linuxkm/x86_vector_register_glue.c:

* refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable();

* eliminate the WC_FPU_ALREADY_FLAG kludge.

* improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:

* move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references;

* extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes;

* add version exceptions for RHEL 9.5.

linuxkm/Kbuild:

* on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none;

* refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft;

configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal;

linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.

Author: douzzer

.wolfssl_known_macro_extras

@@ -451,6 +451,7 @@ REDIRECTION_OUT1_KEYID
 REDIRECTION_OUT2_KEYELMID
 REDIRECTION_OUT2_KEYID
 RENESAS_T4_USE
+RHEL_MAJOR
 RTC_ALARMSUBSECONDMASK_ALL
 RTE_CMSIS_RTOS_RTX
 RTOS_MODULE_NET_AVAIL

configure.ac

@@ -9613,7 +9613,7 @@ then
                     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2" ;;
         'sha3')     test "$ENABLED_SHA3" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 implementation not enabled.])
                     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
-        'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1 -DLINUXKM_LKCAPI_REGISTER_SHA2 -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
+        'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA_ALL" ;;
         'hmac(sha1)') test "$ENABLED_SHA" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 HMAC implementation not enabled.])
                     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC" ;;
         'hmac(sha2)') (test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no") && \
@@ -9622,7 +9622,7 @@ then
         'hmac(sha3)') test "$ENABLED_SHA3" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 HMAC implementation not enabled.])
                     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
         'all-hmac') test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HMAC implementation not enabled.])
-                    AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC -DLINUXKM_LKCAPI_REGISTER_SHA2_HMAC -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
+                    AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HMAC_ALL" ;;
         'stdrng') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
                     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG" ;;
         'stdrng-default') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
@@ -9648,11 +9648,11 @@ then
         '-sha1')     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1" ;;
         '-sha2')     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2" ;;
         '-sha3')     AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
-        '-all-sha')  AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1 -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2 -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
+        '-all-sha')  AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA_ALL" ;;
         '-hmac(sha1)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC" ;;
         '-hmac(sha2)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC" ;;
         '-hmac(sha3)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
-        '-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
+        '-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HMAC_ALL" ;;
         '-stdrng')   AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG" ;;
         '-stdrng-default') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT" ;;
         '-ecdsa')    AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDSA" ;;

linuxkm/Kbuild

@@ -104,7 +104,17 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
     PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
     PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
     ifeq "$(KERNEL_ARCH_X86)" "yes"
-        PIE_FLAGS += -mcmodel=small -mindirect-branch=keep -mfunction-return=keep
+        PIE_FLAGS += -mcmodel=small
+        ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
+            PIE_FLAGS += -mfunction-return=thunk-inline
+        else
+            PIE_FLAGS += -mfunction-return=keep
+        endif
+        ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
+            PIE_FLAGS += -mindirect-branch=thunk-inline
+        else
+            PIE_FLAGS += -mindirect-branch=keep
+        endif
     endif
     ifeq "$(KERNEL_ARCH)" "mips"
         PIE_FLAGS += -mabicalls
@@ -194,34 +204,83 @@ endif
 	    --rename-section .rodata.str1.1=.rodata.wolfcrypt	\
 	    --rename-section .rodata.str1.8=.rodata.wolfcrypt	\
 	    --rename-section .data=.data.wolfcrypt		\
-	    --rename-section .data.rel.local=.data.wolfcrypt	\
+	    --rename-section .data.rel.local=.data.wolfcrypt    \
 	    --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?
 	done
 	[ "$(KERNEL_ARCH_X86)" != "yes" ] ||			\
-	{ $(READELF) --syms $(WOLFCRYPT_PIE_FILES) |		\
-        $(AWK) -v obj="$(obj)" '				\
-	    /File:/ {						\
-		if (substr($$2, 1, length(obj)) == obj) {	\
-		    curfile = substr($$2, length(obj) + 2);	\
-		} else {					\
-		    curfile=$$2;				\
-		}						\
-		next;						\
-	    }							\
-	    {							\
-		if (($$4 == "SECTION") && ($$8 !~ "wolfcrypt")) {\
-		    if (! ((curfile ";" $$8) in warned_on)) {	\
-			print curfile ": " $$8 >"/dev/stderr";	\
-			warned_on[curfile ": " $$8] = 1;	\
-			++warnings;				\
-	    }}}							\
-	    END {						\
-		if (warnings) {					\
-		    exit(1);  					\
-		} else {					\
-		    exit(0);					\
-	    }}'; } ||						\
-	{ echo 'Error: section(s) missed by containerization.' >&2; exit 1; }
+	{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) |	\
+	$(AWK) -v obj="$(obj)" '					\
+	    /^File:/ {							\
+		phase = 0;						\
+		delete wolfcrypt_data_sections;				\
+		delete wolfcrypt_text_sections;				\
+		delete other_sections;					\
+		if (substr($$2, 1, length(obj)) == obj) {		\
+		    curfile = substr($$2, length(obj) + 2);		\
+		} else {						\
+		    curfile=$$2;					\
+		}							\
+		next;							\
+	    }								\
+	    /^Section Headers:/ {					\
+		phase = 1;						\
+		next;							\
+	    }								\
+	    /^Symbol table / {						\
+		phase = 2;						\
+		next;							\
+	    }								\
+	    {								\
+		if (phase == 1) {					\
+		    if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
+			switch (a[2]) {					\
+			case ".text.wolfcrypt":				\
+			{						\
+			    wolfcrypt_text_sections[a[1]] = a[2];	\
+			    next;					\
+			}						\
+			case /^\.(data|rodata|bss)\.wolfcrypt$$/:	\
+			{						\
+			    wolfcrypt_data_sections[a[1]] = a[2];	\
+			    next;					\
+			}						\
+			default:					\
+			{						\
+			    other_sections[a[1]] = a[2];		\
+			}						\
+			}						\
+			next;						\
+		    }							\
+		    next;						\
+		}							\
+		else if (phase == 2) {					\
+		    if ($$4 == "FUNC") {				\
+			if (! ($$7 in wolfcrypt_text_sections)) {	\
+			    print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
+			    ++warnings;					\
+			}						\
+			next;						\
+		    }							\
+		    else if ($$4 == "OBJECT") {				\
+			if (! ($$7 in wolfcrypt_data_sections)) {	\
+			    if ((other_sections[$$7] == ".printk_index") || \
+				(($$8 ~ /^_entry\.[0-9]+$$|^kernel_read_file_str$$/) &&		\
+				 (other_sections[$$7] == ".data.rel.ro.local"))) \
+				next;					\
+			    print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
+			    ++warnings;					\
+			}						\
+			next;						\
+		    }							\
+		}							\
+	    }								\
+	    END {							\
+		if (warnings) {						\
+		    exit(1);						\
+		} else {						\
+		    exit(0);						\
+	    }}'; } || \
+	{ echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }
 ifneq "$(quiet)" "silent_"
 	echo '  wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'
 endif

linuxkm/linuxkm_memory.c

@@ -21,22 +21,6 @@
 
 /* included by wolfcrypt/src/memory.c */
 
-#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0))
-/* needed in 6.1+ because show_free_areas() static definition in mm.h calls
- * __show_free_areas(), which isn't exported (neither was show_free_areas()).
- */
-void my__show_free_areas(
-    unsigned int flags,
-    nodemask_t *nodemask,
-    int max_zone_idx)
-{
-    (void)flags;
-    (void)nodemask;
-    (void)max_zone_idx;
-    return;
-}
-#endif
-
 #if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE)
 /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */
 void __my_fortify_panic(const char *name) {