add wolfentropy.ko build — SP 800-90B entropy source kernel module #10144

Open
lealem47 wants to merge 6 commits into wolfSSL:master from lealem47:standalone_wolfentropy_ko

@lealem47 lealem47 commented Apr 7, 2026

Summary

Adds build infrastructure and runtime glue for wolfentropy.ko, a minimal Linux kernel module that provides an SP 800-90B entropy source separate from the FIPS boundary.

New: wolfentropy.ko build target

  • linuxkm/Kbuild.entropy — dedicated Kbuild for the wolfentropy module. Uses override += for WOLFENTROPY_CFLAGS (a command-line variable), filters -pg from HOST_EXTRACFLAGS and passes CC_FLAGS_FTRACE= to suppress profiling
    flags that would cause _mcleanup: gmon.out: Permission denied from the get_thread_size host program.
  • linuxkm/Makefile — adds wolfentropy / wolfentropy-clean targets. The build symlinks source into $(MODULE_TOP)/wolfentropy/ and invokes the kernel build against Kbuild.entropy. WOLFENTROPY_OBJ_FILES pulls in random.o,
    sha256.o, sha3.o, wc_port.o, memory.o, logging.o, and linuxkm_memory.o. WOLFENTROPY_LINUXKM_USE_MUTEXES is set to bypass PIE redirect table mutex.
  • Makefile.am / configure.ac — expose wolfentropy / wolfentropy-clean targets at the top-level automake level, guarded by new BUILD_WOLFENTROPY_KO conditional (enabled when --enable-linuxkm + entropy memuse are both
    active).
  • linuxkm/module_exports_entropy.c — static export file; exports only wc_Entropy_Get, wc_Entropy_GetRawEntropy, and wc_Entropy_OnDemandTest under the WOLFSSL symbol namespace. All other symbols compiled into wolfentropy.ko
    remain unexported, preventing collisions with libwolfssl.ko.
  • linuxkm/module_hooks_entropy.c — module init/exit for wolfentropy.ko. Includes no-op wc_ecc_fp_init / wc_ecc_fp_free stubs (needed because wc_port.c references them via dead wolfCrypt_Init code).
  • linuxkm/Kbuild — adds AWK exclusion for the three wc_Entropy_* symbols in the auto-export generator, preventing duplicate EXPORT_SYMBOL_NS_GPL when wolfentropy.ko symbols are visible to libwolfssl.ko's build.
  • linuxkm/include.am — adds all new files to EXTRA_DIST.

Updated: libwolfssl.ko glue for external entropy

When libwolfssl.ko is built with -DWC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER:

  • linuxkm/module_hooks.c — adds wc_linuxkm_GenerateSeed_wolfEntropy, which calls wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz). When built without --enable-wolfentropy (module trees where wolfentropy is a separate module), wc_Entropy_Get is declared __attribute__((weak)) at file scope so modpost does not error on the unresolved symbol; a NULL check returns -ENODEV with a clear message if wolfentropy.ko was not loaded.
  • Adds MODULE_SOFTDEP("pre: wolfentropy") and MODULE_IMPORT_NS (quoted string for kernel ≥ 6.13, unquoted for 5.4–6.12) after MODULE_VERSION.

Usage

Build entropy module

./configure --enable-linuxkm --enable-wolfentropy --with-linux-src=...
make wolfentropy # produces wolfentropy.ko

Build kernel module linked to external entropy kernel module

./configure --enable-linuxkm --with-linux-src=...
make

Runtime (order enforced by MODULE_SOFTDEP)

modprobe wolfentropy
modprobe libwolfssl

To replicate previous behavior, with libwolfssl.ko housing both the crypto and entropy

./configure --enable-linuxkm --enable-wolfentropy --with-linux-src=...
make

Testing

Tested on customers kernel module

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation
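
The weak-symbol fallback described above for linuxkm/module_hooks.c, as a userspace C sketch (an added example, not code from this PR or from wolfSSL). The wc_Entropy_Get prototype, the MAX_ENTROPY_BITS value, and the helper names seed_from, generate_seed_external and stub_entropy_get are assumptions; it relies on GCC/Clang weak-symbol support on an ELF target.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTROPY_BITS 256 /* assumed value for this sketch */

/* Weak declaration: if nothing defines the symbol, its address is NULL at
 * run time instead of an unresolved-symbol error at link time.
 * Prototype is assumed from the call described in the PR. */
extern int wc_Entropy_Get(int bits, unsigned char *out, unsigned int sz)
    __attribute__((weak));

typedef int (*entropy_fn)(int bits, unsigned char *out, unsigned int sz);

/* Hypothetical helper: seed from a provider, failing closed on any problem. */
static int seed_from(entropy_fn get, unsigned char *out, unsigned int sz)
{
    int ret;
    if (out == NULL || sz == 0)
        return -EINVAL;
    if (get == NULL)            /* provider module not loaded */
        return -ENODEV;
    ret = get(MAX_ENTROPY_BITS, out, sz);
    if (ret != 0)
        memset(out, 0, sz);     /* never hand back a partial seed */
    return ret;
}

/* Hypothetical stand-in for wc_linuxkm_GenerateSeed_wolfEntropy. */
int generate_seed_external(unsigned char *out, unsigned int sz)
{
    return seed_from(wc_Entropy_Get, out, sz);
}

/* Constructed stub provider, used only to exercise the success path. */
static int stub_entropy_get(int bits, unsigned char *out, unsigned int sz)
{
    (void)bits;
    memset(out, 0xA5, sz);
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    printf("no provider:   %d\n", generate_seed_external(seed, sizeof seed));
    printf("stub provider: %d\n", seed_from(stub_entropy_get, seed, sizeof seed));
    return 0;
}
```

Because nothing in this file defines wc_Entropy_Get, the first call takes the -ENODEV path and leaves the caller's buffer untouched, which is the behaviour a DRBG seeding path needs when its entropy source is absent.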

@lealem47 lealem47 self-assigned this Apr 7, 2026
Copilot AI review requested due to automatic review settings April 7, 2026 02:27

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds build wiring and runtime glue to support building wolfentropy.ko (an SP 800-90B entropy source kernel module) separately from libwolfssl.ko, including symbol export/import handling and updated configuration/build targets.

Changes:

  • Introduces wolfentropy.ko build/clean targets and packaging of additional linuxkm build files.
  • Adds libwolfssl.ko glue to consume wc_Entropy_Get() from an external module (softdep + import namespace + weak symbol fallback).
  • Updates build/config conditionals and related scripts to reflect new wolfEntropy build modes.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

| File | Description |
|---|---|
| tests/api/test_random.c | Adjusts test preprocessor condition when entropy memuse is involved |
| src/include.am | Switches wolfentropy source inclusion to new BUILD_WOLFENTROPY_C conditional |
| linuxkm/module_hooks.c | Adds external-entropy seed generator + soft dependency and import namespace |
| linuxkm/include.am | Adds new linuxkm entropy build/export/hook files to EXTRA_DIST |
| linuxkm/Makefile | Adds wolfentropy.ko build/clean targets and integrates into clean |
| linuxkm/Kbuild | Excludes wc_Entropy_* symbols from auto-export generation to avoid duplicates |
| fips-check.sh | Updates wolfentropy option set and tag-gathering logic when no FIPS files are listed |
| configure.ac | Changes wolfEntropy defaults/flags and adds new automake conditionals |
| Makefile.am | Exposes top-level wolfentropy/wolfentropy-clean targets under a conditional |

Comment thread tests/api/test_random.c Outdated
Comment thread linuxkm/Makefile
Comment thread linuxkm/Makefile
Comment thread linuxkm/Makefile
Comment thread linuxkm/module_hooks.c
Comment thread configure.ac
Comment thread fips-check.sh Outdated
@lealem47 lealem47 assigned douzzer and unassigned lealem47 Apr 10, 2026

@douzzer douzzer left a comment

The parts of this PR that do what the title says -- "add wolfentropy.ko build" -- LGTM, pending some deeper testing.

However, the ungated breaking changes to the existing linuxkm/Kbuild, linuxkm/module_hooks.c, src/include.am, tests/api/test_random.c, and configure.ac, need to be refactored to not break existing users, i.e. to be purely additive, preserving existing defaults and naming. The new alternative added here, gating out the in-tree WolfEntropy (thereby building a non-free-standing libwolfssl.ko), needs to pivot on newly added option names, macro gates, and Makefile gates.

@douzzer douzzer assigned lealem47 and unassigned douzzer Apr 10, 2026