linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.

2026-01-29 12:42:13 +01:00 · 2025-10-18 03:23:38 -05:00
parent 2bbc3a0ae2
commit a36dd35e59
3 changed files with 23 additions and 23 deletions
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -215,16 +215,16 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 	fi; \
 	cd "$(obj)" || exit $$?; \
 	for file in $(WOLFCRYPT_PIE_FILES); do			\
-	    $(OBJCOPY) --rename-section .text=.text.wolfcrypt	\
-	    --rename-section .text.unlikely=.text.wolfcrypt	\
-	    --rename-section .rodata=.rodata.wolfcrypt		\
-	    --rename-section .rodata.str1.1=.rodata.wolfcrypt	\
-	    --rename-section .rodata.str1.8=.rodata.wolfcrypt	\
-	    --rename-section .rodata.cst16=.rodata.wolfcrypt	\
-	    --rename-section .rodata.cst32=.rodata.wolfcrypt	\
-	    --rename-section .data=.data.wolfcrypt		\
-	    --rename-section .data.rel.local=.data.wolfcrypt    \
-	    --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?; \
+	    $(OBJCOPY) --rename-section .text=.text_wolfcrypt	\
+	    --rename-section .text.unlikely=.text_wolfcrypt	\
+	    --rename-section .rodata=.rodata_wolfcrypt		\
+	    --rename-section .rodata.str1.1=.rodata_wolfcrypt	\
+	    --rename-section .rodata.str1.8=.rodata_wolfcrypt	\
+	    --rename-section .rodata.cst16=.rodata_wolfcrypt	\
+	    --rename-section .rodata.cst32=.rodata_wolfcrypt	\
+	    --rename-section .data=.data_wolfcrypt		\
+	    --rename-section .data.rel.local=.data_wolfcrypt    \
+	    --rename-section .bss=.bss_wolfcrypt "$$file" || exit $$?; \
 	done; \
 	[ "$(KERNEL_ARCH_X86)" != "yes" ] ||			\
 	{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) |	\
@@ -253,12 +253,12 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 		if (phase == 1) {					\
 		    if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
 			switch (a[2]) {					\
-			case ".text.wolfcrypt":				\
+			case ".text_wolfcrypt":				\
 			{						\
 			    wolfcrypt_text_sections[a[1]] = a[2];	\
 			    next;					\
 			}						\
-			case /^\.(data|rodata|bss)\.wolfcrypt$$/:	\
+			case /^\.(data|rodata|bss)_wolfcrypt$$/:	\
 			{						\
 			    wolfcrypt_data_sections[a[1]] = a[2];	\
 			    next;					\
@@ -301,7 +301,7 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 	    }}'; } || \
 	{ echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }; \
 	if [[ "$(quiet)" != "silent_" ]]; then \
-	    echo '  wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'; \
+	    echo '  wolfCrypt .{text,data,rodata,bss} sections containerized to .{text,data,rodata}_wolfcrypt'; \
 	fi
 endif

--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -107,7 +107,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko |				\
 	    printf("%s\n    ",								\
 	        "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ");			\
 	}										\
-	/^Relocation section '\''\.rela\.text\.wolfcrypt'\''/ {				\
+	/^Relocation section '\''\.rela\.text_wolfcrypt'\''/ {				\
 	    p=1;									\
 	    next;									\
 	}										\
@@ -171,7 +171,7 @@ module-update-fips-hash: libwolfssl.ko
 	@if test -z '$(FIPS_HASH)'; then echo '  $$FIPS_HASH is unset' >&2; exit 1; fi
 	@if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo '  $$FIPS_HASH is malformed' >&2; exit 1; fi
 	@readarray -t rodata_segment < <($(READELF) --wide --sections libwolfssl.ko | \
-	    sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata\.wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
+	    sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata_wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
 	if [[ $${#rodata_segment[@]} != 2 ]]; then echo '  unexpected rodata_segment.' >&2; exit 1; fi; \
 	readarray -t verifyCore_attrs < <($(READELF) --wide --symbols libwolfssl.ko | \
 	    sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
--- a/linuxkm/wolfcrypt.lds
+++ b/linuxkm/wolfcrypt.lds
@@ -1,29 +1,29 @@
 SECTIONS {
    . = ALIGN(4096);
-    .text.wolfcrypt : {
+    .text_wolfcrypt : {
        __wc_text_start = .;
-        *(.text.wolfcrypt)
+        *(.text_wolfcrypt)
 	. = ALIGN(4096);
        __wc_text_end = .;
    }
    . = ALIGN(4096);
-    .rodata.wolfcrypt : {
+    .rodata_wolfcrypt : {
        __wc_rodata_start = .;
-        *(.rodata.wolfcrypt)
+        *(.rodata_wolfcrypt)
        . = ALIGN(4096);
        __wc_rodata_end = .;
    }
    . = ALIGN(4096);
-    .data.wolfcrypt : {
+    .data_wolfcrypt : {
        __wc_rwdata_start = .;
-        *(.data.wolfcrypt)
+        *(.data_wolfcrypt)
        . = ALIGN(4096);
        __wc_rwdata_end = .;
    }
    . = ALIGN(4096);
-    .bss.wolfcrypt : {
+    .bss_wolfcrypt : {
        __wc_bss_start = .;
-        *(.bss.wolfcrypt)
+        *(.bss_wolfcrypt)
        . = ALIGN(4096);
        __wc_bss_end = .;
    }