@@ -104,7 +104,17 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
104104 PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
105105 PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
106106 ifeq "$(KERNEL_ARCH_X86)" "yes"
107- PIE_FLAGS += -mcmodel=small -mindirect-branch=keep -mfunction-return=keep
107+ PIE_FLAGS += -mcmodel=small
108+ ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
109+ PIE_FLAGS += -mfunction-return=thunk-inline
110+ else
111+ PIE_FLAGS += -mfunction-return=keep
112+ endif
113+ ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
114+ PIE_FLAGS += -mindirect-branch=thunk-inline
115+ else
116+ PIE_FLAGS += -mindirect-branch=keep
117+ endif
108118 endif
109119 ifeq "$(KERNEL_ARCH)" "mips"
110120 PIE_FLAGS += -mabicalls
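Review bot: The two mitigation options look crossed in the added x86 block: `CONFIG_MITIGATION_RETPOLINE` selects `-mfunction-return=thunk-inline` and `CONFIG_MITIGATION_RETHUNK` selects `-mindirect-branch=thunk-inline`, while in the kernel's own x86 build retpoline governs indirect branches and rethunk governs function returns. As written, a kernel with retpoline enabled and rethunk disabled builds the PIE objects with `-mindirect-branch=keep`, so without indirect-branch thunks. I would swap the guards: `ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"` around `PIE_FLAGS += -mindirect-branch=thunk-inline`, and `ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"` around `PIE_FLAGS += -mfunction-return=thunk-inline`. Kernels that predate the `CONFIG_MITIGATION_*` names (`CONFIG_RETPOLINE`, `CONFIG_RETHUNK`) fall through to `keep` on both, which deserves a check or at least a comment. The enclosing `ifeq "$(ENABLED_LINUXKM_PIE)"` block starts outside the hunk.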
@@ -193,35 +203,85 @@ endif
193203 --rename-section .rodata=.rodata.wolfcrypt \
194204 --rename-section .rodata.str1.1=.rodata.wolfcrypt \
195205 --rename-section .rodata.str1.8=.rodata.wolfcrypt \
206+ --rename-section .rodata.cst16=.rodata.wolfcrypt \
196207 --rename-section .data=.data.wolfcrypt \
197- --rename-section .data.rel.local=.data.wolfcrypt \
208+ --rename-section .data.rel.local=.data.wolfcrypt \
198209 --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$?
199210 done
200211 [ "$(KERNEL_ARCH_X86)" != "yes" ] || \
201- { $(READELF) --syms $(WOLFCRYPT_PIE_FILES) | \
202- $(AWK) -v obj="$(obj)" ' \
203- /File:/ { \
204- if (substr($$2, 1, length(obj)) == obj) { \
205- curfile = substr($$2, length(obj) + 2); \
206- } else { \
207- curfile=$$2; \
208- } \
209- next; \
210- } \
211- { \
212- if (($$4 == "SECTION") && ($$8 !~ "wolfcrypt")) {\
213- if (! ((curfile ";" $$8) in warned_on)) { \
214- print curfile ": " $$8 >"/dev/stderr"; \
215- warned_on[curfile ": " $$8] = 1; \
216- ++warnings; \
217- }}} \
218- END { \
219- if (warnings) { \
220- exit(1); \
221- } else { \
222- exit(0); \
223- }}'; } || \
224- { echo 'Error: section(s) missed by containerization.' >&2; exit 1; }
212+ { $(READELF) --sections --syms --wide $(WOLFCRYPT_PIE_FILES) | \
213+ $(AWK) -v obj="$(obj)" ' \
214+ /^File:/ { \
215+ phase = 0; \
216+ delete wolfcrypt_data_sections; \
217+ delete wolfcrypt_text_sections; \
218+ delete other_sections; \
219+ if (substr($$2, 1, length(obj)) == obj) { \
220+ curfile = substr($$2, length(obj) + 2); \
221+ } else { \
222+ curfile=$$2; \
223+ } \
224+ next; \
225+ } \
226+ /^Section Headers:/ { \
227+ phase = 1; \
228+ next; \
229+ } \
230+ /^Symbol table / { \
231+ phase = 2; \
232+ next; \
233+ } \
234+ { \
235+ if (phase == 1) { \
236+ if (match($$0, "^ *\\[ *([0-9]+)\\] +([^ ]+) ", a)) {\
237+ switch (a[2]) { \
238+ case ".text.wolfcrypt": \
239+ { \
240+ wolfcrypt_text_sections[a[1]] = a[2]; \
241+ next; \
242+ } \
243+ case /^\.(data|rodata|bss)\.wolfcrypt$$/: \
244+ { \
245+ wolfcrypt_data_sections[a[1]] = a[2]; \
246+ next; \
247+ } \
248+ default: \
249+ { \
250+ other_sections[a[1]] = a[2]; \
251+ } \
252+ } \
253+ next; \
254+ } \
255+ next; \
256+ } \
257+ else if (phase == 2) { \
258+ if ($$4 == "FUNC") { \
259+ if (! ($$7 in wolfcrypt_text_sections)) { \
260+ print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
261+ ++warnings; \
262+ } \
263+ next; \
264+ } \
265+ else if ($$4 == "OBJECT") { \
266+ if (! ($$7 in wolfcrypt_data_sections)) { \
267+ if ((other_sections[$$7] == ".printk_index") || \
268+ (($$8 ~ /^_entry\.[0-9]+$$|^kernel_read_file_str$$/) && \
269+ (other_sections[$$7] == ".data.rel.ro.local"))) \
270+ next; \
271+ print curfile ": " $$4 " " $$8 " " other_sections[$$7] >"/dev/stderr"; \
272+ ++warnings; \
273+ } \
274+ next; \
275+ } \
276+ } \
277+ } \
278+ END { \
279+ if (warnings) { \
280+ exit(1); \
281+ } else { \
282+ exit(0); \
283+ }}'; } || \
284+ { echo 'Error: symbol(s) missed by containerization.' >&2; exit 1; }
225285ifneq "$(quiet ) " "silent_"
226286 echo ' wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt'
227287endif
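Review bot: The rewritten phase-2 check inspects only `FUNC` and `OBJECT` symbols, so a section that holds data without such a symbol is no longer reported, whereas the removed script flagged any `SECTION` symbol outside `*.wolfcrypt`. This could affect, for example, a merged-constant or string section other than the ones renamed above, though whether the compiler emits one here is not visible in the hunk. If the narrowing is intended, a comment next to the rule should say so, e.g. `# only FUNC/OBJECT symbols are checked; sections holding unnamed data are not detected`. Otherwise phase 1 could also warn on non-empty allocated sections that land in `other_sections`. Separately, three-argument `match()` and `switch` are gawk extensions, so with any other `$(AWK)` the program fails to parse and the recipe prints 'symbol(s) missed by containerization', which points at the wrong cause. The recipe begins before this hunk.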