Skip to content

Commit 01313cc

Browse files
committed
linuxkm/x86_vector_register_glue.c:
* refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable(); * eliminate the WC_FPU_ALREADY_FLAG kludge. * improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references; * extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes; * add version exceptions for RHEL 9.5. linuxkm/Kbuild: * on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none; * refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft; configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal; linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
1 parent 2c90d15 commit 01313cc

File tree

9 files changed

+336
-262
lines changed

9 files changed

+336
-262
lines changed

.wolfssl_known_macro_extras

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -451,6 +451,7 @@ REDIRECTION_OUT1_KEYID
451451
REDIRECTION_OUT2_KEYELMID
452452
REDIRECTION_OUT2_KEYID
453453
RENESAS_T4_USE
454+
RHEL_MAJOR
454455
RTC_ALARMSUBSECONDMASK_ALL
455456
RTE_CMSIS_RTOS_RTX
456457
RTOS_MODULE_NET_AVAIL

configure.ac

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9613,7 +9613,7 @@ then
96139613
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2" ;;
96149614
'sha3') test "$ENABLED_SHA3" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 implementation not enabled.])
96159615
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
9616-
'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1 -DLINUXKM_LKCAPI_REGISTER_SHA2 -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
9616+
'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA_ALL" ;;
96179617
'hmac(sha1)') test "$ENABLED_SHA" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 HMAC implementation not enabled.])
96189618
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC" ;;
96199619
'hmac(sha2)') (test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no") && \
@@ -9622,7 +9622,7 @@ then
96229622
'hmac(sha3)') test "$ENABLED_SHA3" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 HMAC implementation not enabled.])
96239623
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
96249624
'all-hmac') test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HMAC implementation not enabled.])
9625-
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC -DLINUXKM_LKCAPI_REGISTER_SHA2_HMAC -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
9625+
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HMAC_ALL" ;;
96269626
'stdrng') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
96279627
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG" ;;
96289628
'stdrng-default') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
@@ -9648,11 +9648,11 @@ then
96489648
'-sha1') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1" ;;
96499649
'-sha2') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2" ;;
96509650
'-sha3') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
9651-
'-all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1 -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2 -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
9651+
'-all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA_ALL" ;;
96529652
'-hmac(sha1)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC" ;;
96539653
'-hmac(sha2)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC" ;;
96549654
'-hmac(sha3)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
9655-
'-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
9655+
'-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HMAC_ALL" ;;
96569656
'-stdrng') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG" ;;
96579657
'-stdrng-default') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT" ;;
96589658
'-ecdsa') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDSA" ;;

linuxkm/Kbuild

Lines changed: 85 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,17 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
104104
PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
105105
PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
106106
ifeq "$(KERNEL_ARCH_X86)" "yes"
107-
PIE_FLAGS += -mcmodel=small -mindirect-branch=keep -mfunction-return=keep
107+
PIE_FLAGS += -mcmodel=small
108+
ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
109+
PIE_FLAGS += -mfunction-return=thunk-inline
110+
else
111+
PIE_FLAGS += -mfunction-return=keep
112+
endif
113+
ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
114+
PIE_FLAGS += -mindirect-branch=thunk-inline
115+
else
116+
PIE_FLAGS += -mindirect-branch=keep
117+
endif
108118
endif
109119
ifeq "$(KERNEL_ARCH)" "mips"
110120
PIE_FLAGS += -mabicalls
@@ -194,34 +204,83 @@ endif
194204
--rename-section .rodata.str1.1=.rodata.wolfcrypt \
195205
--rename-section .rodata.str1.8=.rodata.wolfcrypt \
196206
--rename-section .data=.data.wolfcrypt \
197-
--rename-section .data.rel.local=.data.wolfcrypt \
207+
--rename-section .data.rel.local=.data.wolfcrypt \
198208
--rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?
199209
done
200210
[ "$(KERNEL_ARCH_X86)" != "yes" ] || \
201-
{ $(READELF) --syms $(WOLFCRYPT_PIE_FILES) | \
202-
$(AWK) -v obj="$(obj)" ' \
203-
/File:/ { \
204-
if (substr($$2, 1, length(obj)) == obj) { \
205-
curfile = substr($$2, length(obj) + 2); \
206-
} else { \
207-
curfile=$$2; \
208-
} \
209-
next; \
210-
} \
211-
{ \
212-
if (($$4 == "SECTION") && ($$8 !~ "wolfcrypt")) {\
213-
if (! ((curfile ";" $$8) in warned_on)) { \
214-
print curfile ": " $$8 >"/dev/stderr"; \
215-
warned_on[curfile ": " $$8] = 1; \
216-
++warnings; \
217-
}}} \
218-
END { \
219-
if (warnings) { \
220-
exit(1); \
221-
} else { \
222-
exit(0); \
223-
}}'; } || \
224-
{ echo 'Error: section(s) missed by containerization.' >&2; exit 1; }
211+
{ $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
212+
$(AWK) -v obj="$(obj)" ' \
213+
/^File:/ { \
214+
phase = 0; \
215+
delete wolfcrypt_data_sections; \
216+
delete wolfcrypt_text_sections; \
217+
delete other_sections; \
218+
if (substr($$2, 1, length(obj)) == obj) { \
219+
curfile = substr($$2, length(obj) + 2); \
220+
} else { \
221+
curfile=$$2; \
222+
} \
223+
next; \
224+
} \
225+
/^Section Headers:/ { \
226+
phase = 1; \
227+
next; \
228+
} \
229+
/^Symbol table / { \
230+
phase = 2; \
231+
next; \
232+
} \
233+
{ \
234+
if (phase == 1) { \
235+
if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
236+
switch (a[2]) { \
237+
case ".text.wolfcrypt": \
238+
{ \
239+
wolfcrypt_text_sections[a[1]] = a[2]; \
240+
next; \
241+
} \
242+
case /^\.(data|rodata|bss)\.wolfcrypt$$/: \
243+
{ \
244+
wolfcrypt_data_sections[a[1]] = a[2]; \
245+
next; \
246+
} \
247+
default: \
248+
{ \
249+
other_sections[a[1]] = a[2]; \
250+
} \
251+
} \
252+
next; \
253+
} \
254+
next; \
255+
} \
256+
else if (phase == 2) { \
257+
if ($$4 == "FUNC") { \
258+
if (! ($$7 in wolfcrypt_text_sections)) { \
259+
print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
260+
++warnings; \
261+
} \
262+
next; \
263+
} \
264+
else if ($$4 == "OBJECT") { \
265+
if (! ($$7 in wolfcrypt_data_sections)) { \
266+
if ((other_sections[$$7] == ".printk_index") || \
267+
(($$8 ~ /^_entry\.[0-9]+$$|^kernel_read_file_str$$/) && \
268+
(other_sections[$$7] == ".data.rel.ro.local"))) \
269+
next; \
270+
print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
271+
++warnings; \
272+
} \
273+
next; \
274+
} \
275+
} \
276+
} \
277+
END { \
278+
if (warnings) { \
279+
exit(1); \
280+
} else { \
281+
exit(0); \
282+
}}'; } || \
283+
{ echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }
225284
ifneq "$(quiet)" "silent_"
226285
echo ' wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'
227286
endif

linuxkm/linuxkm_memory.c

Lines changed: 0 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -21,22 +21,6 @@
2121

2222
/* included by wolfcrypt/src/memory.c */
2323

24-
#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0))
25-
/* needed in 6.1+ because show_free_areas() static definition in mm.h calls
26-
* __show_free_areas(), which isn't exported (neither was show_free_areas()).
27-
*/
28-
void my__show_free_areas(
29-
unsigned int flags,
30-
nodemask_t *nodemask,
31-
int max_zone_idx)
32-
{
33-
(void)flags;
34-
(void)nodemask;
35-
(void)max_zone_idx;
36-
return;
37-
}
38-
#endif
39-
4024
#if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE)
4125
/* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */
4226
void __my_fortify_panic(const char *name) {

0 commit comments

Comments
 (0)