Conversation
Add: * linuxkm/linuxkm-fips-hash.c * linuxkm/linuxkm-fips-hash-wrapper.sh * linuxkm/linuxkm_memory.h Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c: * reloc_layouts[] * find_reloc_tab_offset() * the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text() * most of updateFipsHash() as wc_fips_generate_hash() Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h: * struct wc_linuxkm_pie_reloc_tab_ent * enum wc_reloc_dest_segment * enum wc_reloc_type linuxkm/Makefile: * Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent. * Add targets: * libwolfssl-user-build/src/.libs/libwolfssl.so * linuxkm-fips-hash * module-with-matching-fips-hash * module-with-matching-fips-hash-no-sign * Add support for alternate target module name, via LIBWOLFSSL_NAME make variable. linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: * Fixes to make linuxkm-pie work with CONFIG_KASAN. * Implement WC_LINUXKM_STACK_DEBUG: * wc_linuxkm_stack_bottom() * wc_linuxkm_stack_top() * wc_linuxkm_stack_current() * wc_linuxkm_stack_left() * wc_linuxkm_stack_hwm_prepare() * wc_linuxkm_stack_hwm_measure_rel() * wc_linuxkm_stack_hwm_measure_total() wolfssl/wolfcrypt/settings.h: * When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG. * When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined. configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
| #endif | ||
|
|
||
| /* use kB instead of mB for embedded benchmarking */ | ||
| /* use kB instead of MB for embedded benchmarking */ |
There was a problem hiding this comment.
Should we make the k capital as well?
| ret = wc_fips_generate_hash( | ||
| &seg_map, | ||
| FIPS_IN_CORE_DIGEST_SIZE, | ||
| coreKey, |
There was a problem hiding this comment.
user_coreKey is never used after assignment, only coreKey.
| (seg_map.reloc_tab_len_start >= seg_map.reloc_tab_len_end) || | ||
| (seg_map.reloc_tab_len_end >= st.st_size)) | ||
| { | ||
| fprintf(stderr, "%s: supplied reloc_tab fencepost(s) are out of bounds.\n", progname, mod_path, st.st_size); |
There was a problem hiding this comment.
format arguments are missing
|
|
||
| if (seg_map.verifyCore_end - seg_map.verifyCore_start != new_verifyCore_size) { | ||
| fprintf(stderr, "%s: unexpected verifyCore length %zu.\n", progname, (size_t)(seg_map.verifyCore_end - seg_map.verifyCore_start)); | ||
| goto out; |
There was a problem hiding this comment.
should ret be set to non zero here?
|
|
||
| if (new_verifyCore_size < sizeof new_verifyCore) { | ||
| fprintf(stderr, "%s: wc_fips_generate_hash() returned unexpected verifyCore length %u.\n", progname, new_verifyCore_size); | ||
| goto out; |
| int mod_fd; | ||
| struct stat st; | ||
| byte *mod_map = NULL; | ||
| word32 reloc_tab_len; |
| { } | ||
| }; | ||
|
|
||
| ret = wolfCrypt_Init(); |
There was a problem hiding this comment.
we need to call wolfCrypt_Cleanup() at the end
|
|
||
| ret = wc_HmacInit(&hmac, NULL, INVALID_DEVID); | ||
| if (ret != 0) { | ||
| fprintf(stderr, "%s: wc_HmacInit() failed: %s.\n", progname, wc_GetErrorString(ret)); |
There was a problem hiding this comment.
mmap cleanup on error path
|
Hey @douzzer, Nice work on the offline FIPS hash PR! A few docs suggestions: README update -- A section in linuxkm/README.md about the offline hash workflow and the new make targets (module-with-matching-fips-hash, etc.) would help discoverability. |
3 participants
Implement Linux kernel module FIPS integrity hash offline calculation:
Add:
linuxkm/linuxkm-fips-hash.clinuxkm/linuxkm-fips-hash-wrapper.shlinuxkm/linuxkm_memory.hMove from
linuxkm/module_hooks.ctolinuxkm/linuxkm_memory.c:reloc_layouts[]find_reloc_tab_offset()wc_linuxkm_normalize_relocations()aswc_reloc_normalize_text()updateFipsHash()aswc_fips_generate_hash()Move from
linuxkm/linuxkm_wc_port.htolinuxkm/linuxkm_memory.h:struct wc_linuxkm_pie_reloc_tab_entenum wc_reloc_dest_segmentenum wc_reloc_typelinuxkm/Makefile:GENERATE_RELOC_TABrecipe to populate new fields instruct wc_reloc_table_ent.libwolfssl-user-build/src/.libs/libwolfssl.solinuxkm-fips-hashmodule-with-matching-fips-hashmodule-with-matching-fips-hash-no-signLIBWOLFSSL_NAMEmake variable.linuxkm/linuxkm_wc_port.handlinuxkm/module_hooks.c:CONFIG_KASAN.WC_LINUXKM_STACK_DEBUG:wc_linuxkm_stack_bottom()wc_linuxkm_stack_top()wc_linuxkm_stack_current()wc_linuxkm_stack_left()wc_linuxkm_stack_hwm_prepare()wc_linuxkm_stack_hwm_measure_rel()wc_linuxkm_stack_hwm_measure_total()wolfssl/wolfcrypt/settings.h:WOLFSSL_KERNEL_MODE, make sureWOLFSSL_GENERAL_ALIGNMENTis at leastSIZEOF_LONG.WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sureWOLFSSL_BASE16is defined.configure.acandwolfcrypt/benchmark/benchmark.c: Disable scrypt whenKERNEL_MODE_DEFAULTS, due to excessive memory requirements.tested with
with tweaks to
wolfssl-multi-test.shto exercise and verify offline hash calculation by default in FIPSdo_linuxkm_scenario_load_with_self_test()scenarios, and in the FIPS aarch64 linuxkm scenarios.