linuxkm/Makefile:

* add module-update-fips-hash rule, for in-place FIPS hash update without rebuild;
* improve PIE sequence in module build rule to double-check stability of the relocation table after final rebuild;

Makefile.am: add a module-update-fips-hash passthrough target.

.wolfssl_known_macro_extras

@@ -737,7 +737,6 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
-WOLFSSL_KEY_TO_DER
 WOLFSSL_KYBER_NO_DECAPSULATE
 WOLFSSL_KYBER_NO_ENCAPSULATE
 WOLFSSL_KYBER_NO_MAKE_KEY

Makefile.am

@@ -225,6 +225,9 @@ if BUILD_LINUXKM
 module:
 	+$(MAKE) -C linuxkm libwolfssl.ko
 
+module-update-fips-hash:
+	+$(MAKE) -C linuxkm module-update-fips-hash
+
 clean_module:
 	+$(MAKE) -C linuxkm clean
 

linuxkm/Makefile

@@ -22,8 +22,6 @@ SHELL=bash
 
 all: libwolfssl.ko libwolfssl.ko.signed
 
-.PHONY: libwolfssl.ko
-
 ifndef MODULE_TOP
     MODULE_TOP=$(CURDIR)
 endif
@@ -90,19 +88,17 @@ ifndef AWK
     AWK := awk
 endif
 
-libwolfssl.ko:
-	@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
-	@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
-	@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
-        # after commit 9a0ebe5011 (6.10), sources must be in $(obj).  work around this by making links to all needed sources:
-	@mkdir -p '$(MODULE_TOP)/linuxkm'
-	@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
-	@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
-	@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
-ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
-	@echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
-	+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
-	@$(READELF) --wide -r libwolfssl.ko |						\
+ifndef TMPDIR
+    TMPDIR := /tmp
+endif
+
+ifndef MAKE_TMPDIR
+    MAKE_TMPDIR := $(TMPDIR)
+endif
+
+libwolfssl.ko: libwolfssl.o
+
+GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko |				\
 	$(AWK) 'BEGIN {									\
 	    n=0;									\
 	    bad_relocs=0;								\
@@ -133,12 +129,49 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
 	        exit(1);								\
 	    }										\
 	    print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
-	}' > wc_linuxkm_pie_reloc_tab.c
+	}'
+
+libwolfssl.o:
+	@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
+	@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
+	@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
+        # after commit 9a0ebe5011 (6.10), sources must be in $(obj).  work around this by making links to all needed sources:
+	@mkdir -p '$(MODULE_TOP)/linuxkm'
+	@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
+	@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
+	@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
+ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
+	@echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
 	+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
+	@$(GENERATE_RELOC_TAB) > wc_linuxkm_pie_reloc_tab.c
+	+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
+	@$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX"))
+	@$(GENERATE_RELOC_TAB) >| $(RELOC_TMP)
+	@if diff wc_linuxkm_pie_reloc_tab.c $(RELOC_TMP); then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm $(RELOC_TMP); exit 1; fi
+	@rm $(RELOC_TMP)
 else
 	+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS)
 endif
 
+.PHONY: module-update-fips-hash
+module-update-fips-hash: libwolfssl.ko
+	@if test -z '$(FIPS_HASH)'; then echo '  $$FIPS_HASH is unset' >&2; exit 1; fi
+	@if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo '  $$FIPS_HASH is malformed' >&2; exit 1; fi
+	@readarray -t rodata_segment < <($(READELF) --wide --sections libwolfssl.ko | \
+	    sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata\.wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
+	if [[ $${#rodata_segment[@]} != 2 ]]; then echo '  unexpected rodata_segment.' >&2; exit 1; fi; \
+	readarray -t verifyCore_attrs < <($(READELF) --wide --symbols libwolfssl.ko | \
+	    sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
+	if [[ $${#verifyCore_attrs[@]} != 2 ]]; then echo '  unexpected verifyCore_attrs.' >&2; exit 1; fi; \
+	if [[ "$${verifyCore_attrs[1]}" != "65" ]]; then echo "  verifyCore has unexpected length $${verifyCore_attrs[1]}." >&2; exit 1; fi; \
+	verifyCore_offset=$$((0x$${rodata_segment[1]} + 0x$${verifyCore_attrs[0]})); \
+	current_verifyCore=$$(dd bs=1 if=libwolfssl.ko skip=$$verifyCore_offset count=64 status=none); \
+	if [[ ! "$$current_verifyCore" =~ [0-9a-fA-F]{64} ]]; then echo "  verifyCore at offset $$verifyCore_offset has unexpected value." >&2; exit 1; fi; \
+	if [[ '$(FIPS_HASH)' == "$$current_verifyCore" ]]; then echo '  Supplied FIPS_HASH matches existing verifyCore -- no update needed.'; exit 0; fi; \
+	echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of=libwolfssl.ko seek=$$verifyCore_offset count=64 status=none && \
+	echo "  FIPS verifyCore updated successfully." && \
+	if [[ -f libwolfssl.ko.signed ]]; then $(MAKE) -C . libwolfssl.ko.signed; fi
+
 libwolfssl.ko.signed: libwolfssl.ko
 ifdef FORCE_NO_MODULE_SIG
 	@echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.'