Hey @douzzer, Nice work on the offline FIPS hash PR! A few docs suggestions: README update -- A section in linuxkm/README.md about the offline hash workflow and the new make targets (module-with-matching-fips-hash, etc.) would help discoverability.
Pull request overview
Implements an offline workflow to compute and graft the Linux kernel module FIPS integrity hash (including relocation normalization support), and refactors relocation/FIPS-hash logic into shared linuxkm memory utilities to support both in-kernel and offline calculation.
Changes:
- Add `linuxkm-fips-hash` host tool + wrapper script to compute/update `verifyCore` in a `.ko` without loading it.
- Refactor relocation normalization and FIPS hash generation helpers into `linuxkm_memory.[ch]`, and wire them into the module.
- Update build/config glue for linuxkm (new targets, module name override support, KASAN/stack debug hooks, and kernel-mode config tweaks).
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/settings.h | Kernel-mode alignment floor; ensure Base16 enabled for dynamic FIPS hash output. |
| wolfssl/wolfcrypt/memory.h | Include new linuxkm memory header when linuxkm/reloc-table features are enabled. |
| wolfcrypt/src/memory.c | Include linuxkm memory implementation when linuxkm/reloc-table features are enabled. |
| wolfcrypt/benchmark/benchmark.c | Fix comment typo; hard-stop scrypt benchmark in kernel mode. |
| linuxkm/module_hooks.c | Integrate new relocation/FIPS hash helpers; add stack debug instrumentation; add KASAN hooks in redirect table. |
| linuxkm/linuxkm_wc_port.h | Add stack debug helpers and KASAN indirections; adjust ARM64 LSE atomics disable placement. |
| linuxkm/linuxkm_memory.h | New shared declarations for relocation-table parsing and FIPS hash generation. |
| linuxkm/linuxkm_memory.c | New shared implementation for relocation normalization and generic FIPS HMAC hashing over fenced segments. |
| linuxkm/linuxkm-fips-hash.c | New host-side tool to compute/update verifyCore in-place for a module file. |
| linuxkm/linuxkm-fips-hash-wrapper.sh | New wrapper to extract fenceposts via readelf and invoke the host tool. |
| linuxkm/include.am | Distribute new linuxkm host tool and memory header in autotools packaging. |
| linuxkm/Makefile | Add userland lib build + offline hash targets; update reloc-table generator for new struct fields; support alternate module name. |
| linuxkm/Kbuild | Support alternate module object name; allow custom export namespace and optional export suppression. |
| configure.ac | Export FIPS_FLAVOR; avoid enabling scrypt under kernel-mode defaults unless explicitly requested. |
| Makefile.am | Export FIPS_FLAVOR; add linuxkm targets for offline hash workflow. |
| .wolfssl_known_macro_extras | Update known macros for new linuxkm/kernel config flags and dynamic hash support macro. |
| .gitignore | Ignore new linuxkm user-build directory and host tool binary. |
Comments suppressed due to low confidence (1)
Makefile.am:233
- The top-level `module` target still hard-codes `libwolfssl.ko`. With the new `LIBWOLFSSL_NAME` support in linuxkm/Makefile and linuxkm/Kbuild, this target won't work when `LIBWOLFSSL_NAME` is overridden. Consider calling `$(MAKE) -C linuxkm $(LIBWOLFSSL_NAME).ko` (and ensuring the variable is forwarded) or using the linuxkm `all` target.
module:
+$(MAKE) -C linuxkm libwolfssl.ko
philljj
left a comment
Looks really cool!
First review pass: just some suggestions to manage complexity.
b4b2b34 to bc665a8
Did that -- README.md greatly improved.
Realistically nobody should be using that tool separate from the wrapper script. Far too fidgety. I added a comment pointing readers at the wrapper script.
We want these to remain undocumented. We should probably have a different attribute label for functions like this that we use internally in our tools, but that we don't support externally or keep stable. I'll think about it but don't let that hold up merge -- lack of documentation is enough documentation for now :-)
That's a |
Add:
* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
configure.ac: add --enable-kernel-verbose-debug and --enable-kernel-stack-debug;

linuxkm/Makefile:
* add QFLAG and VFLAG setup, and pass their values appropriately;
* add missing `@set -e` and `-Wall -Wextra` to the linuxkm-fips-hash recipe;
* use +$(MAKE), not @$(MAKE), for proper dry run recursion.

linuxkm/README.md: update to reflect new goodies, and generally revise+extend remarks.

linuxkm/linuxkm-fips-hash-wrapper.sh: add copyright header; pass through extra caller arguments to ./linuxkm-fips-hash.

linuxkm/linuxkm-fips-hash.c:
* add copyright header;
* fix code around user_coreKey;
* add explicit wolfCrypt_Cleanup() and cleanup of mod_fd and mod_map at end;
* remove unused reloc_tab_len
* fix a couple -Wsign-compares;
* add missing fprintf arguments
* properly set ret = -1 in a couple failure paths.

linuxkm/linuxkm_wc_port.h: set WOLFSSL_LINUXKM_VERBOSE_DEBUG when WOLFSSL_KERNEL_VERBOSE_DEBUG, and recognize WOLFSSL_KERNEL_STACK_DEBUG as a synonym for WC_LINUXKM_STACK_DEBUG.

linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: add brief explanatory comments.
.wolfssl_known_macro_extras: fix lexical order.
…review:
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();
linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;
wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
bc665a8 to 70aa3dc
…STDRNG_DRIVER to advertise the seed source.
linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: set up and use WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ.
Implement Linux kernel module FIPS integrity hash offline calculation:
Add:
* `linuxkm/linuxkm-fips-hash.c`
* `linuxkm/linuxkm-fips-hash-wrapper.sh`
* `linuxkm/linuxkm_memory.h`

Move from `linuxkm/module_hooks.c` to `linuxkm/linuxkm_memory.c`:
* `reloc_layouts[]`
* `find_reloc_tab_offset()`
* the body of `wc_linuxkm_normalize_relocations()` as `wc_reloc_normalize_text()`
* most of `updateFipsHash()` as `wc_fips_generate_hash()`

Move from `linuxkm/linuxkm_wc_port.h` to `linuxkm/linuxkm_memory.h`:
* `struct wc_linuxkm_pie_reloc_tab_ent`
* `enum wc_reloc_dest_segment`
* `enum wc_reloc_type`

`linuxkm/Makefile`:
* Update `GENERATE_RELOC_TAB` recipe to populate new fields in `struct wc_reloc_table_ent`.
* Add targets:
  * `libwolfssl-user-build/src/.libs/libwolfssl.so`
  * `linuxkm-fips-hash`
  * `module-with-matching-fips-hash`
  * `module-with-matching-fips-hash-no-sign`
* Add support for alternate target module name, via `LIBWOLFSSL_NAME` make variable.

`linuxkm/linuxkm_wc_port.h` and `linuxkm/module_hooks.c`:
* Fixes to make linuxkm-pie work with `CONFIG_KASAN`.
* Implement `WC_LINUXKM_STACK_DEBUG`:
  * `wc_linuxkm_stack_bottom()`
  * `wc_linuxkm_stack_top()`
  * `wc_linuxkm_stack_current()`
  * `wc_linuxkm_stack_left()`
  * `wc_linuxkm_stack_hwm_prepare()`
  * `wc_linuxkm_stack_hwm_measure_rel()`
  * `wc_linuxkm_stack_hwm_measure_total()`

`wolfssl/wolfcrypt/settings.h`:
* When `WOLFSSL_KERNEL_MODE`, make sure `WOLFSSL_GENERAL_ALIGNMENT` is at least `SIZEOF_LONG`.
* When `WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE`, make sure `WOLFSSL_BASE16` is defined.

`configure.ac` and `wolfcrypt/benchmark/benchmark.c`: Disable scrypt when `KERNEL_MODE_DEFAULTS`, due to excessive memory requirements.

tested with

with tweaks to `wolfssl-multi-test.sh` to exercise and verify offline hash calculation by default in FIPS `do_linuxkm_scenario_load_with_self_test()` scenarios, and in the FIPS aarch64 linuxkm scenarios.