globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;

globally replace defined(__PIE__) with defined(WC_CONTAINERIZE_THIS) to decouple containerization from -fPIE;

configure.ac:
* add --enable-kernel-reloc-tables as an alias for --enable-linuxkm-pie;
* always activate ENABLED_ENTROPY_MEMUSE_DEFAULT when KERNEL_MODE_DEFAULTS and not RDSEED/RDRAND, regardless of FIPS presence/version;

linuxkm/Kbuild:
* add -DWC_CONTAINERIZE_THIS to PIE_FLAGS;
* add support for NO_PIE_FLAG, which inhibits -fPIE on ENABLED_LINUXKM_PIE builds, and adds -DWC_NO_PIE_FLAG to PIE_FLAGS;

linuxkm/linuxkm_wc_port.h: add setup for WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER;

linuxkm/module_hooks.c: add wc_linuxkm_GenerateSeed_wolfEntropy().

Author: douzzer

configure.ac

@@ -704,14 +704,19 @@ AC_ARG_ENABLE([benchmark],
 
 # Remainder of Linux kernel module options, continued from earlier:
 
+ENABLED_LINUXKM_PIE=$ENABLED_FIPS
+
 AC_ARG_ENABLE([linuxkm-pie],
     [AS_HELP_STRING([--enable-linuxkm-pie],[Enable relocatable object build of Linux kernel module (default: disabled)])],
-    [ENABLED_LINUXKM_PIE=$enableval],
-    [ENABLED_LINUXKM_PIE=$ENABLED_FIPS]
-    )
+    [ENABLED_LINUXKM_PIE=$enableval])
+
+AC_ARG_ENABLE([kernel-reloc-tables],
+    [AS_HELP_STRING([--enable-kernel-reloc-tables],[Enable containerized object build of wolfCrypt module in kernel build (default: disabled)])],
+    [ENABLED_LINUXKM_PIE=$enableval])
+
 if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_LINUXKM_PIE" = "yes"
 then
-    AM_CFLAGS="$AM_CFLAGS -DWC_PIE_RELOC_TABLES"
+    AM_CFLAGS="$AM_CFLAGS -DWC_SYM_RELOC_TABLES"
 fi
 AC_SUBST([ENABLED_LINUXKM_PIE])
 
@@ -5820,8 +5825,7 @@ AC_ARG_ENABLE([pwdbased],
 if test "$KERNEL_MODE_DEFAULTS" = "yes" && \
    test "$ENABLED_AMDRDSEED" != "yes" && \
    test "$ENABLED_INTELRDRAND" != "yes" && \
-   test "$ENABLED_INTELRDSEED" != "yes" && \
-   (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6)
+   test "$ENABLED_INTELRDSEED" != "yes"
 then
     ENABLED_ENTROPY_MEMUSE_DEFAULT=yes
 else

linuxkm/Kbuild

@@ -106,7 +106,13 @@ ccflags-y = $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS)
 ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
     # note, we need -fno-stack-protector to avoid references to
     # "__stack_chk_fail" from the wolfCrypt container.
-    PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder
+    PIE_FLAGS := -DWC_CONTAINERIZE_THIS -fno-stack-protector -fno-toplevel-reorder
+    # some targets can't handle -fpie.  E.g. ARM32 on kernel <=5.10 has no handling for R_ARM_REL32.
+    ifdef NO_PIE_FLAG
+        PIE_FLAGS += -DWC_NO_PIE_FLAG
+    else
+        PIE_FLAGS += -fPIE
+    endif
     # the kernel sanitizers generate external references to
     # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc.
     KASAN_SANITIZE := n

linuxkm/linuxkm_memory.c

@@ -21,7 +21,7 @@
 
 /* included by wolfcrypt/src/memory.c */
 
-#if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE)
+#if defined(WC_SYM_RELOC_TABLES) && defined(CONFIG_FORTIFY_SOURCE)
 /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */
 void __my_fortify_panic(const char *name) {
     pr_emerg("__my_fortify_panic in %s\n", name);

linuxkm/linuxkm_wc_port.h

@@ -178,12 +178,21 @@
         #endif
     #endif
 
-    #if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6, 0, 0) && \
+    #if defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \
+            defined(HAVE_ENTROPY_MEMUSE) && \
+            !defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
+        #define WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER
+    #elif defined(HAVE_HASHDRBG) && defined(HAVE_FIPS) && \
             (defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)) && \
+            !defined(HAVE_ENTROPY_MEMUSE) && \
             !defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
         #define WC_LINUXKM_RDSEED_IN_GLUE_LAYER
     #endif
-    #ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER
+    #if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
+        struct OS_Seed;
+        extern int wc_linuxkm_GenerateSeed_wolfEntropy(struct OS_Seed* os, unsigned char* output, unsigned int sz);
+        #define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_wolfEntropy
+    #elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
         struct OS_Seed;
         extern int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, unsigned char* output, unsigned int sz);
         #define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD
@@ -208,7 +217,7 @@
         #endif
     #endif
 
-    #if defined(CONFIG_MIPS) && defined(WC_PIE_RELOC_TABLES)
+    #if defined(CONFIG_MIPS) && defined(WC_SYM_RELOC_TABLES)
         /* __ZBOOT__ disables some unhelpful macros around the mem*() funcs in
          * legacy arch/mips/include/asm/string.h
          */
@@ -255,7 +264,7 @@
 
     #if defined(CONFIG_FORTIFY_SOURCE) && \
         !defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
-        (defined(WC_PIE_RELOC_TABLES) || \
+        (defined(WC_SYM_RELOC_TABLES) || \
          (LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)))
         /* fortify-source causes all sorts of awkward problems for the PIE
          * build, up to and including stubborn external references and multiple
@@ -272,7 +281,7 @@
         #error WC_FORCE_LINUXKM_FORTIFY_SOURCE without CONFIG_FORTIFY_SOURCE.
     #endif
 
-    #if defined(__PIE__) && defined(CONFIG_ARM64)
+    #if defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_ARM64)
         #define alt_cb_patch_nops my__alt_cb_patch_nops
         #define queued_spin_lock_slowpath my__queued_spin_lock_slowpath
     #endif
@@ -281,7 +290,7 @@
     #include <linux/ctype.h>
 
     #if defined(CONFIG_FORTIFY_SOURCE) || defined(DEBUG_LINUXKM_FORTIFY_OVERLAY)
-        #ifdef __PIE__
+        #ifdef WC_CONTAINERIZE_THIS
             /* the inline definitions in fortify-string.h use non-inline
              * fortify_panic().
              */
@@ -412,7 +421,7 @@
 
     #endif /* !CONFIG_FORTIFY_SOURCE */
 
-    #ifndef __PIE__
+    #ifndef WC_CONTAINERIZE_THIS
         #include <linux/init.h>
         #include <linux/module.h>
         #include <linux/delay.h>
@@ -426,7 +435,7 @@
          * mm.h.  however, mm.h brings in static, but not inline, pmd_to_page(),
          * with direct references to global vmem variables.
          */
-        #ifdef __PIE__
+        #ifdef WC_CONTAINERIZE_THIS
             #include <linux/mm_types.h>
             #if USE_SPLIT_PMD_PTLOCKS
             static __always_inline struct page *pmd_to_page(pmd_t *pmd);
@@ -435,7 +444,7 @@
         #include <linux/mm.h>
     #endif
 
-#ifndef __PIE__
+#ifndef WC_CONTAINERIZE_THIS
     #include <linux/kthread.h>
     #include <linux/net.h>
 #endif
@@ -450,7 +459,7 @@
     #endif
     #include <linux/random.h>
 
-    #if !defined(__PIE__) && defined(CONFIG_HAVE_KPROBES)
+    #if !defined(WC_CONTAINERIZE_THIS) && defined(CONFIG_HAVE_KPROBES)
         #include <linux/kprobes.h>
     #endif
 
@@ -483,7 +492,7 @@
             #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
         #endif
 
-        #ifndef __PIE__
+        #ifndef WC_CONTAINERIZE_THIS
             #include <linux/crypto.h>
             #include <linux/scatterlist.h>
             #include <crypto/scatterwalk.h>
@@ -513,7 +522,7 @@
                 }
             #endif
             #define WC_LKM_REFCOUNT_TO_INT(refcount) wc_lkm_refcount_to_int(&(refcount))
-        #endif /* !__PIE__ */
+        #endif /* !WC_CONTAINERIZE_THIS */
     #endif /* LINUXKM_LKCAPI_REGISTER */
 
     /* benchmarks.c uses floating point math, so needs a working
@@ -730,11 +739,11 @@
 
     #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
 
-    #if defined(__PIE__) && !defined(WC_PIE_RELOC_TABLES)
-        #error "compiling -fPIE requires PIE relocation tables."
+    #if defined(WC_CONTAINERIZE_THIS) && !defined(WC_SYM_RELOC_TABLES)
+        #error "compiling -DWC_CONTAINERIZE_THIS requires relocation tables."
     #endif
 
-    #ifdef WC_PIE_RELOC_TABLES
+    #ifdef WC_SYM_RELOC_TABLES
 
     #ifndef WOLFSSL_TEXT_SEGMENT_CANONICALIZER
         #define WOLFSSL_TEXT_SEGMENT_CANONICALIZER(text_in, text_in_len, text_out, cur_index_p) \
@@ -759,6 +768,7 @@
         __wc_rwdata_end[],
         __wc_bss_start[],
         __wc_bss_end[];
+
     extern const unsigned int wc_linuxkm_pie_reloc_tab[];
     extern const unsigned long wc_linuxkm_pie_reloc_tab_length;
     extern ssize_t wc_linuxkm_normalize_relocations(
@@ -1013,7 +1023,7 @@
         #endif
 
         #ifdef CONFIG_ARM64
-        #ifdef __PIE__
+        #ifdef WC_CONTAINERIZE_THIS
             /* alt_cb_patch_nops and queued_spin_lock_slowpath are defined early
              * to allow shimming in system headers, but now we need the native
              * ones.
@@ -1088,7 +1098,7 @@
         #error no WC_PIE_INDIRECT_SYM method defined.
     #endif
 
-    #ifdef __PIE__
+    #ifdef WC_CONTAINERIZE_THIS
 
     #define wc_linuxkm_normalize_relocations \
         WC_PIE_INDIRECT_SYM(wc_linuxkm_normalize_relocations)
@@ -1237,8 +1247,8 @@
     #endif
 
     /* per linux/ctype.h, tolower() and toupper() are macros bound to static inlines
-     * that use macros that bring in the _ctype global.  for __PIE__, this needs to
-     * be masked out.
+     * that use macros that bring in the _ctype global.  for WC_CONTAINERIZE_THIS,
+     * this needs to be masked out.
      */
     #undef tolower
     #undef toupper
@@ -1296,9 +1306,9 @@
     #define wc_linuxkm_check_for_intr_signals WC_PIE_INDIRECT_SYM(wc_linuxkm_check_for_intr_signals)
     #define wc_linuxkm_relax_long_loop WC_PIE_INDIRECT_SYM(wc_linuxkm_relax_long_loop)
 
-    #endif /* __PIE__ */
+    #endif /* WC_CONTAINERIZE_THIS */
 
-    #endif /* WC_PIE_RELOC_TABLES */
+    #endif /* WC_SYM_RELOC_TABLES */
 
     /* remove this multifariously conflicting macro, picked up from
      * Linux arch/<arch>/include/asm/current.h.
@@ -1456,23 +1466,23 @@
             return 0;
         }
 
-        #ifdef __PIE__
-        /* wc_lkm_LockMutex() can't be used inline in __PIE__ objects, due to
+        #ifdef WC_CONTAINERIZE_THIS
+        /* wc_lkm_LockMutex() can't be used inline in WC_CONTAINERIZE_THIS objects, due to
          * direct access to pv_ops.
          */
         static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m)
         {
             return WC_PIE_INDIRECT_SYM(wc_lkm_LockMutex)(m);
         }
 
-        #else /* !__PIE__ */
+        #else /* !WC_CONTAINERIZE_THIS */
 
         static __must_check __always_inline int wc_LockMutex(wolfSSL_Mutex *m)
         {
             return wc_lkm_LockMutex(m);
         }
 
-        #endif /* !__PIE__ */
+        #endif /* !WC_CONTAINERIZE_THIS */
 
         static __always_inline int wc_UnLockMutex(wolfSSL_Mutex* m)
         {

linuxkm/module_hooks.c

@@ -92,7 +92,7 @@ static int libwolfssl_cleanup(void) {
 extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
 #endif
 
-#ifdef WC_PIE_RELOC_TABLES
+#ifdef WC_SYM_RELOC_TABLES
 
 #ifdef DEBUG_LINUXKM_PIE_SUPPORT
 
@@ -116,17 +116,17 @@ static int total_text_r = 0, total_rodata_r = 0, total_rwdata_r = 0,
 
 #endif /* DEBUG_LINUXKM_PIE_SUPPORT */
 
-#ifdef WC_PIE_RELOC_TABLES
+#ifdef WC_SYM_RELOC_TABLES
 extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
 static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
-#endif /* WC_PIE_RELOC_TABLES */
+#endif /* WC_SYM_RELOC_TABLES */
 
 #ifdef HAVE_FIPS
 extern const unsigned int wolfCrypt_FIPS_ro_start[];
 extern const unsigned int wolfCrypt_FIPS_ro_end[];
 #endif
 
-#endif /* WC_PIE_RELOC_TABLES */
+#endif /* WC_SYM_RELOC_TABLES */
 
 #ifdef HAVE_FIPS
 static void lkmFipsCb(int ok, int err, const char* hash)
@@ -301,8 +301,17 @@ void wc_linuxkm_relax_long_loop(void) {
     #endif
 }
 
-/* backported wc_GenerateSeed_IntelRD() for FIPS v5. */
-#ifdef WC_LINUXKM_RDSEED_IN_GLUE_LAYER
+#if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
+
+int wc_linuxkm_GenerateSeed_wolfEntropy(OS_Seed* os, byte* output, word32 sz)
+{
+    (void)os;
+    return wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
+}
+
+#elif defined(WC_LINUXKM_RDSEED_IN_GLUE_LAYER)
+
+/* backported wc_GenerateSeed_IntelRD() for FIPS v5, before breakout of wolfentropy.c. */
 
 #include <wolfssl/wolfcrypt/cpuid.h>
 #include <wolfssl/wolfcrypt/random.h>
@@ -497,13 +506,13 @@ static int wolfssl_init(void)
 
 #endif /* HAVE_FIPS */
 
-#ifdef WC_PIE_RELOC_TABLES
+#ifdef WC_SYM_RELOC_TABLES
     ret = set_up_wolfssl_linuxkm_pie_redirect_table();
     if (ret < 0)
         return ret;
 #endif
 
-#if defined(HAVE_FIPS) && defined(WC_PIE_RELOC_TABLES)
+#if defined(HAVE_FIPS) && defined(WC_SYM_RELOC_TABLES)
     if (((uintptr_t)__wc_text_start > (uintptr_t)wolfCrypt_FIPS_first) ||
         ((uintptr_t)__wc_text_end < (uintptr_t)wolfCrypt_FIPS_last) ||
         ((uintptr_t)__wc_rodata_start > (uintptr_t)wolfCrypt_FIPS_ro_start) ||
@@ -514,7 +523,7 @@ static int wolfssl_init(void)
     }
 #endif
 
-#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
+#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
     /* see linux commit ac3b432839 */
@@ -599,7 +608,7 @@ static int wolfssl_init(void)
                 total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
     }
 
-#endif /* WC_PIE_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */
+#endif /* WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT */
 
 #ifdef HAVE_FIPS
     ret = wolfCrypt_SetCb_fips(lkmFipsCb);
@@ -608,7 +617,7 @@ static int wolfssl_init(void)
         return -ECANCELED;
     }
 
-#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
+#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
     total_text_r = total_rodata_r = total_rwdata_r = total_bss_r =
         total_other_r = 0;
 #endif
@@ -620,7 +629,7 @@ static int wolfssl_init(void)
     else
         pr_err("ERROR: WC_SIG_IGNORE_BEGIN() failed.\n");
 
-#if defined(WC_PIE_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
+#if defined(WC_SYM_RELOC_TABLES) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
     pr_info("FIPS-bounded relocation normalizations: text=%d, rodata=%d, rwdata=%d, bss=%d, other=%d\n",
             total_text_r, total_rodata_r, total_rwdata_r, total_bss_r, total_other_r);
 #endif
@@ -865,7 +874,7 @@ MODULE_AUTHOR("https://www.wolfssl.com/");
 MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
 MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
 
-#ifdef WC_PIE_RELOC_TABLES
+#ifdef WC_SYM_RELOC_TABLES
 
 #define WC_TEXT_TAG (0x0 << 29)
 #define WC_RODATA_TAG (0x1U << 29)
@@ -1508,7 +1517,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
     return 0;
 }
 
-#endif /* WC_PIE_RELOC_TABLES */
+#endif /* WC_SYM_RELOC_TABLES */
 
 #if defined(HAVE_FIPS) && defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE)
 
@@ -1643,7 +1652,7 @@ static int updateFipsHash(void)
         goto out;
     }
 
-#if defined(WOLFSSL_LINUXKM) && defined(WC_PIE_RELOC_TABLES)
+#if defined(WOLFSSL_LINUXKM) && defined(WC_SYM_RELOC_TABLES)
     {
         ssize_t cur_reloc_index = -1;
         const byte *text_p = (const byte *)first;