relocation straddles the buffer at end, return the exact offset of the next
relocation, rather than blindly backing up sizeof reloc_buf - 1, otherwise
byte(s) in a relocation immediately preceding will be denormalized.
* add WC_SIG_IGNORE_BEGIN(), WC_SIG_IGNORE_END(), wc_linuxkm_sig_ignore_begin(), wc_linuxkm_sig_ignore_end();
* move WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP() definitions outside the BUILDING_WOLFSSL gate;
* refactor linuxkm_lkcapi_registering_now as a wolfSSL_Atomic_Int and use it as a mutex for linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister();
* add WC_SIG_IGNORE_BEGIN()...WC_SIG_IGNORE_END() wrappers around all relevant critical spans in linuxkm glue.
configure.ac:
* add ML-KEM, ML-DSA, XMSS, and LMS to --enable-all-crypto when !ENABLED_FIPS.
* swap order of --enable-kyber and --enable-mlkem handler code to put mlkem first.
* add --enable-mldsa hander code.
* remove setup code that was adding -DWOLFSSL_NO_TLS12 and -DNO_OLD_TLS to
AM_CFLAGS when ENABLED_CRYPTONLY -- NO_OLD_TLS is already defined earlier for
when ENABLED_CRYPTONLY, and WOLFSSL_NO_TLS12 breaks wc_PRF_TLS(), which is
inside-the-FIPS-boundary crypto.
linuxkm/linuxkm_wc_port.h:
* adopt the WC_SANITIZE_DISABLE and WC_SANITIZE_ENABLE setup code from
settings.h (where it didn't belong).
* fix FIPS remapping of wc_InitMutex&friends to InitMutex&friends -- inhibit
when WOLFSSL_API_PREFIX_MAP.
wolfcrypt/src/ge_operations.c: add _wc_curve25519_dummy() to fix visibility of
curve25519().
wolfcrypt/src/poly1305.c: fix visibility of several unprefixed helper routines.
wolfcrypt/test/test.c: fix gating on tls12_kdf_test() and prf_test() (both
require !WOLFSSL_NO_TLS12).
wolfssl/internal.h, wolfssl/wolfio.h: add several WOLFSSL_API_PREFIX_MAPs.
wolfssl/wolfcrypt/ge_operations.h: fix visibility of several internal asm
functions.
wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, add gates to avoid redef
warnings for various settings, and remove the setup for
WC_SANITIZE_{DISABLE,ENABLE} (moved to linuxkm_wc_port.h as noted above).
wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API_PREFIX_MAPs for InitMutex() and
friends.
define WOLFSSL_API_PREFIX_MAP in WOLFSSL_LINUXKM setup in settings.h;
fix gates on WOLFSSL_HAVE_PRF and WOLFSSL_NO_CT_OPS setup in settings.h;
linuxkm/: add support for FIPS_OPTEST.
linuxkm/linuxkm_wc_port.h: completely inhibit CONFIG_FORTIFY_SOURCE across the module when HAVE_LINUXKM_PIE_SUPPORT, for fidget-free backward compat;
linuxkm/module_hooks.c:
* add startup-time sanity check on fenceposts,
* enhance DEBUG_LINUXKM_PIE_SUPPORT with coverage for WOLFSSL_TEXT_SEGMENT_CANONICALIZER on the entire text segment,
* compute and report a hash on the stabilized text segment,
* fix wc_linuxkm_normalize_relocations() to allow span end == __wc_text_end, and
* add numerous verbose pr_err()s when DEBUG_LINUXKM_PIE_SUPPORT.
rename WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS to WOLFSSL_USE_SAVE_VECTOR_REGISTERS, and wherever appropriate, replace defined(WOLFSSL_LINUXKM) with defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS).
rename WC_WANT_FLAG_DONT_USE_AESNI to WC_WANT_FLAG_DONT_USE_VECTOR_OPS.
rename lkm_printf() to wc_km_printf().
replace WOLFSSL_LINUXKM gates on kernel-incompatible includes with header-specific gates NO_STRING_H, NO_STDINT_H, NO_LIMITS_H, NO_CTYPE_H, NO_STDLIB_H
remove low level threading setup section of wolfssl/internal.h, which duplicated existing logic in wc_port.h, except for off-topic WOLFSSL_APACHE_MYNEWT TLS-layer setup, which is preserved, and a defined(__NT__) clause, which is now merged into the existing section in wc_port.h.
* refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration;
* use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies.
these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
* add module-update-fips-hash rule, for in-place FIPS hash update without rebuild;
* improve PIE sequence in module build rule to double-check stability of the relocation table after final rebuild;
Makefile.am: add a module-update-fips-hash passthrough target.
linuxkm/Makefile, linuxkm/include.am, linuxkm/module_hooks.c: remove linuxkm/pie_first.c, linuxkm/pie_last.c, and references to them (replaced by fenceposts in linuxkm/wolfcrypt.lds).
WOLFSSL_TEXT_SEGMENT_CANONICALIZER() to wc_linuxkm_normalize_relocations(), and
define WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ to 8192.
linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations(), add checks for
out-of-order offsets.
linuxkm/lkcapi_sha_glue.c: revert f7c7ac275a (get_drbg() DISABLE_VECTOR_REGISTERS() for crypto_default_rng) -- compiler/inlining bug makes it break on at least one target, so caller needs to retain responsibility;
linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), always return WC_ACCEL_INHIBIT_E if already fpu_state & WC_FPU_INHIBITED_FLAG, for safe+correct dynamics on recursive calls.
wc_save_vector_registers_x86() and wc_restore_vector_registers_x86() to allow
recursive WC_SVR_FLAG_INHIBIT while already in a vector save context;
linuxkm/lkcapi_sha_glue.c: in get_drbg() and put_drbg(),
DISABLE_VECTOR_REGISTERS()...REENABLE_VECTOR_REGISTERS() if tfm ==
crypto_default_rng.
relocations 1 byte outside the destination segment, and when
DEBUG_LINUXKM_PIE_SUPPORT, tally the relocation counts by segment for final info
report;
linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: tweak gating on
wc_linuxkm_normalize_relocations() and related -- ifdef
HAVE_LINUXKM_PIE_SUPPORT, not ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE --
for consistency+clarity.
linuxkm/Makefile: in recipe (awk script) for wc_linuxkm_pie_reloc_tab.c, report and error on unexpected relocation types;
linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations():
* fix bounds checking on the input,
* recognize references pointing at the first byte after the end of the segment,
* and mask out pad bytes when rendering the 32 bit addresses;
linuxkm/wolfcrypt.lds: add 4k alignment directives just before the segment end fenceposts, to make the fenceposts more inclusive.
add WC_GENERATE_SEED_DEFAULT, which defaults to wc_GenerateSeed if not overridden, and replace wc_GenerateSeed with WC_GENERATE_SEED_DEFAULT in various calls to wc_SetSeed_Cb();
linuxkm/linuxkm_wc_port.h: if FIPS <v6 and RDSEED, define WC_LINUXKM_RDSEED_IN_GLUE_LAYER and define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD;
wolfcrypt/test/test.c: update rng_seed_test() with gating and vectors for FIPS v5 with HAVE_AMD_RDSEED or HAVE_INTEL_RDSEED;
wolfssl/wolfcrypt/types.h: add WC_HAVE_VECTOR_SPEEDUPS helper macro, and enlarge fallthrough definition coverage for DISABLE_VECTOR_REGISTERS.
linuxkm/linuxkm_wc_port.h: add WC_SVR_FLAG_NONE;
wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM setup for WC_RESEED_INTERVAL,
use UINT_MAX if FIPS v5-;
wolfssl/wolfcrypt/types.h: add definitions for SAVE_NO_VECTOR_REGISTERS2, and
map no-op SAVE_VECTOR_REGISTERS2() to it.
Optimize code knowing it is for Intel x64.
Change signing to calculate one polynomial at a time so that if it isn't
valid then we fail early.
Other minor improvements.
Move the SHA-3 4 blocks at a time assembly into SHA-3 asm file.
Make constants in assembly the same length (front pad with zeros).
* rename can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), with wc_ prefix, and properly export them;
* move setup for WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS outside BUILDING_WOLFSSL gate;
* fix !BUILDING_WOLFSSL bindings for DISABLE_VECTOR_REGISTERS() to properly fall through to no-ops in !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS configs, and properly #error if WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS but !CONFIG_X86;
.github/workflows/linuxkm.yml: --enable-linuxkm-benchmarks for additional coverage.
* move enum wc_svr_flags out of BUILDING_WOLFSSL guard;
* add DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS() definitions for !BUILDING_WOLFSSL;
* add #include <linux/spinlock.h> to !WOLFSSL_LINUXKM_USE_MUTEXES implementation to fix compilation (and add usability) to caller code;
linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_ctx_clear(), fix error-path deallocation of locked object;
wolfcrypt/benchmark/benchmark.c:
* in FIPS v6+ builds, and FIPS linuxkm v5+, check retval from wc_AesEncryptDirect() and wc_AesDecryptDirect();
* add WC_RELAX_LONG_LOOP() in bench_stats_sym_finish() and bench_stats_asym_finish_ex();
wolfcrypt/test/test.c: fix rng_seed_test() with correct test vectors for the relevant combinations of features, and gate the test out if there are user override defines for ENTROPY_SCALE_FACTOR or SEED_BLOCK_SZ.
* add wc_linuxkm_check_for_intr_signals(), wc_linuxkm_relax_long_loop(),
WC_CHECK_FOR_INTR_SIGNALS(), WC_RELAX_LONG_LOOP(), SAVE_NO_VECTOR_REGISTERS(),
RESTORE_NO_VECTOR_REGISTERS(), and new error code INTERRUPTED_E ("Process
interrupted");
* update the no-asm remaps in the PK implementations to use
SAVE_NO_VECTOR_REGISTERS() and RESTORE_NO_VECTOR_REGISTERS(), so that inner
loops in them are always covered by the new logic.
