From a36dd35e59b0bf888f723f43e8914e6319e159b3 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Sat, 18 Oct 2025 03:23:38 -0500
Subject: [PATCH] linuxkm: rename FIPS container segments from foo.wolfcrypt to
 foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds
 klp/kpatch clauses expected in kernel 6.19.

---
 linuxkm/Kbuild        | 26 +++++++++++++-------------
 linuxkm/Makefile      |  4 ++--
 linuxkm/wolfcrypt.lds | 16 ++++++++--------
 3 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild
index 4246e176c..2b47bcf81 100644
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -215,16 +215,16 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 	fi; \
 	cd "$(obj)" || exit $$?; \
 	for file in $(WOLFCRYPT_PIE_FILES); do			\
-	    $(OBJCOPY) --rename-section .text=.text.wolfcrypt	\
-	    --rename-section .text.unlikely=.text.wolfcrypt	\
-	    --rename-section .rodata=.rodata.wolfcrypt		\
-	    --rename-section .rodata.str1.1=.rodata.wolfcrypt	\
-	    --rename-section .rodata.str1.8=.rodata.wolfcrypt	\
-	    --rename-section .rodata.cst16=.rodata.wolfcrypt	\
-	    --rename-section .rodata.cst32=.rodata.wolfcrypt	\
-	    --rename-section .data=.data.wolfcrypt		\
-	    --rename-section .data.rel.local=.data.wolfcrypt    \
-	    --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?; \
+	    $(OBJCOPY) --rename-section .text=.text_wolfcrypt	\
+	    --rename-section .text.unlikely=.text_wolfcrypt	\
+	    --rename-section .rodata=.rodata_wolfcrypt		\
+	    --rename-section .rodata.str1.1=.rodata_wolfcrypt	\
+	    --rename-section .rodata.str1.8=.rodata_wolfcrypt	\
+	    --rename-section .rodata.cst16=.rodata_wolfcrypt	\
+	    --rename-section .rodata.cst32=.rodata_wolfcrypt	\
+	    --rename-section .data=.data_wolfcrypt		\
+	    --rename-section .data.rel.local=.data_wolfcrypt    \
+	    --rename-section .bss=.bss_wolfcrypt "$$file" || exit $$?; \
 	done; \
 	[ "$(KERNEL_ARCH_X86)" != "yes" ] ||			\
 	{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) |	\
@@ -253,12 +253,12 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 		if (phase == 1) {					\
 		    if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
 			switch (a[2]) {					\
-			case ".text.wolfcrypt":				\
+			case ".text_wolfcrypt":				\
 			{						\
 			    wolfcrypt_text_sections[a[1]] = a[2];	\
 			    next;					\
 			}						\
-			case /^\.(data|rodata|bss)\.wolfcrypt$$/:	\
+			case /^\.(data|rodata|bss)_wolfcrypt$$/:	\
 			{						\
 			    wolfcrypt_data_sections[a[1]] = a[2];	\
 			    next;					\
@@ -301,7 +301,7 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 	    }}'; } || \
 	{ echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }; \
 	if [[ "$(quiet)" != "silent_" ]]; then \
-	    echo '  wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'; \
+	    echo '  wolfCrypt .{text,data,rodata,bss} sections containerized to .{text,data,rodata}_wolfcrypt'; \
 	fi
 endif
 
diff --git a/linuxkm/Makefile b/linuxkm/Makefile
index 1ab64c671..e3bcba401 100644
--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -107,7 +107,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko |				\
 	    printf("%s\n    ",								\
 	        "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ");			\
 	}										\
-	/^Relocation section '\''\.rela\.text\.wolfcrypt'\''/ {				\
+	/^Relocation section '\''\.rela\.text_wolfcrypt'\''/ {				\
 	    p=1;									\
 	    next;									\
 	}										\
@@ -171,7 +171,7 @@ module-update-fips-hash: libwolfssl.ko
 	@if test -z '$(FIPS_HASH)'; then echo '  $$FIPS_HASH is unset' >&2; exit 1; fi
 	@if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo '  $$FIPS_HASH is malformed' >&2; exit 1; fi
 	@readarray -t rodata_segment < <($(READELF) --wide --sections libwolfssl.ko | \
-	    sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata\.wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
+	    sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata_wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
 	if [[ $${#rodata_segment[@]} != 2 ]]; then echo '  unexpected rodata_segment.' >&2; exit 1; fi; \
 	readarray -t verifyCore_attrs < <($(READELF) --wide --symbols libwolfssl.ko | \
 	    sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
diff --git a/linuxkm/wolfcrypt.lds b/linuxkm/wolfcrypt.lds
index 6399a0c26..9b466d710 100644
--- a/linuxkm/wolfcrypt.lds
+++ b/linuxkm/wolfcrypt.lds
@@ -1,29 +1,29 @@
 SECTIONS {
     . = ALIGN(4096);
-    .text.wolfcrypt : {
+    .text_wolfcrypt : {
         __wc_text_start = .;
-        *(.text.wolfcrypt)
+        *(.text_wolfcrypt)
 	. = ALIGN(4096);
         __wc_text_end = .;
     }
     . = ALIGN(4096);
-    .rodata.wolfcrypt : {
+    .rodata_wolfcrypt : {
         __wc_rodata_start = .;
-        *(.rodata.wolfcrypt)
+        *(.rodata_wolfcrypt)
         . = ALIGN(4096);
         __wc_rodata_end = .;
     }
     . = ALIGN(4096);
-    .data.wolfcrypt : {
+    .data_wolfcrypt : {
         __wc_rwdata_start = .;
-        *(.data.wolfcrypt)
+        *(.data_wolfcrypt)
         . = ALIGN(4096);
         __wc_rwdata_end = .;
     }
     . = ALIGN(4096);
-    .bss.wolfcrypt : {
+    .bss_wolfcrypt : {
         __wc_bss_start = .;
-        *(.bss.wolfcrypt)
+        *(.bss_wolfcrypt)
         . = ALIGN(4096);
         __wc_bss_end = .;
     }