RHEL9 kernels (9.6+) disable RSA signing and decryption in the kernel
crypto API for security reasons (CVE-2023-6240). The kernel forcibly
overwrites akcipher sign/decrypt callbacks to return -ENOSYS, regardless
of what the driver provides.
Commit 3709c35c in the RHEL kernel:
"crypto: akcipher - Disable signing and decryption"
This affects our self-tests which call crypto_akcipher_sign() and
crypto_akcipher_decrypt(). On RHEL9, these operations return -ENOSYS
even though our driver correctly implements them.
Add compile-time checks for RHEL_RELEASE_CODE >= 9.6 to detect this
scenario and skip the affected self-tests gracefully. The tests pass
since the algorithms are registered correctly; the kernel simply
refuses to execute sign/decrypt operations as a matter of policy.
Note: encrypt and verify operations are unaffected and continue to be
tested normally.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
* add drbg_init_from() and fork_default_rng(), and
* use the latter to define LKCAPI_INITRNG_FOR_SELFTEST() opportunistically (with fallback to plain wc_InitRng());
linuxkm/lkcapi_rsa_glue.c:
* add km_rsa_ctx_init_rng(),
* remove wc_InitRng() from km_rsa_ctx_init(),
* remove the WC_RSA_BLINDING gates around calls to wc_RsaSetRNG(), and
* call km_rsa_ctx_init_rng() before each call that needs an initialized RNG;
linuxkm/lkcapi_dh_glue.c and linuxkm/lkcapi_ecdh_glue.c: in km_ffdhe_init() and km_ecdh_init(), if linuxkm_lkcapi_registering_now, use LKCAPI_INITRNG_FOR_SELFTEST() to initialize ctx->rng;
linuxkm/lkcapi_glue.c: add notes that lkcapi_sha_glue inclusion and registrations must precede PK, and move declaration of linuxkm_lkcapi_registering_now to precede lkcapi glue inclusions.
* refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable();
* eliminate the WC_FPU_ALREADY_FLAG kludge.
* improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG.
linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references;
* extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes;
* add version exceptions for RHEL 9.5.
linuxkm/Kbuild:
* on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none;
* refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft;
configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal;
linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
adding WOLFSSL_NO_DH_GEN_PUB in the unlikely event it needs to be disabled;
configure.ac: in --enable-linuxkm-lkcapi-register section, remove special-case
handling for -DWOLFSSL_DH_GEN_PUB, and add support for
--enable-linuxkm-lkcapi-register=all-kconfig, which disables registration of
any algs that are disabled in the target kernel, and #errors if any algs or
registrations are disabled or incompatible in libwolfssl but enabled in the
target kernel (note, it does not #error for algorithms we don't currently
shim/implement);
linuxkm/lkcapi_glue.c: change default WOLFSSL_LINUXKM_LKCAPI_PRIORITY from 10000
to INT_MAX to make masking impossible;
linuxkm/lkcapi*glue.c: move all remaining algorithm-specific gate setup into the
respective algorithm family files, and in each family file, add
LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG logic to activate shims only if the
corresponding algorithm is activated in the target kernel.
linuxkm/lkcapi_sha_glue.c: fix -Wunuseds in
wc_linuxkm_drbg_default_instance_registered() and wc_linuxkm_drbg_cleanup()
when !LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT.
in lkcapi_sha_glue.c:
in linuxkm_hmac_setkey_common(), ignore keylength even in FIPS modules (use
wc_HmacSetKey_ex(..., 1)) on kernel < 6.0 to work around crypto manager bug;
in wc_linuxkm_drbg_startup(), add rng workout routine using handle from
crypto_alloc_rng();
in lkcapi_*_glue.c: fix test routines to return valid wolfCrypt error codes
consistently;
in module_hooks.c, implement
* linuxkm_lkcapi_sysfs_install_node(),
* linuxkm_lkcapi_sysfs_deinstall_node(),
* FIPS_rerun_self_test_handler()
and add corresponding setup/teardown in wolfssl_init() and wolfssl_exit();
in lkcapi_glue.c:
refactor linuxkm_lkcapi_sysfs_install and linuxkm_lkcapi_sysfs_deinstall to
use the new helpers;
harden the REGISTER_ALG() and UNREGISTER_ALG() macros and the
linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() functions, and add
informational messages about number of algs registered/deregistered;
in x86_vector_register_glue.c: fix gate for irq_fpu_usable() workaround to
reflect backporting of fix in >=5.10.180 in 5.10-LTS and >=5.15.39 in 5.15-LTS
linuxkm/lkcapi_glue.c: move WOLFSSL_DEBUG_TRACE_ERROR_CODES coverage for
EINVAL/ENOMEM/EBADMSG to module_hooks.c.
typography fixes;
static attr on const byte arrays;
refactor km_ecdsa_verify() to use a single heap allocation;
fix linuxkm_test_ecdsa_nist_driver() to copy sig and hash to a heap allocation before passing to sg_set_buf() (avoids unmapping of rodata);
in linuxkm_test_pkcs1_driver() move hash from stack to heap;
add LINUX_VERSION_CODE >= 5.4 assertion in linuxkm/lkcapi_glue.c;
streamline macro logic in linuxkm/lkcapi_sha_glue.c.