linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: tweak gating for verifyCore and my_kallsyms_lookup_name, and use the latter to reach verifyCore on old FIPS. also tweak the In-core integrity hash check failure." message to supply module-update-fips-hash instructions.

Author: douzzer

.wolfssl_known_macro_extras

@@ -105,6 +105,7 @@ CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
 CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING
 CONFIG_FREERTOS_HZ
 CONFIG_FREERTOS_UNICORE
+CONFIG_HAVE_KPROBES
 CONFIG_IDF_TARGET
 CONFIG_IDF_TARGET_ARCH_RISCV
 CONFIG_IDF_TARGET_ARCH_XTENSA

linuxkm/linuxkm_wc_port.h

@@ -447,10 +447,8 @@
     #endif
     #include <linux/random.h>
 
-    #ifndef __PIE__
-        #if defined(WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES) || defined(FIPS_OPTEST)
-            #include <linux/kprobes.h>
-        #endif
+    #if !defined(__PIE__) && defined(CONFIG_HAVE_KPROBES)
+        #include <linux/kprobes.h>
     #endif
 
     #ifdef LINUXKM_LKCAPI_REGISTER

linuxkm/module_hooks.c

@@ -85,6 +85,10 @@ static int libwolfssl_cleanup(void) {
     return ret;
 }
 
+#if defined(HAVE_FIPS) && (FIPS_VERSION3_GE(6,0,0) || defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE))
+extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
+#endif
+
 #ifdef HAVE_LINUXKM_PIE_SUPPORT
 
 #ifdef DEBUG_LINUXKM_PIE_SUPPORT
@@ -117,7 +121,6 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
 #ifdef HAVE_FIPS
 extern const unsigned int wolfCrypt_FIPS_ro_start[];
 extern const unsigned int wolfCrypt_FIPS_ro_end[];
-extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
 #endif
 
 #endif /* HAVE_LINUXKM_PIE_SUPPORT */
@@ -128,9 +131,15 @@ static void lkmFipsCb(int ok, int err, const char* hash)
     if ((! ok) || (err != 0))
         pr_err("ERROR: libwolfssl FIPS error: %s\n", wc_GetErrorString(err));
     if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
-        pr_err("In-core integrity hash check failure.\n"
-               "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
-               hash ? hash : "<null>");
+        if (hash) {
+            pr_err("In-core integrity hash check failure.\n"
+                   "Update FIPS hash with \"make module-update-fips-hash FIPS_HASH=%s\".\n",
+                   hash);
+        }
+        else {
+            pr_err("In-core integrity hash check failure.\n");
+            pr_err("ERROR: could not compute new hash.  Contact customer support.\n");
+        }
     }
 }
 #endif
@@ -389,6 +398,10 @@ int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, byte* output, word32 sz)
     #include "linuxkm/x86_vector_register_glue.c"
 #endif
 
+#ifdef CONFIG_HAVE_KPROBES
+    static WC_MAYBE_UNUSED void *my_kallsyms_lookup_name(const char *name);
+#endif
+
 #ifdef FIPS_OPTEST
     #ifndef HAVE_FIPS
         #error FIPS_OPTEST requires HAVE_FIPS.
@@ -398,7 +411,6 @@ int wc_linuxkm_GenerateSeed_IntelRD(struct OS_Seed* os, byte* output, word32 sz)
     #endif
     extern int linuxkm_op_test_1(int argc, const char* argv[]);
     extern int linuxkm_op_test_wrapper(void);
-    static void *my_kallsyms_lookup_name(const char *name);
     static wolfSSL_Atomic_Int *conTestFailure_ptr = NULL;
     static ssize_t FIPS_optest_trig_handler(struct kobject *kobj, struct kobj_attribute *attr,
                                        const char *buf, size_t count);
@@ -422,9 +434,29 @@ static int wolfssl_init(void)
      * updateFipsHash() (WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE) to be safe from
      * overruns.
      */
-    if (strlen(verifyCore) != WC_SHA256_DIGEST_SIZE*2) {
-        pr_err("ERROR: compile-time FIPS hash is the wrong length (expected %d hex digits).\n", WC_SHA256_DIGEST_SIZE*2);
-        return -ECANCELED;
+    {
+        size_t verifyCore_len;
+#if FIPS_VERSION3_GE(6,0,0) || defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE)
+        verifyCore_len = strlen(verifyCore);
+#else
+#ifdef CONFIG_HAVE_KPROBES
+        char *verifyCore_ptr = my_kallsyms_lookup_name("verifyCore");
+        if (verifyCore_ptr)
+            verifyCore_len = strlen(verifyCore_ptr);
+        else
+#endif /* CONFIG_HAVE_KPROBES */
+        {
+            /* can't check -- have to assume. */
+#if defined(CONFIG_HAVE_KPROBES) && (defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG))
+            pr_err("INFO: couldn't get verifyCore_ptr -- skipping verifyCore length check.\n");
+#endif
+            verifyCore_len = WC_SHA256_DIGEST_SIZE*2;
+        }
+#endif
+        if (verifyCore_len != WC_SHA256_DIGEST_SIZE*2) {
+            pr_err("ERROR: compile-time FIPS hash is the wrong length (expected %d hex digits, got %zu).\n", WC_SHA256_DIGEST_SIZE*2, verifyCore_len);
+            return -ECANCELED;
+        }
     }
 
 #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
@@ -573,8 +605,15 @@ static int wolfssl_init(void)
         pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret));
         if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
             const char *newhash = wolfCrypt_GetCoreHash_fips();
-            pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
-                   newhash ? newhash : "<null>");
+            if (newhash) {
+                pr_err("In-core integrity hash check failure.\n"
+                       "Update FIPS hash with \"make module-update-fips-hash FIPS_HASH=%s\".\n",
+                       newhash);
+            }
+            else {
+                pr_err("In-core integrity hash check failure.\n");
+                pr_err("ERROR: could not compute new hash.  Contact customer support.\n");
+            }
         }
         return -ECANCELED;
     }
@@ -1601,6 +1640,36 @@ static int updateFipsHash(void)
 
 #endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */
 
+#ifdef CONFIG_HAVE_KPROBES
+
+static WC_MAYBE_UNUSED void *my_kallsyms_lookup_name(const char *name) {
+    static typeof(kallsyms_lookup_name) *kallsyms_lookup_name_ptr = NULL;
+    static struct kprobe kallsyms_lookup_name_kp = {
+        .symbol_name = "kallsyms_lookup_name"
+    };
+    unsigned long a;
+
+    if (! kallsyms_lookup_name_ptr) {
+        int ret;
+        kallsyms_lookup_name_kp.addr = NULL;
+        if ((ret = register_kprobe(&kallsyms_lookup_name_kp)) != 0) {
+            pr_err_once("ERROR: register_kprobe(&kallsyms_lookup_name_kp) failed: %d", ret);
+            return 0;
+        }
+        kallsyms_lookup_name_ptr = (typeof(kallsyms_lookup_name_ptr))kallsyms_lookup_name_kp.addr;
+        unregister_kprobe(&kallsyms_lookup_name_kp);
+        if (! kallsyms_lookup_name_ptr) {
+            pr_err_once("ERROR: kallsyms_lookup_name_kp.addr is null.");
+            return 0;
+        }
+    }
+
+    a = kallsyms_lookup_name_ptr(name);
+    return (void *)a;
+}
+
+#endif /* CONFIG_HAVE_KPROBES */
+
 #ifdef HAVE_FIPS
 
 static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_attribute *attr,
@@ -1651,32 +1720,6 @@ static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_at
 
 #ifdef FIPS_OPTEST
 
-static void *my_kallsyms_lookup_name(const char *name) {
-    static typeof(kallsyms_lookup_name) *kallsyms_lookup_name_ptr = NULL;
-    static struct kprobe kallsyms_lookup_name_kp = {
-        .symbol_name = "kallsyms_lookup_name"
-    };
-    unsigned long a;
-
-    if (! kallsyms_lookup_name_ptr) {
-        int ret;
-        kallsyms_lookup_name_kp.addr = NULL;
-        if ((ret = register_kprobe(&kallsyms_lookup_name_kp)) != 0) {
-            pr_err_once("ERROR: register_kprobe(&kallsyms_lookup_name_kp) failed: %d", ret);
-            return 0;
-        }
-        kallsyms_lookup_name_ptr = (typeof(kallsyms_lookup_name_ptr))kallsyms_lookup_name_kp.addr;
-        unregister_kprobe(&kallsyms_lookup_name_kp);
-        if (! kallsyms_lookup_name_ptr) {
-            pr_err_once("ERROR: kallsyms_lookup_name_kp.addr is null.");
-            return 0;
-        }
-    }
-
-    a = kallsyms_lookup_name_ptr(name);
-    return (void *)a;
-}
-
 typedef struct test_func_args {
     int return_code;
 } test_func_args;