DSA, and SLH-DSA -- intelasm works right, but fuzzing doesn't (yet).
This commit is contained in:
Daniel Pouzzner
2026-06-27 14:26:56 -05:00
parent 7a402566b6
commit 7545798248
2 changed files with 99 additions and 55 deletions
+51 -47
View File
@@ -165,12 +165,6 @@ AC_ARG_ENABLE([linuxkm],
[ENABLED_LINUXKM=no]
)
AC_ARG_ENABLE([linuxkm-defaults],
[AS_HELP_STRING([--enable-linuxkm-defaults],[Enable feature defaults for Linux Kernel Module (default: disabled)])],
[KERNEL_MODE_DEFAULTS=$enableval],
[KERNEL_MODE_DEFAULTS=$ENABLED_LINUXKM]
)
# FreeBSD Kernel Module
AC_ARG_ENABLE([freebsdkm],
[AS_HELP_STRING([--enable-freebsdkm],[Enable FreeBSD Kernel Module (default: disabled)])],
@@ -178,6 +172,29 @@ AC_ARG_ENABLE([freebsdkm],
[ENABLED_BSDKM=no]
)
if test "$ENABLED_LINUXKM" != "no" || test "$ENABLED_BSDKM" != "no"
then
KERNEL_MODE_DEFAULTS=yes
else
KERNEL_MODE_DEFAULTS=no
fi
AC_ARG_ENABLE([kernel-settings],
[AS_HELP_STRING([--enable-kernel-settings],[Enable default settings appropriate for kernel modules (default: disabled)])],
[KERNEL_MODE_DEFAULTS=$enableval]
)
# backward-compat alias for --enable-kernel-settings
AC_ARG_ENABLE([linuxkm-defaults],
[AS_HELP_STRING([--enable-linuxkm-defaults],[Enable default settings appropriate for kernel modules (default: disabled)])],
[KERNEL_MODE_DEFAULTS=$enableval]
)
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_MODE_DEFAULTS"
fi
AC_ARG_ENABLE([freebsdkm-crypto-register],
[AS_HELP_STRING([--enable-freebsdkm-crypto-register],[Register wolfCrypt implementations with the FreeBSD kernel opencrypto framework. (default: disabled)])],
[ENABLED_BSDKM_REGISTER=$enableval],
@@ -446,7 +463,7 @@ AC_SUBST([ENABLED_ASM])
# Default math is SP Math all and not fast math
# FIPS v1 and v2 must use fast math
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
# FIPS 140
@@ -557,7 +574,7 @@ AS_CASE([$ENABLED_FIPS],
FIPS_VERSION="v1"
HAVE_FIPS_VERSION_MAJOR=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="yes"
],
[v2|cert3389],[
@@ -565,7 +582,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MAJOR=2
HAVE_FIPS_VERSION_MINOR=0
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="yes"
],
[rand],[
@@ -573,7 +590,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MAJOR=2
HAVE_FIPS_VERSION_MINOR=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="no"
],
[v5|cert4718],[
@@ -582,7 +599,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="yes"
],
[v5.2.3],[
@@ -591,7 +608,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=3
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
],
[v5.2.4],[
@@ -600,7 +617,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=4
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
],
[v5-RC12],[
@@ -609,7 +626,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="yes"
],
[v5-ready],[
@@ -617,7 +634,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=3
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_SP_MATH_ALL="no"
DEF_FAST_MATH="yes"
],
[v5-dev],[
@@ -626,7 +643,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=1
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
# for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[v5-kcapi],[
FIPS_VERSION="v5-dev"
@@ -634,7 +651,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=3
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
# for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[v6|v6-dev],[
FIPS_VERSION="v6"
@@ -643,7 +660,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
],
[v7],[
@@ -653,7 +670,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
],
# Should always remain one ahead of the latest so as not to be confused with
@@ -665,7 +682,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
],
[dev|v7-dev],[
@@ -674,7 +691,7 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
# for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
FIPS_VERSION="$ENABLED_FIPS"
@@ -809,16 +826,10 @@ then
fi
AC_SUBST([ENABLED_KERNEL_BENCHMARKS])
if test "$ENABLED_LINUXKM" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "yes"
# Kernel mode only supports sp-math-all with smallstack.
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWC_SHA3_NO_ASM"
if test "$ENABLED_LINUXKM_PIE" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"
fi
if test "$ENABLED_FIPS" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK"
fi
DEF_SP_MATH="yes"
DEF_SP_MATH_ALL="yes"
DEF_FAST_MATH="no"
fi
@@ -848,11 +859,11 @@ then
# Currently DWARF 5 is the default debug format, but it results in
# "Unsupported DW_TAG_atomic_type(0x47): type: 0x1eefc" in some
# kernel module builds.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -gdwarf-4"
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -g3"],
[AM_CFLAGS="$AM_CFLAGS -g1"])
AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -gdwarf-4"
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CCASFLAGS="$AM_CFLAGS -g3"],
[AM_CCASFLAGS="$AM_CFLAGS -g1"])
@@ -879,8 +890,6 @@ then
if test "${KERNEL_ARCH}" = ""; then
AC_MSG_ERROR([Linux kernel target architecture for build tree ${KERNEL_ROOT} could not be determined. Is target kernel configured?])
fi
AM_CFLAGS="$AM_CFLAGS -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO"
fi
#
@@ -894,7 +903,6 @@ if test "x$ENABLED_BSDKM" = "xyes"
then
# note: bsdkm is wolfcrypt only for now.
HAVE_KERNEL_MODE=yes
KERNEL_MODE_DEFAULTS=yes
ENABLED_NO_LIBRARY=yes
ENABLED_BENCHMARK=no
@@ -938,9 +946,9 @@ then
DEF_FAST_MATH=no
fi
if test "$DEF_SP_MATH" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes")
if test "$DEF_SP_MATH_ALL" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes")
then
DEF_SP_MATH=no
DEF_SP_MATH_ALL=no
fi
# Single Precision maths implementation
@@ -953,7 +961,7 @@ AC_ARG_ENABLE([sp],
AC_ARG_ENABLE([sp-math-all],
[AS_HELP_STRING([--enable-sp-math-all],[Enable Single Precision math implementation for full algorithm suite (default: enabled)])],
[ ENABLED_SP_MATH_ALL=$enableval ],
[ ENABLED_SP_MATH_ALL=$DEF_SP_MATH ],
[ ENABLED_SP_MATH_ALL=$DEF_SP_MATH_ALL ],
)
# Single Precision maths (acceleration for common key sizes and curves)
@@ -985,7 +993,7 @@ then
fi
fi
# enable SP math assembly support automatically for x86_64 and aarch64 (except Linux kernel module)
# enable SP math assembly support automatically for x86_64 and aarch64 (except kernel modules)
SP_ASM_DEFAULT=no
if test "$ENABLED_SP_MATH" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "no"
then
@@ -1272,7 +1280,7 @@ then
if test "$ENABLED_SP_MATH" != "yes"
then
# linuxkm is incompatible with opensslextra and its dependents.
# kernel modules are currently incompatible with opensslextra and its dependents.
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
test "$enable_opensslextra" = "" && enable_opensslextra=yes
@@ -1318,7 +1326,7 @@ if test "$ENABLED_ALL_OSP" = "yes"
then
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults])
AC_MSG_ERROR([--enable-all-osp is incompatible with kernel mode defaults])
fi
test "$enable_tailscale" = "" && enable_tailscale=yes
@@ -1593,12 +1601,8 @@ then
# AFALG lacks AES-EAX
test "$enable_aeseax" = "" && test "$enable_afalg" != "yes" && enable_aeseax=yes
test "$enable_sakke" = "" && test "$enable_ecc" != "no" && enable_sakke=yes
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
test "$enable_cryptocb" = "" && enable_cryptocb=yes
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
fi
test "$enable_cryptocb" = "" && enable_cryptocb=yes
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
fi
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
+48 -8
View File
@@ -3998,8 +3998,31 @@
#undef HAVE_PUBLIC_FFDHE
#endif
#undef WOLFSSL_MIN_AUTH_TAG_SZ
#define WOLFSSL_MIN_AUTH_TAG_SZ 4
#if defined(HAVE_FIPS)
#if FIPS_VERSION3_LT(7, 0, 0)
/* support RFC 4106 IPsec ESP 64 bit tags */
#undef WOLFSSL_MIN_AUTH_TAG_SZ
#define WOLFSSL_MIN_AUTH_TAG_SZ 8
#else
/* No short (<96 bit) tags per SP 800-38D 2026 revision in process. */
#if WOLFSSL_MIN_AUTH_TAG_SZ < 12
#undef WOLFSSL_MIN_AUTH_TAG_SZ
#define WOLFSSL_MIN_AUTH_TAG_SZ 12
#endif
#endif
#elif defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || defined(CONFIG_CRYPTO_SELFTESTS_FULL)
/* The Linux kernel native crypto fuzzer expects small AES-GCM tag sizes to succeed. */
#if WOLFSSL_MIN_AUTH_TAG_SZ > 4
#undef WOLFSSL_MIN_AUTH_TAG_SZ
#define WOLFSSL_MIN_AUTH_TAG_SZ 4
#endif
#else
/* support RFC 4106 IPsec ESP */
#if WOLFSSL_MIN_AUTH_TAG_SZ > 8
#undef WOLFSSL_MIN_AUTH_TAG_SZ
#define WOLFSSL_MIN_AUTH_TAG_SZ 8
#endif
#endif
#if defined(LINUXKM_LKCAPI_REGISTER) && !defined(WOLFSSL_ASN_INT_LEAD_0_ANY)
/* kernel 5.10 crypto manager tests key(s) that fail unless leading
@@ -4011,9 +4034,20 @@
#define WOLFSSL_AARCH64_PRIVILEGE_MODE
#endif
/* USE_INTEL_SPEEDUP currently gives wrong results for ML-KEM in linuxkm. */
#if !defined(WC_MLKEM_NO_ASM) && !defined(WC_MLKEM_KERNEL_ASM)
#define WC_MLKEM_NO_ASM
/* SHA-3 low level state can't alternate freely between C and intelasm. */
#ifdef _WC_BUILDING_WC_MLKEM_POLY_C
#undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING
#endif
#ifdef _WC_BUILDING_WC_MLDSA_C
#undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING
#endif
#ifdef _WC_BUILDING_WC_SLHDSA_C
#undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING
#endif
#ifndef WC_SIPHASH_NO_ASM
/* siphash asm produces wrong results in kernel mode. */
#define WC_SIPHASH_NO_ASM
#endif
#endif /* WOLFSSL_LINUXKM */
@@ -4094,8 +4128,10 @@
#define WOLFSSL_HAVE_MAX
#endif /* WOLFSSL_BSDKM */
/* Common setup for kernel mode builds */
#ifdef WOLFSSL_KERNEL_MODE
/* Common setup for kernel mode builds, also compatible with user library via
* WOLFSSL_KERNEL_MODE_DEFAULTS.
*/
#if defined(WOLFSSL_KERNEL_MODE) || defined(WOLFSSL_KERNEL_MODE_DEFAULTS)
#ifndef WOLFSSL_API_PREFIX_MAP
#define WOLFSSL_API_PREFIX_MAP
#endif
@@ -4149,7 +4185,11 @@
#undef WOLFSSL_GENERAL_ALIGNMENT
#define WOLFSSL_GENERAL_ALIGNMENT SIZEOF_LONG
#endif
#endif /* WOLFSSL_KERNEL_MODE */
#ifndef WOLFSSL_SMALL_STACK_STATIC
#define WOLFSSL_SMALL_STACK_STATIC
#endif
#endif /* WOLFSSL_KERNEL_MODE || WOLFSSL_KERNEL_MODE_DEFAULTS */
#if defined(WC_SYM_RELOC_TABLES) && defined(HAVE_FIPS) && \
!defined(WC_PIE_RELOC_TABLES)