
Commit b4b2b34

committed
Implement Linux kernel module offline integrity hash calculation:
Add: * linuxkm/linuxkm-fips-hash.c * linuxkm/linuxkm-fips-hash-wrapper.sh * linuxkm/linuxkm_memory.h Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c: * reloc_layouts[] * find_reloc_tab_offset() * the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text() * most of updateFipsHash() as wc_fips_generate_hash() Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h: * struct wc_linuxkm_pie_reloc_tab_ent * enum wc_reloc_dest_segment * enum wc_reloc_type linuxkm/Makefile: * Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent. * Add targets: * libwolfssl-user-build/src/.libs/libwolfssl.so * linuxkm-fips-hash * module-with-matching-fips-hash * module-with-matching-fips-hash-no-sign * Add support for alternate target module name, via LIBWOLFSSL_NAME make variable. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * Fixes to make linuxkm-pie work with CONFIG_KASAN. * Implement WC_LINUXKM_STACK_DEBUG: * wc_linuxkm_stack_bottom() * wc_linuxkm_stack_top() * wc_linuxkm_stack_current() * wc_linuxkm_stack_left() * wc_linuxkm_stack_hwm_prepare() * wc_linuxkm_stack_hwm_measure_rel() * wc_linuxkm_stack_hwm_measure_total() wolfssl/wolfcrypt/settings.h: * When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG. * When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined. configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
1 parent 3a1aa83 commit b4b2b34


17 files changed

+2073
-780
lines changed

17 files changed

+2073
-780
lines changed

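--- a/.gitignore
+++ b/.gitignore
@@ -245,6 +245,8 @@ linuxkm/linuxkm/get_thread_size
 linuxkm/linuxkm
 linuxkm/src
 linuxkm/patches/src
+linuxkm/libwolfssl-user-build
+linuxkm/linuxkm-fips-hash
 *.nds
 
 # Generated during FreeBSD kernel module build.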

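--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -141,6 +141,8 @@ CONFIG_PTHREAD_IPC
 CONFIG_SCHED_INFO
 CONFIG_SMP
 CONFIG_SNTP_TIME_SYNC_METHOD_SMOOTH
+CONFIG_STACK_GROWSUP
+CONFIG_THREAD_INFO_IN_TASK
 CONFIG_TIMER_TASK_STACK_DEPTH
 CONFIG_TIMER_TASK_STACK_SIZE
 CONFIG_TLS_STACK_WOLFSSL
@@ -293,6 +295,7 @@ HAVE_THREADX
 HAVE_TM_TYPE
 HAVE_VALIDATE_DATE
 HAVE_VA_COPY
+HAVE_WC_FIPS_OPTEST_CONTESTFAILURE_EXPORT
 HAVE_X448
 HONOR_MATH_USED_LENGTH
 HSM_KEY_TYPE_HMAC_224
@@ -656,7 +659,7 @@ WIFI_101
 WIFI_AVAILABLE
 WIFI_NINA
 WIN_REUSE_CRYPT_HANDLE
-WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
+WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE_SUPPORT
 WOLFSENTRY_H
 WOLFSENTRY_NO_JSON
 WOLFSSL_32BIT_MILLI_TIME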

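--- a/Makefile.am
+++ b/Makefile.am
@@ -225,14 +225,21 @@ if BUILD_LINUXKM
 CFLAGS_FPU_DISABLE CFLAGS_FPU_ENABLE CFLAGS_SIMD_DISABLE CFLAGS_SIMD_ENABLE \
 CFLAGS_AUTO_VECTORIZE_DISABLE CFLAGS_AUTO_VECTORIZE_ENABLE \
 ASFLAGS_FPU_DISABLE_SIMD_ENABLE ASFLAGS_FPU_ENABLE_SIMD_DISABLE \
-ASFLAGS_FPUSIMD_DISABLE ASFLAGS_FPUSIMD_ENABLE ENABLED_KERNEL_BENCHMARKS
+ASFLAGS_FPUSIMD_DISABLE ASFLAGS_FPUSIMD_ENABLE ENABLED_KERNEL_BENCHMARKS \
+FIPS_FLAVOR
 
 module:
 +$(MAKE) -C linuxkm libwolfssl.ko
 
 module-update-fips-hash:
 +$(MAKE) -C linuxkm module-update-fips-hash
 
+module-with-matching-fips-hash:
++$(MAKE) -C linuxkm module-with-matching-fips-hash
+
+module-with-matching-fips-hash-no-sign:
++$(MAKE) -C linuxkm module-with-matching-fips-hash-no-sign
+
 clean_module:
 +$(MAKE) -C linuxkm clean
 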
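--- a/configure.ac
+++ b/configure.ac
@@ -415,6 +415,9 @@ AC_ARG_ENABLE([fips],
 [ENABLED_FIPS=$enableval],
 [ENABLED_FIPS="no"])
 
+FIPS_FLAVOR="$ENABLED_FIPS"
+AC_SUBST([FIPS_FLAVOR])
+
 # wolfProvider Options
 AC_ARG_ENABLE([wolfprovider],
 [AS_HELP_STRING([--enable-wolfprovider],[Enable wolfProvider options (default: disabled)])],
@@ -1463,7 +1466,6 @@ then
 test "$enable_pwdbased" = "" && enable_pwdbased=yes
 test "$enable_aeskeywrap" = "" && enable_aeskeywrap=yes
 test "$enable_x963kdf" = "" && enable_x963kdf=yes
-test "$enable_scrypt" = "" && test "$enable_hmac" != "no" && enable_scrypt=yes
 test "$enable_indef" = "" && enable_indef=yes
 test "$enable_enckeys" = "" && enable_enckeys=yes
 test "$enable_hashflags" = "" && enable_hashflags=yes
@@ -1480,11 +1482,11 @@ then
 test "$enable_ssh" = "" && test "$enable_hmac" != "no" && enable_ssh=yes
 test "$enable_rng_bank" = "" && enable_rng_bank=yes
 
-# the compiler optimizer generates a weird out-of-bounds bss reference for
-# find_hole() in the FP_ECC implementation.
-if test "$ENABLED_LINUXKM_PIE" != yes
+if test "$KERNEL_MODE_DEFAULTS" != "yes"
 then
-test "$enable_fpecc" = "" && test "$enable_ecc" != "no" && enable_fpecc=yes
+# Scrypt is excluded from kernel module builds (unless explicitly
+# enabled) because of its excessive memory requirements.
+test "$enable_scrypt" = "" && test "$enable_hmac" != "no" && enable_scrypt=yes
 fi
 
 if test "x$FIPS_VERSION" != "xv1"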
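Review bot: The third hunk silently drops the FP_ECC default (`test "$enable_fpecc" = "" && test "$enable_ecc" != "no" && enable_fpecc=yes`, old lines 1483-1487, together with the comment explaining why it was gated on non-PIE builds), but neither the replacement block nor the commit message says that `enable_fpecc` should now default off for this flavor; the message only mentions moving scrypt. If the removal is intended, a one-line comment in its place (`# FP_ECC is no longer defaulted on here; see <reason>`) would stop the next reader from re-adding it; if it is not, the new scrypt block should sit beside the old fpecc block rather than replace it. The enclosing `then` block this hunk sits in starts outside the hunk, so it is possible the fpecc default now lives elsewhere — worth confirming before merge.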

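--- a/linuxkm/Kbuild
+++ b/linuxkm/Kbuild
@@ -49,7 +49,11 @@ else ifeq "$(KERNEL_ARCH)" "arm"
 WOLFSSL_CFLAGS += -fno-optimize-sibling-calls -Os
 endif
 
-obj-m := libwolfssl.o
+ifndef LIBWOLFSSL_NAME
+LIBWOLFSSL_NAME := libwolfssl
+endif
+
+obj-m := $(LIBWOLFSSL_NAME).o
 
 WOLFSSL_OBJ_TARGETS := $(patsubst %, $(obj)/%, $(WOLFSSL_OBJ_FILES))
 
@@ -88,10 +92,10 @@ ifndef KERNEL_THREAD_STACK_SIZE
 endif
 MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4)))
 
-libwolfssl-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/module_exports.o
+$(LIBWOLFSSL_NAME)-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/module_exports.o
 
 ifeq "$(FIPS_OPTEST)" "1"
-libwolfssl-y += linuxkm/optest-140-3/linuxkm_optest_wrapper.o
+$(LIBWOLFSSL_NAME)-y += linuxkm/optest-140-3/linuxkm_optest_wrapper.o
 endif
 
 WOLFSSL_CFLAGS_NO_VECTOR_INSNS := $(CFLAGS_SIMD_DISABLE) $(CFLAGS_FPU_DISABLE)
@@ -162,7 +166,7 @@ ifdef KERNEL_EXTRA_CFLAGS_REMOVE
 ccflags-remove-y += $(KERNEL_EXTRA_CFLAGS_REMOVE)
 endif
 
-$(obj)/libwolfssl.mod.o: ccflags-y := $(PIE_SUPPORT_FLAGS)
+$(obj)/$(LIBWOLFSSL_NAME).mod.o: ccflags-y := $(PIE_SUPPORT_FLAGS)
 $(obj)/wolfcrypt/test/test.o: ccflags-y += -DNO_MAIN_DRIVER -DWOLFSSL_NO_OPTIONS_H
 $(obj)/wolfcrypt/src/aes.o: ccflags-y := $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_YES_VECTOR_INSNS) $(PIE_FLAGS) $(PIE_SUPPORT_FLAGS)
 $(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y := $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H
@@ -331,15 +335,19 @@ endif
 # auto-generate the exported symbol list, leveraging the WOLFSSL_API visibility tags.
 # exclude symbols that don't match wc_* or wolf*.
 EXPORT_SYMBOL := EXPORT_SYMBOL_NS_GPL
+ifndef WOLFSSL_NS
+WOLFSSL_NS := WOLFSSL
+endif
 $(obj)/linuxkm/module_exports.c: $(src)/module_exports.c.template $(WOLFSSL_OBJ_TARGETS) $(obj)/linuxkm/module_hooks.o
 @$(RENAME_PIE_TEXT_AND_DATA_SECTIONS)
 @cp $< $@ || exit $$?
 if [[ "$${VERSION}" -gt 6 || ("$${VERSION}" -eq 6 && "$${PATCHLEVEL}" -ge 13) ]]; then
 # use ASCII octal escape to avoid syntax disruption in the awk script.
-ns='\042WOLFSSL\042'
+ns='\042$(WOLFSSL_NS)\042'
 else
-ns='WOLFSSL'
+ns='$(WOLFSSL_NS)'
 fi
+ifndef NO_EXPORTS
 $(READELF) --symbols --wide $(filter %.o,$^) |
 $(AWK) '/^ *[0-9]+: / {
 if ($$8 !~ /^(wc_|wolf|WOLF|TLSX_)/){next;}
@@ -348,5 +356,6 @@ $(obj)/linuxkm/module_exports.c: $(src)/module_exports.c.template $(WOLFSSL_OBJ_
 }
 }' >> $@ || exit $$?
 echo -e "#ifndef NO_CRYPT_TEST\n$(EXPORT_SYMBOL)(wolfcrypt_test, $${ns});\n#endif" >> $@
+endif
 
 clean-files := linuxkm src wolfcrypt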
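Review bot: The three-line `ifndef LIBWOLFSSL_NAME` / `LIBWOLFSSL_NAME := libwolfssl` / `endif` block in the first hunk (and the identical `WOLFSSL_NS` block in the fourth) is the long-hand form of GNU make's conditional assignment; `LIBWOLFSSL_NAME ?= libwolfssl` and `WOLFSSL_NS ?= WOLFSSL` say the same thing in one line each, and the same three-line pattern recurs in the first hunk of linuxkm/Makefile. The default is also now declared in two files; presumably linuxkm/Makefile hands its value to Kbuild through the environment, but if the two defaults ever diverge the Makefile's `all` target would wait for a `.ko` that Kbuild never produces, so a comment at this definition naming which file is authoritative (`# default must match linuxkm/Makefile`) would be worth adding. Separately, `$(WOLFSSL_NS)` is expanded inside a single-quoted shell assignment (`ns='\042$(WOLFSSL_NS)\042'`), so a value containing a quote or whitespace would break the recipe rather than fail cleanly; it is a build-time knob rather than untrusted input, but a parse-time guard such as `ifneq ($(words $(WOLFSSL_NS)),1)` / `$(error WOLFSSL_NS must be a single token)` / `endif` would make the contract explicit.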

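--- a/linuxkm/Makefile
+++ b/linuxkm/Makefile
@@ -21,7 +21,11 @@
 .ONESHELL:
 SHELL=bash
 
-all: libwolfssl.ko libwolfssl.ko.signed
+ifndef LIBWOLFSSL_NAME
+LIBWOLFSSL_NAME := libwolfssl
+endif
+
+all: $(LIBWOLFSSL_NAME).ko $(LIBWOLFSSL_NAME).ko.signed
 
 ifndef MODULE_TOP
 MODULE_TOP=$(CURDIR)
@@ -147,8 +151,9 @@ GENERATE_RELOC_TAB := $(AWK) ' \
 n=0; \
 bad_relocs=0; \
 print "\#include <wolfssl/wolfcrypt/libwolfssl_sources.h>"; \
+print "\#include <wolfssl/wolfcrypt/memory.h>"; \
 printf("%s\n ", \
-"WOLFSSL_LOCAL const struct wc_linuxkm_pie_reloc_tab_ent wc_linuxkm_pie_reloc_tab[] = { "); \
+"WOLFSSL_LOCAL const struct wc_reloc_table_ent wc_linuxkm_pie_reloc_tab[] = { "); \
 if ("SECTION_MAP" in ENVIRON) { \
 while (getline <ENVIRON["SECTION_MAP"] > 0) \
 section_map[$$1] = $$2; \
@@ -204,8 +209,10 @@ GENERATE_RELOC_TAB := $(AWK) ' \
 print >"/dev/stderr"; \
 exit(1); \
 } \
-printf(" { .offset = 0x%xU, .dest_segment = %s, .reloc_type = WC_%s },\n", \
-strtonum("0x" gensub("^0*","",1,$$1)), \
+printf(" { .offset = 0x%xU, .dest_offset = 0x%xU, .dest_addend = %+d, .dest_segment = %s, .reloc_type = WC_%s },\n", \
+strtonum("0x" $$1), \
+strtonum("0x" $$4), \
+$$6 strtonum("0x" $$7), \
 section_tag, reloc_type); \
 } \
 } \
@@ -214,8 +221,8 @@ GENERATE_RELOC_TAB := $(AWK) ' \
 print "Found " bad_relocs " unresolvable relocations." >"/dev/stderr"; \
 exit(1); \
 } \
-print " { .offset = ~0U, .dest_segment = WC_R_SEG_NONE, .reloc_type = WC_R_NONE } };"; \
-print "WOLFSSL_LOCAL const unsigned long wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];"; \
+print " { .offset = ~0U, .dest_offset = ~0U, .dest_addend = 0, .dest_segment = WC_R_SEG_NONE, .reloc_type = WC_R_NONE } };"; \
+print "WOLFSSL_LOCAL const unsigned int wc_linuxkm_pie_reloc_tab_length = (unsigned int)(sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0]);"; \
 }'
 
 ifeq "$(V)" "1"
@@ -225,8 +232,8 @@ endif
 # This rule is .PHONY because it doesn't actually build the module -- Kbuild
 # does, and we always need to call Kbuild to enforce rebuild for dependencies
 # and config changes.
-.PHONY: libwolfssl.ko
-libwolfssl.ko:
+.PHONY: $(LIBWOLFSSL_NAME).ko
+$(LIBWOLFSSL_NAME).ko:
 @set -e
 @[[ '$(V)' == 1 ]] && { echo 'MODULE_TOP = "$(MODULE_TOP)"';
 echo 'SRC_TOP = "$(SRC_TOP)"';
@@ -303,7 +310,7 @@ else
 endif
 
 .PHONY: module-update-fips-hash
-module-update-fips-hash: libwolfssl.ko
+module-update-fips-hash: $(LIBWOLFSSL_NAME).ko
 @set -e
 @if test -z '$(FIPS_HASH)'; then echo ' $$FIPS_HASH is unset' >&2; exit 1; fi
 @if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo ' $$FIPS_HASH is malformed' >&2; exit 1; fi
@@ -320,9 +327,64 @@ module-update-fips-hash: libwolfssl.ko
 if [[ '$(FIPS_HASH)' == "$$current_verifyCore" ]]; then echo ' Supplied FIPS_HASH matches existing verifyCore -- no update needed.'; exit 0; fi; \
 echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of="$<" seek=$$verifyCore_offset count=64 status=none && \
 echo " FIPS verifyCore updated successfully." && \
-if [[ -f libwolfssl.ko.signed ]]; then $(MAKE) -C . libwolfssl.ko.signed; fi
+if [[ -f '$(LIBWOLFSSL_NAME).ko.signed' ]]; then $(MAKE) -C . '$(LIBWOLFSSL_NAME).ko.signed'; fi
+
+
+# linuxkm-fips-hash implements offline (no-load) FIPS hash calculation and graft-in.
+#
+# libwolfssl.so is built from the same sources as the kernel module, with the
+# same FIPS setting, then used with linuxkm-fips-hash to calculate and overwrite
+# the hash in libwolfssl.ko. Finally, the module is [re]signed.
+#
+# Note that libwolfssl.so has to be built from a hierarchy of symlinks, to avoid
+# depending on changes/config in the source directory. Also, aside from
+# FIPS_FLAVOR, inherited configuration settings in the environment are cleansed.
+
+libwolfssl-user-build/src/.libs/libwolfssl.so:
+@set -e
+@$(RM) -rf '$(MODULE_TOP)/libwolfssl-user-build'
+@mkdir '$(MODULE_TOP)/libwolfssl-user-build'
+@cd '$(MODULE_TOP)/libwolfssl-user-build'
+@pushd '$(SRC_TOP)' >/dev/null
+@echo -n 'Populating tree of symlinks...'
+@readarray -d '' -t srcfiles < <(find examples src support tests testsuite wolfcrypt wolfssl configure *.in build-aux debian rpm scripts certs doc mcapi cmake linuxkm/*.[ch] \( -name options.h -o -name user_settings\* \) -prune -o \( ! -type d \) \( -name '*.[chsSi]' -o -name configure -o -name '*.in' -o -name \*.sh -o -path support/\* -o -path build-aux/\* -o -path debian/\* -o -path rpm/\* -o -path scripts/\* -o -path certs/\* -o -path doc/\* -o -path mcapi/\* -o -path cmake/\* \) -print0)
+@popd >/dev/null
+@for file in "$${srcfiles[@]}"; do if [[ ! -e "$$file" ]]; then mkdir -p "$$(dirname "$$file")" && cp --no-dereference --symbolic-link --no-clobber '$(SRC_TOP)'/"$$file" "$$file"; fi; done
+@echo ' done.'
+@echo '__attribute__ ((visibility("default"))) extern const char coreKey[];' > user_settings.h
+@echo > user_settings_asm.h
+@echo -n 'Configuring libwolfssl.so...'
+@unset WOLFSSL_CFLAGS WOLFCRYPT_PIE_FILES ASFLAGS_FPUSIMD_ENABLE ASFLAGS_FPU_DISABLE_SIMD_ENABLE src_libwolfssl_la_OBJECTS WOLFSSL_ASFLAGS AM_CFLAGS WOLFSSL_OBJ_FILES ENABLED_LINUXKM_LKCAPI_REGISTER EXTRA_LDFLAGS CC LD
+@./configure --quiet --disable-jobserver --enable-cryptonly --enable-fips="$$FIPS_FLAVOR" CFLAGS='-DWC_SYM_RELOC_TABLES_SUPPORT -DWOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE -DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM'
+@echo ' done.'
+@echo -n 'Compiling and linking libwolfssl.so...'
+@$(MAKE) >/dev/null
+@echo ' done.'
+@echo -n 'Fixing FIPS hash...'
+@userhash=$$(wolfcrypt/test/testwolfcrypt 2>&1 | sed -n -E 's/^hash = (.+)$$/\1/p')
+@if [[ -z "$$userhash" ]]; then echo ' FIPS hash not found!' >&2; exit 1; fi
+@find wolfcrypt/src -name '*fips_test*o' -delete
+@$(MAKE) EXTRA_CFLAGS=-DWOLFCRYPT_FIPS_CORE_HASH_VALUE="$$userhash"
+@echo ' done.'
+
+linuxkm-fips-hash: libwolfssl-user-build/src/.libs/libwolfssl.so linuxkm-fips-hash.c
+@echo -n 'Compiling linuxkm-fips-hash...'
+# note direct invocation of cc -- we are compiling for the build host, not the target host.
+@cc -I'$(MODULE_TOP)/libwolfssl-user-build' -o linuxkm-fips-hash linuxkm/linuxkm-fips-hash.c -L '$(MODULE_TOP)/libwolfssl-user-build/src/.libs' -Wl,-rpath-link='$(MODULE_TOP)/libwolfssl-user-build/src/.libs' -Wl,-rpath='$(MODULE_TOP)/libwolfssl-user-build/src/.libs' -lwolfssl
+@echo ' done.'
+
+.PHONY: module-with-matching-fips-hash
+module-with-matching-fips-hash: $(LIBWOLFSSL_NAME).ko linuxkm-fips-hash
+@set -e
+./linuxkm-fips-hash-wrapper.sh "$<"
+$(MAKE) -C . '$(LIBWOLFSSL_NAME).ko.signed'
+
+.PHONY: module-with-matching-fips-hash-no-sign
+module-with-matching-fips-hash-no-sign: $(LIBWOLFSSL_NAME).ko linuxkm-fips-hash
+@set -e
+./linuxkm-fips-hash-wrapper.sh "$<"
 
-libwolfssl.ko.signed: libwolfssl.ko
+$(LIBWOLFSSL_NAME).ko.signed: $(LIBWOLFSSL_NAME).ko
 ifdef FORCE_NO_MODULE_SIG
 @echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.'
 else
@@ -371,6 +433,8 @@ clean:
 $(RM) -rf '$(MODULE_TOP)/linuxkm'
 $(RM) -rf '$(MODULE_TOP)/wolfcrypt'
 $(RM) -rf '$(MODULE_TOP)/src'
+$(RM) -rf '$(MODULE_TOP)/libwolfssl-user-build'
+$(RM) -f '$(MODULE_TOP)/linuxkm-fips-hash'
 
 .PHONY: check
 check: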
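Review bot: The new `libwolfssl-user-build/src/.libs/libwolfssl.so` target in the seventh hunk has no prerequisites, so once the file exists make considers it up to date forever and `linuxkm-fips-hash` (and therefore `module-with-matching-fips-hash`) will compute the module's FIPS hash against a stale user-mode library after any source or `FIPS_FLAVOR` change, even though the recipe itself is written as a from-scratch rebuild (`$(RM) -rf` then reconfigure). The `$(LIBWOLFSSL_NAME).ko` rule above is declared `.PHONY` for exactly this reason; the same treatment, `.PHONY: libwolfssl-user-build/src/.libs/libwolfssl.so`, or a `FORCE`-style prerequisite, would keep the hash tool and the module in step, at the cost of rebuilding the userland library on every invocation. Relatedly, `--enable-fips="$$FIPS_FLAVOR"` silently becomes `--enable-fips=` when the variable is not in the environment, and the only thing that catches it is the `FIPS hash not found!` check after a full configure-and-build; an up-front guard in the style of the existing `FIPS_HASH` checks, `@if test -z "$${FIPS_FLAVOR:-}"; then echo ' FIPS_FLAVOR is unset' >&2; exit 1; fi`, fails early with a clear message. I would also add a comment on the `linuxkm-fips-hash` rule noting that the prerequisite `linuxkm-fips-hash.c` and the compiled path `linuxkm/linuxkm-fips-hash.c` are presumably the same file reached through the `linuxkm/linuxkm` link, since the mismatch otherwise reads as a typo.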

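--- a/linuxkm/include.am
+++ b/linuxkm/include.am
@@ -7,10 +7,13 @@ EXTRA_DIST += m4/ax_linuxkm.m4 \
 linuxkm/Makefile \
 linuxkm/README.md \
 linuxkm/get_thread_size.c \
+linuxkm/linuxkm-fips-hash.c \
+linuxkm/linuxkm-fips-hash-wrapper.sh \
 linuxkm/module_hooks.c \
 linuxkm/module_exports.c.template \
 linuxkm/pie_redirect_table.c \
 linuxkm/linuxkm_memory.c \
+linuxkm/linuxkm_memory.h \
 linuxkm/linuxkm_wc_port.h \
 linuxkm/x86_vector_register_glue.c \
 linuxkm/lkcapi_glue.c \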
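--- /dev/null
+++ b/linuxkm/linuxkm-fips-hash-wrapper.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -o noclobber -o nounset -o pipefail -o errexit
+
+mod_path=$1
+
+readarray -t fenceposts < <(readelf --wide --sections --symbols "$mod_path" | awk '
+BEGIN {
+fips_fenceposts["wc_linuxkm_pie_reloc_tab"] = "reloc_tab_start";
+fips_fenceposts["wc_linuxkm_pie_reloc_tab_length"] = "reloc_tab_len_start";
+fips_fenceposts["verifyCore"] = "verifyCore_start";
+fips_fenceposts["wolfCrypt_FIPS_first"] = "fips_text_start";
+fips_fenceposts["wolfCrypt_FIPS_last"] = "fips_text_end";
+fips_fenceposts["wolfCrypt_FIPS_ro_start"] = "fips_rodata_start";
+fips_fenceposts["wolfCrypt_FIPS_ro_end"] = "fips_rodata_end";
+singleton_ends["wc_linuxkm_pie_reloc_tab"] = "reloc_tab_end";
+singleton_ends["wc_linuxkm_pie_reloc_tab_length"] = "reloc_tab_len_end";
+singleton_ends["verifyCore"] = "verifyCore_end";
+}
+
+/^Section Headers:/ {
+in_sections = 1;
+in_symbols = 0;
+next;
+}
+
+/^Symbol table / {
+if (! in_sections) {
+print "symbol table appeared before section headers." >"/dev/stderr";
+exit(1);
+}
+in_sections = 0;
+in_symbols = 1;
+next;
+}
+{
+if (in_sections) {
+if (match($0,
+"^[[:space:]]*\\[([^]]+)\\][[:space:]]+\\.([^[:space:].]+)_wolfcrypt[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+([0-9a-f]+)[[:space:]]+([0-9a-f]+)[[:space:]]",
+section_line_a)) {
+segnum = strtonum(section_line_a[1]);
+segname = section_line_a[2];
+segstart = section_line_a[3];
+segsize = section_line_a[4];
+seg_starts_by_id[segnum] = strtonum("0x" segstart);
+printf("--%s_start\n0x%x\n--%s_end\n0x%x\n", segname, strtonum("0x" segstart), segname, strtonum("0x" segstart) + strtonum("0x" segsize));
+next;
+}
+}
+if (in_symbols) {
+if ($7 !~ "^[0-9]+$")
+next;
+if (($4 != "NOTYPE") && ($4 != "OBJECT") && ($4 != "FUNC"))
+next;
+if (! ($8 in fips_fenceposts))
+next;
+if (! ($7 in seg_starts_by_id)) {
+print "segment offset missing for segment " $7 " for symbol " $8 "." >"/dev/stderr";
+exit(1);
+}
+printf("--%s\n0x%x\n", fips_fenceposts[$8], seg_starts_by_id[$7] + strtonum("0x" $2));
+if ($8 in singleton_ends)
+printf("--%s\n0x%x\n", singleton_ends[$8], seg_starts_by_id[$7] + strtonum("0x" $2) + strtonum($3));
+}
+}')
+
+./linuxkm-fips-hash "${fenceposts[@]}" --mod-path "$mod_path" --in-place --quiet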
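Review bot: The `readarray -t fenceposts < <(readelf … | awk '…')` on line 7 defeats the `errexit`/`pipefail` set on line 3: a failure inside a process substitution is not visible to the parent shell, so when `readelf` fails or the awk program takes one of its `exit(1)` paths (symbol table before section headers, missing segment for a fencepost), `readarray` still succeeds with a partial or empty array and line 67 goes on to run `./linuxkm-fips-hash … --in-place` on the module with an incomplete fencepost list. Capturing the pipeline first lets the shell options do their job: `fencepost_list=$(readelf --wide --sections --symbols "$mod_path" | awk '…')` followed by `readarray -t fenceposts <<< "$fencepost_list"`, with the awk body unchanged, and a `[[ -n "$fencepost_list" ]] || { echo "no FIPS fenceposts found in $mod_path" >&2; exit 1; }` in between so an empty result is also rejected before the module is modified in place. The awk program also emits one `--<name>_start`/`--<name>_end` pair per matching symbol, so if a symbol appears in more than one symbol table the same option would be passed twice; whether `linuxkm-fips-hash` tolerates that is not visible here and is worth a comment either way. A usage line before `mod_path=$1` (`[[ $# -eq 1 ]] || { echo "usage: $0 <module.ko>" >&2; exit 2; }`) would turn the `nounset` "unbound variable" error into a readable message.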
