From 08f5c3e8b910cb5c491e534ff44f1ba52ea3b2da Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 18 Oct 2025 01:56:48 -0500
Subject: [PATCH 1/4] configure.ac: in linuxkm setup, use -g1 explicitly unless --enable-debug, whereupon use -g3. also, add -gdwarf-4 to AM_CCASFLAGS.
---
configure.ac | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/configure.ac b/configure.ac
index a4e4afbee..ea74b1317 100644
--- a/configure.ac
+++ b/configure.ac
@@ -740,6 +740,14 @@ then
 # "Unsupported DW_TAG_atomic_type(0x47): type: 0x1eefc" in some
 # kernel module builds.
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
+ AS_IF([test "$ax_enable_debug" = "yes"], [AM_CFLAGS="$AM_CFLAGS -g3"], [AM_CFLAGS="$AM_CFLAGS -g1"])
+ AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
+ AS_IF([test "$ax_enable_debug" = "yes"], [AM_CCASFLAGS="$AM_CFLAGS -g3"], [AM_CCASFLAGS="$AM_CFLAGS -g1"])
+
 ENABLED_NO_LIBRARY=yes
 ENABLED_BENCHMARK=no
 output_objdir="$(realpath "$output_objdir")/linuxkm"
From 2bbc3a0ae23f97df3913aa733665c684b34051d9 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 18 Oct 2025 02:05:55 -0500
Subject: [PATCH 2/4] wolfcrypt/test/test.c: fixes for --disable-sha256, --disable-hmac, --disable-rng, and FIPS gating on RSA-PSS.
---
wolfcrypt/test/test.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 7757d01d6..a44310c45 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -621,7 +621,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls12_kdf_test(void);
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prf_test(void);
 #endif
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sshkdf_test(void);
-#ifdef WOLFSSL_TLS13
+#if defined(WOLFSSL_TLS13) && !defined(NO_HMAC)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls13_kdf_test(void);
 #endif
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t x963kdf_test(void);
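Review bot: The new `AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"` line has no effect, because both branches of the AS_IF that follows it reassign AM_CCASFLAGS from `$AM_CFLAGS` — which at that point already carries the two -D flags, -gdwarf-4 and the -g level — so the assembler ends up with `$AM_CFLAGS -g3` or `$AM_CFLAGS -g1` (the -g level repeated) and anything AM_CCASFLAGS may have accumulated earlier in configure.ac is discarded. If the intent is to append to the assembler flags rather than replace them, the first line should read `AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"` and the branches `[AM_CCASFLAGS="$AM_CCASFLAGS -g3"]` / `[AM_CCASFLAGS="$AM_CCASFLAGS -g1"]`; if the intent is for the assembler flags to mirror AM_CFLAGS, the dead first assignment should simply be dropped so the next reader is not misled. The enclosing `if`/`then` block of the linuxkm setup starts outside the hunk.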
@@ -1944,14 +1944,14 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
 #endif /* WOLFSSL_HAVE_PRF && HAVE_HKDF && !NO_HMAC && */
 /* WOLFSSL_BASE16 && !WOLFSSL_NO_TLS12 */
-#ifdef WOLFSSL_TLS13
+#if defined(WOLFSSL_TLS13) && !defined(NO_HMAC)
 PRIVATE_KEY_UNLOCK();
 if ( (ret = tls13_kdf_test()) != 0)
 TEST_FAIL("TLSv1.3 KDF test failed!\n", ret);
 else
 TEST_PASS("TLSv1.3 KDF test passed!\n");
 PRIVATE_KEY_LOCK();
-#endif /* WOLFSSL_TLS13 */
+#endif /* WOLFSSL_TLS13 && !NO_HMAC */
 #if defined(HAVE_X963_KDF) && defined(HAVE_ECC)
 if ( (ret = x963kdf_test()) != 0)
@@ -20769,7 +20769,9 @@ done:
 }
 #endif
-#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
+#if defined(WC_RSA_PSS) && \
+ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0)) && \
+ !defined(WC_NO_RNG)
 /* Need to create known good signatures to test with this. */
 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
 !defined(WOLF_CRYPTO_CB_ONLY_RSA)
@@ -21131,7 +21133,8 @@ exit_rsa_pss:
 return ret;
 }
 #endif /* !WOLFSSL_RSA_VERIFY_ONLY && !WOLFSSL_RSA_PUBLIC_ONLY */
-#endif
+#endif /* WC_RSA_PSS && (!HAVE_FIPS || FIPS_VERSION_GE(5,0)) && !WC_NO_RNG */
+
 #ifdef WC_RSA_NO_PADDING
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_no_pad_test(void)
@@ -23176,7 +23179,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
 #endif /* WOLFSSL_CERT_REQ */
 #endif /* WOLFSSL_CERT_GEN */
-#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
+#if defined(WC_RSA_PSS) && \
+ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0)) && \
+ !defined(WC_NO_RNG)
 /* Need to create known good signatures to test with this. */
 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
 !defined(WOLF_CRYPTO_CB_ONLY_RSA)
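Review bot: The rewritten gate `#if defined(WC_RSA_PSS) && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0)) && !defined(WC_NO_RNG)` in the rsa_test() hunk (and its twin at 20769) is parsed in full by the preprocessor even when `!defined(HAVE_FIPS)` is true, so if FIPS_VERSION_GE is only defined for FIPS builds a non-FIPS configuration fails with a "missing binary operator" error rather than short-circuiting; presumably settings.h supplies the macro unconditionally, but that is worth confirming with a plain --disable-fips build since the old `!defined(HAVE_FIPS_VERSION)` form had no such dependency. The hunk at 21131 updates its closing `#endif` comment to spell out the new condition, but the `#endif` that closes this rsa_test() gate lies outside the hunk; whatever trailing comment it carries should be brought in line, e.g. `#endif /* WC_RSA_PSS && (!HAVE_FIPS || FIPS_VERSION_GE(5,0)) && !WC_NO_RNG */`, so the two gates read as a pair. The dropped `/* not supported with FIPSv1 */` remark could also be replaced by a one-line comment stating why PSS is skipped below FIPS v5, since the version threshold is otherwise unexplained. rsa_test() begins and ends outside the hunk.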
@@ -28431,7 +28436,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls12_kdf_test(void)
 #endif /* WOLFSSL_HAVE_PRF && HAVE_HKDF && !NO_HMAC && */
 /* WOLFSSL_BASE16 && !WOLFSSL_NO_TLS12 */
-#ifdef WOLFSSL_TLS13
+#if defined(WOLFSSL_TLS13) && !defined(NO_HMAC)
 #define TLSV13_PSK_DHE_SZ 40
 typedef struct {
@@ -29127,7 +29132,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls13_kdf_test(void)
 return ret;
 }
-#endif /* WOLFSSL_TLS13 */
+#endif /* WOLFSSL_TLS13 && !NO_HMAC */
 static const int fiducial2 = WC_TEST_RET_LN; /* source code reference point --
 * see print_fiducials() below.
From a36dd35e59b0bf888f723f43e8914e6319e159b3 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 18 Oct 2025 03:23:38 -0500
Subject: [PATCH 3/4] linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
---
linuxkm/Kbuild | 26 +++++++++++++-------------
linuxkm/Makefile | 4 ++--
linuxkm/wolfcrypt.lds | 16 ++++++++--------
3 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild
index 4246e176c..2b47bcf81 100644
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -215,16 +215,16 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 fi; \
 cd "$(obj)" || exit $$?; \
 for file in $(WOLFCRYPT_PIE_FILES); do \
- $(OBJCOPY) --rename-section .text=.text.wolfcrypt \
- --rename-section .text.unlikely=.text.wolfcrypt \
- --rename-section .rodata=.rodata.wolfcrypt \
- --rename-section .rodata.str1.1=.rodata.wolfcrypt \
- --rename-section .rodata.str1.8=.rodata.wolfcrypt \
- --rename-section .rodata.cst16=.rodata.wolfcrypt \
- --rename-section .rodata.cst32=.rodata.wolfcrypt \
- --rename-section .data=.data.wolfcrypt \
- --rename-section .data.rel.local=.data.wolfcrypt \
- --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?; \
+ $(OBJCOPY) --rename-section .text=.text_wolfcrypt \
+ --rename-section .text.unlikely=.text_wolfcrypt \
+ --rename-section .rodata=.rodata_wolfcrypt \
+ --rename-section .rodata.str1.1=.rodata_wolfcrypt \
+ --rename-section .rodata.str1.8=.rodata_wolfcrypt \
+ --rename-section .rodata.cst16=.rodata_wolfcrypt \
+ --rename-section .rodata.cst32=.rodata_wolfcrypt \
+ --rename-section .data=.data_wolfcrypt \
+ --rename-section .data.rel.local=.data_wolfcrypt \
+ --rename-section .bss=.bss_wolfcrypt "$$file" || exit $$?; \
 done; \
 [ "$(KERNEL_ARCH_X86)" != "yes" ] || \
 { $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
@@ -253,12 +253,12 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 if (phase == 1) { \
 if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
 switch (a[2]) { \
- case ".text.wolfcrypt": \
+ case ".text_wolfcrypt": \
 { \
 wolfcrypt_text_sections[a[1]] = a[2]; \
 next; \
 } \
- case /^\.(data|rodata|bss)\.wolfcrypt$$/: \
+ case /^\.(data|rodata|bss)_wolfcrypt$$/: \
 { \
 wolfcrypt_data_sections[a[1]] = a[2]; \
 next; \
@@ -301,7 +301,7 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 }}'; } || \
 { echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }; \
 if [[ "$(quiet)" != "silent_" ]]; then \
- echo ' wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'; \
+ echo ' wolfCrypt .{text,data,rodata,bss} sections containerized to .{text,data,rodata}_wolfcrypt'; \
 fi
 endif
diff --git a/linuxkm/Makefile b/linuxkm/Makefile
index 1ab64c671..e3bcba401 100644
--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -107,7 +107,7 @@ GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
 printf("%s\n ", \
 "const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
 } \
- /^Relocation section '\''\.rela\.text\.wolfcrypt'\''/ { \
+ /^Relocation section '\''\.rela\.text_wolfcrypt'\''/ { \
 p=1; \
 next; \
 } \
@@ -171,7 +171,7 @@ module-update-fips-hash: libwolfssl.ko
 @if test -z '$(FIPS_HASH)'; then echo ' $$FIPS_HASH is unset' >&2; exit 1; fi
 @if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo ' $$FIPS_HASH is malformed' >&2; exit 1; fi
 @readarray -t rodata_segment < <($(READELF) --wide --sections libwolfssl.ko | \
- sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata\.wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
+ sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata_wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
 if [[ $${#rodata_segment[@]} != 2 ]]; then echo ' unexpected rodata_segment.' >&2; exit 1; fi; \
 readarray -t verifyCore_attrs < <($(READELF) --wide --symbols libwolfssl.ko | \
 sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
diff --git a/linuxkm/wolfcrypt.lds b/linuxkm/wolfcrypt.lds
index 6399a0c26..9b466d710 100644
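Review bot: The updated progress message is internally inconsistent: it names `.{text,data,rodata,bss}` as the source sections but only `.{text,data,rodata}_wolfcrypt` as the targets, even though the objcopy recipe earlier in the same RENAME_PIE_TEXT_AND_DATA_SECTIONS definition renames `.bss` to `.bss_wolfcrypt` as well. Make both halves agree: `echo ' wolfCrypt .{text,data,rodata,bss} sections containerized to .{text,data,rodata,bss}_wolfcrypt'; \`. The variable definition this line belongs to starts well outside the hunk.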
--- a/linuxkm/wolfcrypt.lds
+++ b/linuxkm/wolfcrypt.lds
@@ -1,29 +1,29 @@
 SECTIONS {
 . = ALIGN(4096);
- .text.wolfcrypt : {
+ .text_wolfcrypt : {
 __wc_text_start = .;
- *(.text.wolfcrypt)
+ *(.text_wolfcrypt)
 . = ALIGN(4096);
 __wc_text_end = .;
 }
 . = ALIGN(4096);
- .rodata.wolfcrypt : {
+ .rodata_wolfcrypt : {
 __wc_rodata_start = .;
- *(.rodata.wolfcrypt)
+ *(.rodata_wolfcrypt)
 . = ALIGN(4096);
 __wc_rodata_end = .;
 }
 . = ALIGN(4096);
- .data.wolfcrypt : {
+ .data_wolfcrypt : {
 __wc_rwdata_start = .;
- *(.data.wolfcrypt)
+ *(.data_wolfcrypt)
 . = ALIGN(4096);
 __wc_rwdata_end = .;
 }
 . = ALIGN(4096);
- .bss.wolfcrypt : {
+ .bss_wolfcrypt : {
 __wc_bss_start = .;
- *(.bss.wolfcrypt)
+ *(.bss_wolfcrypt)
 . = ALIGN(4096);
 __wc_bss_end = .;
 }
From 9881c95c46b90df77f5a86a2185c322ceb373aa0 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 18 Oct 2025 12:07:35 -0500
Subject: [PATCH 4/4] linuxkm/Kbuild: refactor RENAME_PIE_TEXT_AND_DATA_SECTIONS to automatically derive the list of all ELF sections to rename, rather than enumerating them staticly in the objcopy recipe (motivated by changes expected in kernel 6.19).
---
linuxkm/Kbuild | 23 ++++++++++------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild
index 2b47bcf81..54986a6ab 100644
--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -214,19 +214,16 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 echo 'OK.'; \
 fi; \
 cd "$(obj)" || exit $$?; \
- for file in $(WOLFCRYPT_PIE_FILES); do \
- $(OBJCOPY) --rename-section .text=.text_wolfcrypt \
- --rename-section .text.unlikely=.text_wolfcrypt \
- --rename-section .rodata=.rodata_wolfcrypt \
- --rename-section .rodata.str1.1=.rodata_wolfcrypt \
- --rename-section .rodata.str1.8=.rodata_wolfcrypt \
- --rename-section .rodata.cst16=.rodata_wolfcrypt \
- --rename-section .rodata.cst32=.rodata_wolfcrypt \
- --rename-section .data=.data_wolfcrypt \
- --rename-section .data.rel.local=.data_wolfcrypt \
- --rename-section .bss=.bss_wolfcrypt "$$file" || exit $$?; \
- done; \
- [ "$(KERNEL_ARCH_X86)" != "yes" ] || \
+ for file in $(WOLFCRYPT_PIE_FILES); do \
+ $(OBJCOPY) $$($(READELF) --sections --wide "$$file" | \
+ $(AWK) ' \
+ { \
+ if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) { \
+ printf("--rename-section .%s%s=.%s_wolfcrypt ", a[1], a[2], a[1]); \
+ } \
+ }') "$$file" || exit $$?; \
+ done; \
+ [ "$(KERNEL_ARCH_X86)" != "yes" ] || \
 { $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
 $(AWK) -v obj="$(obj)" ' \
 /^File:/ { \
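Review bot: A failure of the `$(READELF) --sections --wide "$$file"` inside the new command substitution is silently masked: the pipeline's status is awk's, the substitution's status is never checked, and an empty result simply makes `$(OBJCOPY) "$$file"` run with no --rename-section arguments and succeed, leaving that object un-containerized. On x86 the symbol audit that follows (`symbol(s) missed by containerization`) would catch the miss, but that audit is skipped whenever `KERNEL_ARCH_X86` is not `yes`, so on other architectures a missing or misbehaving readelf would produce a module whose wolfCrypt code sits outside the container sections this step exists to build — worse than the old static list, which could not degrade to "rename nothing". Capture the rename list into a variable first and refuse to continue when it is empty (and, since the recipe already relies on bash for `[[`, a `set -o pipefail` at the top of the recipe would surface readelf's own status too). The derived pattern also now sweeps in every `.text.*`/`.rodata.*`/`.data.*`/`.bss.*` subsection — `.text.startup`, `.data.rel.ro`, and, should one ever appear, `.data..percpu` — which is presumably intended for the code/rodata cases but deserves a one-line comment stating that assumption; the RENAME_PIE_TEXT_AND_DATA_SECTIONS definition continues past both ends of the hunk.
```makefile
	    for file in $(WOLFCRYPT_PIE_FILES); do \
	      renames=$$($(READELF) --sections --wide "$$file" | \
	        $(AWK) '{ \
	          if (match($$0, "^ *\\[ *[0-9]+\\] +\\.(text|rodata|data|bss)(\\.[^ ]+)? ", a)) { \
	            printf("--rename-section .%s%s=.%s_wolfcrypt ", a[1], a[2], a[1]); \
	          } \
	        }'); \
	      [ -n "$$renames" ] || \
	        { echo "Error: no .text/.rodata/.data/.bss sections found in $$file" >&2; exit 1; }; \
	      $(OBJCOPY) $$renames "$$file" || exit $$?; \
	    done; \
	    # … unchanged: x86-only readelf/awk symbol audit …
```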