1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
|
# libwolfssl Linux kernel module Makefile (wraps Kbuild-native makefile)
#
# Copyright (C) 2006-2025 wolfSSL Inc.
#
# This file is part of wolfSSL.
#
# wolfSSL is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# wolfSSL is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
.ONESHELL:
SHELL=bash
all: libwolfssl.ko libwolfssl.ko.signed
ifndef MODULE_TOP
MODULE_TOP=$(CURDIR)
endif
ifndef SRC_TOP
SRC_TOP=$(shell dirname $(MODULE_TOP))
endif
WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\""
ifdef KERNEL_EXTRA_CFLAGS
WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS)
endif
ifeq "$(FIPS_OPTEST)" "1"
WOLFSSL_CFLAGS += -DFIPS_OPTEST
endif
WOLFSSL_ASFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CCASFLAGS) $(CCASFLAGS)
WOLFSSL_OBJ_FILES=$(patsubst %.lo, %.o, $(patsubst src/src_libwolfssl_la-%, src/%, $(patsubst src/libwolfssl_la-%, src/%, $(patsubst wolfcrypt/src/src_libwolfssl_la-%, wolfcrypt/src/%, $(src_libwolfssl_la_OBJECTS)))))
ifeq "$(ENABLED_CRYPT_TESTS)" "yes"
WOLFSSL_OBJ_FILES+=wolfcrypt/test/test.o
else ifneq "$(ENABLED_LINUXKM_LKCAPI_REGISTER)" "none"
WOLFSSL_OBJ_FILES+=wolfcrypt/test/test.o
else
WOLFSSL_CFLAGS+=-DNO_CRYPT_TEST
endif
ifeq "$(ENABLED_KERNEL_BENCHMARKS)" "yes"
WOLFSSL_OBJ_FILES+=wolfcrypt/benchmark/benchmark.o
endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
WOLFCRYPT_PIE_FILES := \
$(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) \
linuxkm/pie_redirect_table.o \
linuxkm/wc_linuxkm_pie_reloc_tab.o
WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
endif
export WOLFSSL_CFLAGS WOLFSSL_ASFLAGS WOLFSSL_OBJ_FILES WOLFCRYPT_PIE_FILES
ifneq "$(host_triplet)" "$(build_triplet)"
CROSS_COMPILE := 'CROSS_COMPILE=$(host_triplet)-'
endif
OVERRIDE_PATHS :=
ifdef CC
ifneq "$(CC)" "cc"
OVERRIDE_PATHS := $(OVERRIDE_PATHS) 'CC=$(CC)'
endif
endif
ifdef AS
ifneq "$(AS)" "as"
OVERRIDE_PATHS := $(OVERRIDE_PATHS) 'AS=$(AS)'
endif
endif
ifdef LD
ifneq "$(LD)" "ld"
OVERRIDE_PATHS := $(OVERRIDE_PATHS) 'LD=$(LD)'
endif
endif
ifndef READELF
READELF := readelf
endif
ifndef AWK
AWK := awk
endif
ifndef TMPDIR
TMPDIR := /tmp
endif
ifndef MAKE_TMPDIR
MAKE_TMPDIR := $(TMPDIR)
endif
GENERATE_SECTION_MAP := $(AWK) 'BEGIN { printf("") >ENVIRON["SECTION_MAP"]; } \
{ \
if ($$7 !~ "^[0-9]+$$") \
next; \
if ($$4 == "SECTION") { \
sections[$$7] = $$8; \
next; \
} \
if (($$4 == "NOTYPE") || ($$4 == "OBJECT") || ($$4 == "FUNC")) { \
if (($$8 == "$$d") || ($$8 == "$$t")) \
next; \
if ($$7 in sections) { \
if (sections[$$7] ~ "_wolfcrypt$$") \
print $$8 "\t" sections[$$7] >>ENVIRON["SECTION_MAP"]; \
} else \
print $$8 " is in section " $$7 " with no name mapping." >"/dev/stderr";\
} \
}'
GENERATE_RELOC_TAB := $(AWK) ' \
BEGIN { \
n=0; \
bad_relocs=0; \
print "\#include <wolfssl/wolfcrypt/libwolfssl_sources.h>"; \
printf("%s\n ", \
"WOLFSSL_LOCAL const unsigned int wc_linuxkm_pie_reloc_tab[] = { "); \
if ("SECTION_MAP" in ENVIRON) { \
while (getline <ENVIRON["SECTION_MAP"] > 0) \
section_map[$$1] = $$2; \
close(ENVIRON["SECTION_MAP"]); \
} \
} \
/^Relocation section '\''\.rela?\.text_wolfcrypt'\''/ { \
p=1; \
next; \
} \
/^Relocation section/ { \
p=0; \
} \
/^0/ { \
if (p) { \
if ($$3 !~ "^(R_X86_64_PLT32|R_X86_64_PC32|R_AARCH64_.*|R_ARM.*)$$") { \
print "Unexpected relocation type:\n" $$0 >"/dev/stderr"; \
++bad_relocs; \
} \
if ($$5 in section_map) \
section = section_map[$$5]; \
else if ($$5 ~ "^\\.") \
section = $$5; \
else \
section = ""; \
if (section) { \
switch (section) { \
case ".text_wolfcrypt": \
section_tag = 0; \
break; \
case ".rodata_wolfcrypt": \
section_tag = 1; \
break; \
case ".data_wolfcrypt": \
section_tag = 2; \
break; \
case ".bss_wolfcrypt": \
section_tag = 3; \
break; \
default: \
print "Unexpected section:\n" $$0 >"/dev/stderr"; \
++bad_relocs; \
section_tag = 4; \
} \
} else { \
print "Unresolvable symbol reference for relocation:\n" $$0 >"/dev/stderr";\
++bad_relocs; \
section_tag = 4; \
} \
if (strtonum("0x" gensub("^0*","",1,$$1)) >= lshift(1, 29)) { \
print "Relocation offset overflow:" >"/dev/stderr"; \
print >"/dev/stderr"; \
exit(1); \
} \
printf("0x%xU%s", \
or(strtonum("0x" gensub("^0*","",1,$$1)), \
lshift(section_tag, 29)), \
((++n%8) ? ", " : ",\n ")); \
} \
} \
END { \
if (bad_relocs) { \
print "Found " bad_relocs " unresolvable relocations." >"/dev/stderr"; \
exit(1); \
} \
print "~0U };\nWOLFSSL_LOCAL const unsigned long wc_linuxkm_pie_reloc_tab_length = sizeof wc_linuxkm_pie_reloc_tab / sizeof wc_linuxkm_pie_reloc_tab[0];";\
}'
ifeq "$(V)" "1"
vflag := --verbose
endif
# This rule is .PHONY because it doesn't actually build the module -- Kbuild
# does, and we always need to call Kbuild to enforce rebuild for dependencies
# and config changes.
.PHONY: libwolfssl.ko
libwolfssl.ko:
@set -e
@[[ '$(V)' == 1 ]] && { echo 'MODULE_TOP = "$(MODULE_TOP)"';
echo 'SRC_TOP = "$(SRC_TOP)"';
echo 'AM_CPPFLAGS = "$(AM_CPPFLAGS)"';
echo 'CPPFLAGS = "$(CPPFLAGS)"';
echo 'AM_CFLAGS = "$(AM_CFLAGS)"';
echo 'CFLAGS = "$(CFLAGS)"';
echo 'KERNEL_EXTRA_CFLAGS = "$(KERNEL_EXTRA_CFLAGS)"';
echo 'FIPS_OPTEST = "$(FIPS_OPTEST)"';
echo 'AM_CCASFLAGS = "$(AM_CCASFLAGS)"';
echo 'CCASFLAGS = "$(CCASFLAGS)"';
echo 'src_libwolfssl_la_OBJECTS = "$(src_libwolfssl_la_OBJECTS)"';
echo 'ENABLED_CRYPT_TESTS = "$(ENABLED_CRYPT_TESTS)"';
echo 'ENABLED_LINUXKM_LKCAPI_REGISTER = "$(ENABLED_LINUXKM_LKCAPI_REGISTER)"';
echo 'ENABLED_LINUXKM_BENCHMARKS = "$(ENABLED_LINUXKM_BENCHMARKS)"';
echo 'ENABLED_LINUXKM_PIE = "$(ENABLED_LINUXKM_PIE)"';
echo 'host_triplet = "$(host_triplet)"';
echo 'build_triplet = "$(build_triplet)"';
echo 'CC = "$(CC)"';
echo 'AS = "$(AS)"';
echo 'LD = "$(LD)"';
echo 'READELF = "$(READELF)"';
echo 'AWK = "$(AWK)"';
echo 'TMPDIR = "$(TMPDIR)"';
echo 'MAKE_TMPDIR = "$(MAKE_TMPDIR)"';
echo 'KERNEL_ROOT = "$(KERNEL_ROOT)"';
echo 'obj = "$(obj)"';
echo 'RM = "$(RM)"';
echo 'KERNEL_ARCH = "$(KERNEL_ARCH)"';
echo 'FIPS_HASH = "$(FIPS_HASH)"';
echo 'MAKE = "$(MAKE)"';
echo 'ENABLED_ASM = "$(ENABLED_ASM)"';
echo 'CFLAGS_FPU_DISABLE = "$(CFLAGS_FPU_DISABLE)"';
echo 'CFLAGS_FPU_ENABLE = "$(CFLAGS_FPU_ENABLE)"';
echo 'CFLAGS_SIMD_DISABLE = "$(CFLAGS_SIMD_DISABLE)"';
echo 'CFLAGS_SIMD_ENABLE = "$(CFLAGS_SIMD_ENABLE)"';
echo 'CFLAGS_AUTO_VECTORIZE_DISABLE = "$(CFLAGS_AUTO_VECTORIZE_DISABLE)"';
echo 'CFLAGS_AUTO_VECTORIZE_ENABLE = "$(CFLAGS_AUTO_VECTORIZE_ENABLE)"';
echo 'ASFLAGS_FPU_DISABLE_SIMD_ENABLE = "$(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)"';
echo 'ASFLAGS_FPU_ENABLE_SIMD_DISABLE = "$(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)"';
echo 'ASFLAGS_FPUSIMD_DISABLE = "$(ASFLAGS_FPUSIMD_DISABLE)"';
echo 'ASFLAGS_FPUSIMD_ENABLE = "$(ASFLAGS_FPUSIMD_ENABLE)"'; }
@function resolved_link_is_equal() { [[ -L "$$1" && "$$(readlink -f "$$1")" == "$$(readlink -f "$$2")" ]]; }
@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
@if test -z '$(src_libwolfssl_la_OBJECTS)'; then echo '$$src_libwolfssl_la_OBJECTS is unset.' >&2; exit 1; fi
# after commit 9a0ebe5011 (6.10), sources must be in $(obj). work around this by making links to all needed sources:
@mkdir -p '$(MODULE_TOP)/linuxkm'
@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/module_hooks.c' '$(MODULE_TOP)/module_hooks.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber '$(MODULE_TOP)'/*.[ch] '$(MODULE_TOP)/linuxkm/'
@resolved_link_is_equal '$(MODULE_TOP)/wolfcrypt/src/wc_port.c' '$(SRC_TOP)/wolfcrypt/src/wc_port.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/wolfcrypt' '$(MODULE_TOP)/'
@resolved_link_is_equal '$(MODULE_TOP)/src/wolfio.c' '$(SRC_TOP)/src/wolfio.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/src' '$(MODULE_TOP)/'
ifeq "$(FIPS_OPTEST)" "1"
@resolved_link_is_equal '$(MODULE_TOP)/linuxkm/optest-140-3/linuxkm_optest_wrapper.c' '$(SRC_TOP)/../fips/optest-140-3/linuxkm_optest_wrapper.c' || cp $(vflag) --no-dereference --symbolic-link --no-clobber --recursive '$(SRC_TOP)/../fips/optest-140-3' '$(MODULE_TOP)/linuxkm/'
endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
@[[ -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' && ! -L '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' ]] || \
{ $(RM) -f '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' && $(GENERATE_RELOC_TAB) < /dev/null > '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'; }
@RELOC_TMP=$$(mktemp "$(MAKE_TMPDIR)/wc_linuxkm_pie_reloc_tab.c.XXXXXX")
@trap 'rm "$$RELOC_TMP"' EXIT
@if [[ -f "$@" ]]; then touch -r "$@" "$$RELOC_TMP"; fi
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
# if the above make didn't build a fresh libwolfssl.ko, then the module is already up to date and we leave it untouched, assuring stability for purposes of module-update-fips-hash.
@if [[ ! "$@" -nt "$$RELOC_TMP" ]]; then echo ' Module already up-to-date.'; exit 0; fi
@SECTION_MAP=$$(mktemp)
@trap 'rm "$$SECTION_MAP"' EXIT
@export SECTION_MAP
@$(READELF) --wide --symbols "$@" | $(GENERATE_SECTION_MAP)
@$(READELF) --wide --relocs "$@" | $(GENERATE_RELOC_TAB) >| '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
@$(READELF) --wide --relocs "$@" | $(GENERATE_RELOC_TAB) >| "$$RELOC_TMP"
@if diff '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c' "$$RELOC_TMP"; then echo " Relocation table is stable."; else echo "PIE failed: relocation table is unstable." 1>&2; exit 1; fi
else
+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS)
endif
.PHONY: module-update-fips-hash
module-update-fips-hash: libwolfssl.ko
@set -e
@if test -z '$(FIPS_HASH)'; then echo ' $$FIPS_HASH is unset' >&2; exit 1; fi
@if [[ ! '$(FIPS_HASH)' =~ [0-9a-fA-F]{64} ]]; then echo ' $$FIPS_HASH is malformed' >&2; exit 1; fi
@readarray -t rodata_segment < <($(READELF) --wide --sections "$<" | \
sed -E -n 's/^[[:space:]]*\[[[:space:]]*([0-9]+)\][[:space:]]+\.rodata_wolfcrypt[[:space:]]+PROGBITS[[:space:]]+[0-9a-fA-F]+[[:space:]]+([0-9a-fA-F]+)[[:space:]].*$$/\1\n\2/p'); \
if [[ $${#rodata_segment[@]} != 2 ]]; then echo ' unexpected rodata_segment.' >&2; exit 1; fi; \
readarray -t verifyCore_attrs < <($(READELF) --wide --symbols "$<" | \
sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
if [[ $${#verifyCore_attrs[@]} != 2 ]]; then echo ' unexpected verifyCore_attrs.' >&2; exit 1; fi; \
if [[ "$${verifyCore_attrs[1]}" != "65" ]]; then echo " verifyCore has unexpected length $${verifyCore_attrs[1]}." >&2; exit 1; fi; \
verifyCore_offset=$$((0x$${rodata_segment[1]} + 0x$${verifyCore_attrs[0]})); \
current_verifyCore=$$(dd bs=1 if="$<" skip=$$verifyCore_offset count=64 status=none); \
if [[ ! "$$current_verifyCore" =~ [0-9a-fA-F]{64} ]]; then echo " verifyCore at offset $$verifyCore_offset has unexpected value." >&2; exit 1; fi; \
if [[ '$(FIPS_HASH)' == "$$current_verifyCore" ]]; then echo ' Supplied FIPS_HASH matches existing verifyCore -- no update needed.'; exit 0; fi; \
echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of="$<" seek=$$verifyCore_offset count=64 status=none && \
echo " FIPS verifyCore updated successfully." && \
if [[ -f libwolfssl.ko.signed ]]; then $(MAKE) -C . libwolfssl.ko.signed; fi
libwolfssl.ko.signed: libwolfssl.ko
ifdef FORCE_NO_MODULE_SIG
@echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.'
else
@set -e
@cd '$(KERNEL_ROOT)'
while read configline; do
case "$$configline" in
CONFIG_MODULE_SIG*=*)
declare "$${configline%=*}"="$${configline#*=}"
;;
esac
done < .config
if [[ "$${CONFIG_MODULE_SIG}" = "y" && -n "$${CONFIG_MODULE_SIG_KEY}" && \
-n "$${CONFIG_MODULE_SIG_HASH}" && ( ! -f '$(MODULE_TOP)/$@' || \
'$(MODULE_TOP)/$<' -nt '$(MODULE_TOP)/$@' ) ]]; then
CONFIG_MODULE_SIG_KEY="$${CONFIG_MODULE_SIG_KEY#\"}"
CONFIG_MODULE_SIG_KEY="$${CONFIG_MODULE_SIG_KEY%\"}"
CONFIG_MODULE_SIG_HASH="$${CONFIG_MODULE_SIG_HASH#\"}"
CONFIG_MODULE_SIG_HASH="$${CONFIG_MODULE_SIG_HASH%\"}"
cp -p '$(MODULE_TOP)/$<' '$(MODULE_TOP)/$@' || exit $$?
./scripts/sign-file "$${CONFIG_MODULE_SIG_HASH}" \
"$${CONFIG_MODULE_SIG_KEY}" \
"$${CONFIG_MODULE_SIG_KEY/%.pem/.x509}" \
'$(MODULE_TOP)/$@'
sign_file_exitval=$$?
if [[ $$sign_file_exitval != 0 ]]; then
$(RM) -f '$(MODULE_TOP)/$@'
exit $$sign_file_exitval
fi
if [[ "$(quiet)" != "silent_" ]]; then
echo " Module $@ signed by $${CONFIG_MODULE_SIG_KEY}."
fi
fi
endif
.PHONY: install modules_install
install modules_install:
+$(MAKE) -C $(KERNEL_ROOT) M=$(MODULE_TOP) src=$(SRC_TOP) INSTALL_MOD_DIR=wolfssl modules_install
.PHONY: clean
# note, must supply $(MODULE_TOP) as the src value for clean so that Kbuild is included, else
# the top Makefile (which is not for the kernel build) would be included here.
clean:
+$(MAKE) -C $(KERNEL_ROOT) M=$(MODULE_TOP) src=$(MODULE_TOP) clean
$(RM) -rf '$(MODULE_TOP)/linuxkm'
$(RM) -rf '$(MODULE_TOP)/wolfcrypt'
$(RM) -rf '$(MODULE_TOP)/src'
.PHONY: check
check:
.PHONY: distclean
distclean: clean
.PHONY: dist
dist:
.PHONY: distdir
distdir:
|
