|
| 1 | +# Linux kernel-native Makefile ("Kbuild") for wolfentropy.ko |
| 2 | +# |
| 3 | +# Builds the minimal wolfEntropy SP 800-90B entropy source kernel module. |
| 4 | +# Exports only wc_Entropy_Get(), wc_Entropy_GetRawEntropy(), and |
| 5 | +# wc_Entropy_OnDemandTest() -- no other wolfSSL symbols -- so it can be |
| 6 | +# loaded as an ESV-validated entropy source alongside a separately-built |
| 7 | +# FIPS libwolfssl.ko. |
| 8 | +# |
| 9 | +# Build flow: |
| 10 | +# ./configure --enable-linuxkm --enable-wolfentropy [KERNEL_ROOT=...] |
| 11 | +# make wolfentropy # produces wolfentropy.ko |
| 12 | +# |
| 13 | +# Usage at runtime: |
| 14 | +# modprobe wolfentropy # must load before libwolfssl.ko |
| 15 | +# modprobe libwolfssl |
| 16 | +# |
| 17 | +# When libwolfssl.ko is built with WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER |
| 18 | +# (auto-set by linuxkm_wc_port.h when HAVE_FIPS + HAVE_ENTROPY_MEMUSE are |
| 19 | +# both present, or manually via KERNEL_EXTRA_CFLAGS), its module_init |
| 20 | +# registers wc_linuxkm_GenerateSeed_wolfEntropy as the DRBG seed callback. |
| 21 | +# That function calls wc_Entropy_Get(), exported from this module. |
| 22 | +# The kernel's module dependency resolution enforces load order automatically |
| 23 | +# because libwolfssl.ko has an unresolved reference to wc_Entropy_Get. |
| 24 | +# |
| 25 | +# Note for ARM platforms: if sha3_asm.S acceleration is enabled |
| 26 | +# (WOLFSSL_ARMASM / WOLFSSL_SP_ARM64_ASM), add |
| 27 | +# wolfcrypt/src/sha3_asm.o to WOLFENTROPY_OBJ_FILES. |
| 28 | +# |
| 29 | +# Copyright (C) 2006-2026 wolfSSL Inc. |
| 30 | +# |
| 31 | +# This file is part of wolfSSL. |
| 32 | +# |
| 33 | +# wolfSSL is free software; you can redistribute it and/or modify |
| 34 | +# it under the terms of the GNU General Public License as published by |
| 35 | +# the Free Software Foundation; either version 3 of the License, or |
| 36 | +# (at your option) any later version. |
| 37 | +# |
| 38 | +# wolfSSL is distributed in the hope that it will be useful, |
| 39 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 40 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 41 | +# GNU General Public License for more details. |
| 42 | +# |
| 43 | +# You should have received a copy of the GNU General Public License |
| 44 | +# along with this program; if not, write to the Free Software |
| 45 | +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| 46 | + |
| 47 | +.ONESHELL: |
| 48 | +SHELL=bash |
| 49 | + |
| 50 | +ifeq "$(KERNEL_ARCH)" "x86" |
| 51 | + KERNEL_ARCH_X86 := yes |
| 52 | +else ifeq "$(KERNEL_ARCH)" "x86_64" |
| 53 | + KERNEL_ARCH_X86 := yes |
| 54 | +else |
| 55 | + KERNEL_ARCH_X86 := no |
| 56 | +endif |
| 57 | + |
| 58 | +ifeq "$(WOLFENTROPY_OBJ_FILES)" "" |
| 59 | + $(error $$WOLFENTROPY_OBJ_FILES is unset.) |
| 60 | +endif |
| 61 | + |
| 62 | +ifeq "$(WOLFENTROPY_CFLAGS)" "" |
| 63 | + $(error $$WOLFENTROPY_CFLAGS is unset.) |
| 64 | +endif |
| 65 | + |
| 66 | +override WOLFENTROPY_CFLAGS += -ffreestanding -Wframe-larger-than=$(MAX_STACK_FRAME_SIZE) \ |
| 67 | + -isystem $(shell $(CC) -print-file-name=include) |
| 68 | + |
| 69 | +AARCH64_NO_OUTLINE_ATOMICS := $(shell { echo -e 'int f(void) {\n return 0;\n}\n' | \ |
| 70 | + $(CC) -mno-outline-atomics -x c -c - -o /dev/null 2>/dev/null; } && \ |
| 71 | + echo -mno-outline-atomics) |
| 72 | + |
| 73 | +ifeq "$(KERNEL_ARCH)" "aarch64" |
| 74 | + override WOLFENTROPY_CFLAGS += $(AARCH64_NO_OUTLINE_ATOMICS) |
| 75 | +else ifeq "$(KERNEL_ARCH)" "arm64" |
| 76 | + override WOLFENTROPY_CFLAGS += $(AARCH64_NO_OUTLINE_ATOMICS) |
| 77 | +else ifeq "$(KERNEL_ARCH)" "arm" |
| 78 | + override WOLFENTROPY_CFLAGS += -fno-optimize-sibling-calls -Os |
| 79 | +endif |
| 80 | + |
| 81 | +obj-m := wolfentropy.o |
| 82 | + |
| 83 | +WOLFENTROPY_OBJ_TARGETS := $(patsubst %, $(obj)/%, $(WOLFENTROPY_OBJ_FILES)) |
| 84 | + |
| 85 | +# Stack-size detection: use the same host program as the main module build. |
| 86 | +ifndef KERNEL_THREAD_STACK_SIZE |
| 87 | + hostprogs := linuxkm/get_thread_size |
| 88 | + always-y := $(hostprogs) |
| 89 | +endif |
| 90 | + |
| 91 | +HOST_EXTRACFLAGS += $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(KBUILD_CFLAGS) -static \ |
| 92 | + -fno-omit-frame-pointer |
| 93 | + |
| 94 | +ifeq "$(KERNEL_ARCH_X86)" "yes" |
| 95 | + HOST_EXTRACFLAGS += -mindirect-branch=keep -mfunction-return=keep |
| 96 | +endif |
| 97 | + |
| 98 | +$(obj)/linuxkm/get_thread_size: $(src)/linuxkm/get_thread_size.c |
| 99 | + |
| 100 | +ifndef KERNEL_THREAD_STACK_SIZE |
| 101 | + $(WOLFENTROPY_OBJ_TARGETS): | $(obj)/linuxkm/get_thread_size |
| 102 | + KERNEL_THREAD_STACK_SIZE=$(shell \ |
| 103 | + test -x $(obj)/linuxkm/get_thread_size && \ |
| 104 | + $(obj)/linuxkm/get_thread_size || echo 16384) |
| 105 | +endif |
| 106 | +MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4))) |
| 107 | + |
| 108 | +wolfentropy-y := $(WOLFENTROPY_OBJ_FILES) \ |
| 109 | + linuxkm/module_hooks_entropy.o \ |
| 110 | + linuxkm/module_exports_entropy.o |
| 111 | + |
| 112 | +# module_exports_entropy.c is a static file (not auto-generated from |
| 113 | +# readelf output). It exports only the three public wc_Entropy_* symbols. |
| 114 | +# All other symbols compiled into wolfentropy.ko remain unexported and |
| 115 | +# therefore private to this module, avoiding collisions with libwolfssl.ko. |
| 116 | + |
| 117 | +ccflags-y = $(WOLFENTROPY_CFLAGS) |
| 118 | +asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPUSIMD_DISABLE) |
| 119 | + |
| 120 | +# Compile SHA3 without SIMD to keep the entropy conditioning path |
| 121 | +# free of vector-register save/restore overhead in the seed callback. |
| 122 | +$(obj)/wolfcrypt/src/sha3.o: ccflags-y := \ |
| 123 | + $(WOLFENTROPY_CFLAGS) $(CFLAGS_SIMD_DISABLE) $(CFLAGS_FPU_DISABLE) |
| 124 | + |
| 125 | +ifdef KERNEL_EXTRA_CFLAGS_REMOVE |
| 126 | + ccflags-remove-y += $(KERNEL_EXTRA_CFLAGS_REMOVE) |
| 127 | +endif |
| 128 | + |
| 129 | +clean-files := linuxkm wolfcrypt |
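Review bot: The target-specific assignment for `$(obj)/wolfcrypt/src/sha3.o` uses `:=`, so `$(WOLFENTROPY_CFLAGS)` is expanded while this file is being parsed, whereas the module-wide `ccflags-y = $(WOLFENTROPY_CFLAGS)` is expanded only when each recipe runs. If WOLFENTROPY_CFLAGS arrives as a recursive variable (its definition is outside this file), the `-Wframe-larger-than=$(MAX_STACK_FRAME_SIZE)` it carries is computed for sha3.o before `linuxkm/get_thread_size` exists on a clean tree, and the `|| echo 16384` fallback silently supplies the size. sha3.o would then be checked against a 4096-byte frame limit whatever the kernel's real thread stack size is, which weakens the stack-overflow guard on kernels with a smaller stack. Using `$(obj)/wolfcrypt/src/sha3.o: ccflags-y = \` would keep the expansion deferred like the module-wide assignment; a `$(warning ...)` when the fallback is taken would also make that case visible.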