linuxkm/Kbuild:

* for aarch64/arm64, only add -mno-outline-atomics if the compiler supports it.
* in ENABLED_LINUXKM_PIE setup, avoid -fPIE on arm32 <5.11 (missing reloc support).

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: gate interception of alt_cb_patch_nops() on kernel >= 6.1.

linuxkm/linuxkm_wc_port.h: define WC_LINUXKM_SUPPORT_DUMP_TO_FILE implicitly when WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT.

linuxkm/module_hooks.c: fixes for text_dump_path and rodata_dump_path handler code.
Daniel Pouzzner
2026-03-03 22:58:23 -06:00
parent 8d1b825558
commit f67c29ae51
5 changed files with 44 additions and 8 deletions
-1
@@ -637,7 +637,6 @@ WC_DILITHIUM_FIXED_ARRAY
WC_DISABLE_RADIX_ZERO_PAD
WC_FLAG_DONT_USE_AESNI
WC_FORCE_LINUXKM_FORTIFY_SOURCE
WC_LINUXKM_SUPPORT_DUMP_TO_FILE
WC_LMS_FULL_HASH
WC_NO_ASYNC_SLEEP
WC_NO_RNG_SIMPLE
+20 -3
@@ -39,10 +39,13 @@ endif
WOLFSSL_CFLAGS += -ffreestanding -Wframe-larger-than=$(MAX_STACK_FRAME_SIZE) -isystem $(shell $(CC) -print-file-name=include)
# -moutline-atomics added in gcc 10.1 for ARMv8.0.
AARCH64_NO_OUTLINE_ATOMICS := $(shell { echo -e 'int f(void) {\n return 0;\n}\n' | $(CC) -mno-outline-atomics -x c -c - -o /dev/null 2>/dev/null; } && echo -mno-outline-atomics)
ifeq "$(KERNEL_ARCH)" "aarch64"
WOLFSSL_CFLAGS += -mno-outline-atomics
WOLFSSL_CFLAGS += $(AARCH64_NO_OUTLINE_ATOMICS)
else ifeq "$(KERNEL_ARCH)" "arm64"
WOLFSSL_CFLAGS += -mno-outline-atomics
WOLFSSL_CFLAGS += $(AARCH64_NO_OUTLINE_ATOMICS)
else ifeq "$(KERNEL_ARCH)" "arm"
# avoids R_ARM_THM_JUMP11 relocations, including a stubborn tail recursion
# optimization from wc_sp_cmp to wc_sp_cmp_mag:
@@ -111,7 +114,21 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
# note, we need -fno-stack-protector to avoid references to
# "__stack_chk_fail" from the wolfCrypt container.
PIE_FLAGS := -DWC_CONTAINERIZE_THIS -fno-stack-protector -fno-toplevel-reorder
# some targets can't handle -fpie. E.g. ARM32 on kernel <=5.10 has no handling for R_ARM_REL32.
ifndef NO_PIE_FLAG
ifeq ($(KERNEL_ARCH),arm)
ifeq ($(intcmp $(VERSION),5,1,0,0),1)
NO_PIE_FLAG :=
$(info Note: disabling -fPIE to avoid R_ARM_REL32 on pre-5.11 target kernel.)
else
ifeq ($(intcmp $(VERSION),5,0,1,0)-$(intcmp $(PATCHLEVEL),11,1,0,0),1-1)
NO_PIE_FLAG :=
$(info Note: disabling -fPIE to avoid R_ARM_REL32 on pre-5.11 target kernel.)
endif
endif
endif
endif
ifdef NO_PIE_FLAG
PIE_FLAGS += -DWC_NO_PIE_FLAG
else
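Review bot: In the arm32 branch of the ENABLED_LINUXKM_PIE hunk, `NO_PIE_FLAG :=` assigns an empty value, and GNU make's `ifdef` is true only for a variable with a non-empty value. As rendered here, the following `ifdef NO_PIE_FLAG` therefore still takes the `else` path even though the `$(info ...)` line reports that -fPIE was disabled; `NO_PIE_FLAG := 1` in both places would make the guard take effect. `$(intcmp ...)` is also only available from GNU Make 4.4: on an older make it expands to nothing, both `ifeq` tests fail, and the pre-5.11 workaround is skipped without any message, so a make-version check or a `$(shell ...)` comparison fallback is worth adding. The `ifdef`/`else` block continues past the end of this hunk.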
+16 -1
@@ -301,7 +301,13 @@
#endif
#if defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_ARM64)
#define alt_cb_patch_nops my__alt_cb_patch_nops
/* alt_cb_patch_nops and queued_spin_lock_slowpath are defined early
* to allow shimming in system headers.
*/
/* alt_cb_patch_nops added by d926079f17, release 6.1 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
#define alt_cb_patch_nops my__alt_cb_patch_nops
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) */
#define queued_spin_lock_slowpath my__queued_spin_lock_slowpath
#endif
@@ -509,6 +515,11 @@
#endif /* !WOLFCRYPT_ONLY */
#endif /* !WC_CONTAINERIZE_THIS */
#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT) && \
!defined(WC_LINUXKM_SUPPORT_DUMP_TO_FILE)
#define WC_LINUXKM_SUPPORT_DUMP_TO_FILE
#endif
#ifdef WC_LINUXKM_SUPPORT_DUMP_TO_FILE
#include <linux/fs.h>
#include <linux/uaccess.h>
@@ -1116,12 +1127,16 @@
* to allow shimming in system headers, but now we need the native
* ones.
*/
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
#undef alt_cb_patch_nops
typeof(my__alt_cb_patch_nops) *alt_cb_patch_nops;
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) */
#undef queued_spin_lock_slowpath
typeof(my__queued_spin_lock_slowpath) *queued_spin_lock_slowpath;
#else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
typeof(alt_cb_patch_nops) *alt_cb_patch_nops;
#endif
typeof(queued_spin_lock_slowpath) *queued_spin_lock_slowpath;
#endif
#endif
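Review bot: The new block that defines WC_LINUXKM_SUPPORT_DUMP_TO_FILE whenever WC_SYM_RELOC_TABLES and DEBUG_LINUXKM_PIE_SUPPORT are both set carries no comment, yet it switches on code that includes `<linux/fs.h>` and `<linux/uaccess.h>` and, going by the module_hooks.c part of this commit, writes the module's text and rodata sections to a supplied path from kernel context. Since the macro is no longer an explicit opt-in, a comment above the `#if` such as `/* debug only: DEBUG_LINUXKM_PIE_SUPPORT implies file-dump support (text_dump_path / rodata_dump_path); not for production builds */` would tell builders what the debug flag pulls in. How text_dump_path and rodata_dump_path are populated is not visible in this section, so who is able to set them should be confirmed and stated in the same comment.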
+5 -3
@@ -575,12 +575,12 @@ static int wolfssl_init(void)
#ifdef WC_SYM_RELOC_TABLES
if (text_dump_path) {
if (dump_to_file(text_dump_path, (u8 *)__wc_text_start, (size_t)((uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start)) == 0)
if (dump_to_file(text_dump_path, (u8 *)__wc_text_start, (size_t)((uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start)) > 0)
pr_info("libwolfssl: dumped .wolfcrypt_text (%zu bytes) to %s.\n", (size_t)((uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start), text_dump_path);
}
if (rodata_dump_path) {
if (dump_to_file(rodata_dump_path, (u8 *)__wc_rodata_start, (size_t)(__wc_rodata_end - __wc_rodata_start)) == 0)
pr_info("libwolfssl: dumped .wolfcrypt_rodata (%zu bytes) to %s.\n", (size_t)((uintptr_t)__wc_rodata_end - (uintptr_t)__wc_rodata_start), text_dump_path);
if (dump_to_file(rodata_dump_path, (u8 *)__wc_rodata_start, (size_t)((uintptr_t)__wc_rodata_end - (uintptr_t)__wc_rodata_start)) > 0)
pr_info("libwolfssl: dumped .wolfcrypt_rodata (%zu bytes) to %s.\n", (size_t)((uintptr_t)__wc_rodata_end - (uintptr_t)__wc_rodata_start), rodata_dump_path);
}
#else
if ((text_dump_path != NULL) ||
@@ -1536,7 +1536,9 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
#ifdef CONFIG_ARM64
#ifndef CONFIG_ARCH_TEGRA
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
wolfssl_linuxkm_pie_redirect_table.alt_cb_patch_nops = alt_cb_patch_nops;
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) */
wolfssl_linuxkm_pie_redirect_table.queued_spin_lock_slowpath = queued_spin_lock_slowpath;
#endif
#endif
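Review bot: In wolfssl_init, the two `dump_to_file(...) > 0` checks print the full section size on any positive return and print nothing when the call fails, so a short write is reported as a complete dump and a failed dump of .wolfcrypt_text or .wolfcrypt_rodata leaves no trace in the log. Capturing the return value, comparing it with the expected length, and emitting `pr_err` otherwise would make the debug output reliable; the sketch shows the text case and the rodata case follows the same pattern. dump_to_file's declaration is outside the hunk, so the `ssize_t` return type in the sketch is an assumption to confirm, and wolfssl_init's body continues outside the hunk.

```c
    if (text_dump_path) {
        size_t text_len = (size_t)((uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start);
        ssize_t ret = dump_to_file(text_dump_path, (u8 *)__wc_text_start, text_len);
        if ((ret > 0) && ((size_t)ret == text_len))
            pr_info("libwolfssl: dumped .wolfcrypt_text (%zu bytes) to %s.\n", text_len, text_dump_path);
        else
            pr_err("libwolfssl: dump of .wolfcrypt_text to %s failed or was short (returned %zd, expected %zu).\n", text_dump_path, ret, text_len);
    }
    /* … same pattern for rodata_dump_path / __wc_rodata_start … */
```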
+3
@@ -5008,12 +5008,15 @@ char* wolfSSL_strnstr(const char* s1, const char* s2, unsigned int n)
#if defined(WOLFSSL_LINUXKM) && defined(CONFIG_ARM64) && \
defined(WC_SYM_RELOC_TABLES)
#ifndef CONFIG_ARCH_TEGRA
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
noinstr void my__alt_cb_patch_nops(struct alt_instr *alt, __le32 *origptr,
__le32 *updptr, int nr_inst)
{
return WC_PIE_INDIRECT_SYM(alt_cb_patch_nops)
(alt, origptr, updptr, nr_inst);
}
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) */
void my__queued_spin_lock_slowpath(struct qspinlock *lock, u32 val)
{