
Commit 5cb2103

Merge pull request wolfSSL#9206 from douzzer/20250916-linuxkm-module-update-fips-hash
20250916-linuxkm-module-update-fips-hash
2 parents 65108be + bf5536d commit 5cb2103


3 files changed

+52
-17
lines changed


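--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -737,7 +737,6 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
-WOLFSSL_KEY_TO_DER
 WOLFSSL_KYBER_NO_DECAPSULATE
 WOLFSSL_KYBER_NO_ENCAPSULATE
 WOLFSSL_KYBER_NO_MAKE_KEY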

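--- a/Makefile.am
+++ b/Makefile.am
@@ -225,6 +225,9 @@ if BUILD_LINUXKM
 module:
 +$(MAKE) -C linuxkm libwolfssl.ko
 
+module-update-fips-hash:
++$(MAKE) -C linuxkm module-update-fips-hash
+
 clean_module:
 +$(MAKE) -C linuxkm clean
 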
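Review bot: The new `module-update-fips-hash` target has no comment telling the caller that it needs `FIPS_HASH` on the make command line and that it patches the already-built `libwolfssl.ko` in place; the requirement is only discoverable from the error message in linuxkm/Makefile. A line such as `# Usage: make module-update-fips-hash FIPS_HASH=<64 hex digits>; rewrites verifyCore in linuxkm/libwolfssl.ko` above the target would cover it. Whether this target is declared `.PHONY` in Makefile.am is not visible in the hunk; its linuxkm/Makefile counterpart is.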

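--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -22,8 +22,6 @@ SHELL=bash
 
 all: libwolfssl.ko libwolfssl.ko.signed
 
-.PHONY: libwolfssl.ko
-
 ifndef MODULE_TOP
 MODULE_TOP=$(CURDIR)
 endif
@@ -90,19 +88,17 @@ ifndef AWK
 AWK := awk
 endif
 
-libwolfssl.ko:
-@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
-@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
-@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
-# after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources:
-@mkdir -p '$(MODULE_TOP)/linuxkm'
-@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
-@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
-@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
-ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
-@echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
-+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
-@$(READELF) --wide -r libwolfssl.ko | \
+ifndef TMPDIR
+TMPDIR := /tmp
+endif
+
+ifndef MAKE_TMPDIR
+MAKE_TMPDIR := $(TMPDIR)
+endif
+
+libwolfssl.ko: libwolfssl.o
+
+GENERATE_RELOC_TAB := $(READELF) --wide -r libwolfssl.ko | \
 $(AWK) 'BEGIN { \
 n=0; \
 bad_relocs=0; \
@@ -133,12 +129,49 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
 exit(1); \
 } \
 print "~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
-}' > wc_linuxkm_pie_reloc_tab.c
+}'
+
+libwolfssl.o:
+@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
+@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
+@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
+# after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources:
+@mkdir -p '$(MODULE_TOP)/linuxkm'
+@test '$(MODULE_TOP)/module_hooks.c' -ef '$(MODULE_TOP)/linuxkm/module_hooks.c' || cp --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
+@test '$(SRC_TOP)/wolfcrypt/src/wc_port.c' -ef '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
+@test '$(SRC_TOP)/src/wolfio.c' -ef '$(MODULE_TOP)/src/wolfio.c' || cp --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
+ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
+@echo -e "const unsigned int wc_linuxkm_pie_reloc_tab[] = { ~0U };\nconst size_t wc_linuxkm_pie_reloc_tab_length = 1;" > wc_linuxkm_pie_reloc_tab.c
++$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
+@$(GENERATE_RELOC_TAB) > wc_linuxkm_pie_reloc_tab.c
 +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
+@$(eval RELOC_TMP := $(shell mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX"))
+@$(GENERATE_RELOC_TAB) >| $(RELOC_TMP)
+@if diff wc_linuxkm_pie_reloc_tab.c $(RELOC_TMP); then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; rm $(RELOC_TMP); exit 1; fi
+@rm $(RELOC_TMP)
 else
 +$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS)
 endif
 
+.PHONY: module-update-fips-hash
+module-update-fips-hash: libwolfssl.ko
+@if test -z '$(FIPS_HASH)'; then echo ' $$FIPS_HASH is unset' >&2; exit 1; fi
+@if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo ' $$FIPS_HASH is malformed' >&2; exit 1; fi
+@readarray -t rodata_segment < <($(READELF) --wide --sections libwolfssl.ko | \
+sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata\.wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
+if [[ $${#rodata_segment[@]} != 2 ]]; then echo ' unexpected rodata_segment.' >&2; exit 1; fi; \
+readarray -t verifyCore_attrs < <($(READELF) --wide --symbols libwolfssl.ko | \
+sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
+if [[ $${#verifyCore_attrs[@]} != 2 ]]; then echo ' unexpected verifyCore_attrs.' >&2; exit 1; fi; \
+if [[ "$${verifyCore_attrs[1]}" != "65" ]]; then echo " verifyCore has unexpected length $${verifyCore_attrs[1]}." >&2; exit 1; fi; \
+verifyCore_offset=$$((0x$${rodata_segment[1]} + 0x$${verifyCore_attrs[0]})); \
+current_verifyCore=$$(dd bs=1 if=libwolfssl.ko skip=$$verifyCore_offset count=64 status=none); \
+if [[ ! "$$current_verifyCore" =~ [0-9a-fA-F]{64} ]]; then echo " verifyCore at offset $$verifyCore_offset has unexpected value." >&2; exit 1; fi; \
+if [[ '$(FIPS_HASH)' == "$$current_verifyCore" ]]; then echo ' Supplied FIPS_HASH matches existing verifyCore -- no update needed.'; exit 0; fi; \
+echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of=libwolfssl.ko seek=$$verifyCore_offset count=64 status=none && \
+echo " FIPS verifyCore updated successfully." && \
+if [[ -f libwolfssl.ko.signed ]]; then $(MAKE) -C . libwolfssl.ko.signed; fi
+
 libwolfssl.ko.signed: libwolfssl.ko
 ifdef FORCE_NO_MODULE_SIG
 @echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.'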
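Review bot: The `FIPS_HASH` format check in `module-update-fips-hash` (new line 159) is unanchored, so `=~ [0-9a-fA-F]{64}` accepts any value that merely contains 64 hex digits, and the later `echo -n '$(FIPS_HASH)' | dd … count=64` then writes its first 64 bytes, whatever they are, into `verifyCore`. Anchoring the pattern, `if [[ ! '$(FIPS_HASH)' =~ ^[0-9a-fA-F]{64}$$ ]]; then …`, makes the check mean what its error message says. Make also pastes `$(FIPS_HASH)` into single-quoted shell text before either check runs, so a value containing `'` ends the quoting; adding `export FIPS_HASH` and testing `"$$FIPS_HASH"` inside the recipe would keep the value as data when it arrives from a CI parameter. A short comment above the target stating that it rewrites `libwolfssl.ko` in place and re-signs only when `libwolfssl.ko.signed` already exists would help whoever runs it.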
