add wolfentropy.ko build — SP 800-90B entropy source kernel module#10144
add wolfentropy.ko build — SP 800-90B entropy source kernel module#10144lealem47 wants to merge 4 commits intowolfSSL:masterfrom
Conversation
…Entropy* randomness source
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds build wiring and runtime glue to support building wolfentropy.ko (an SP 800-90B entropy source kernel module) separately from libwolfssl.ko, including symbol export/import handling and updated configuration/build targets.
Changes:
- Introduces
wolfentropy.kobuild/clean targets and packaging of additional linuxkm build files. - Adds
libwolfssl.koglue to consumewc_Entropy_Get()from an external module (softdep + import namespace + weak symbol fallback). - Updates build/config conditionals and related scripts to reflect new wolfEntropy build modes.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/api/test_random.c | Adjusts test preprocessor condition when entropy memuse is involved |
| src/include.am | Switches wolfentropy source inclusion to new BUILD_WOLFENTROPY_C conditional |
| linuxkm/module_hooks.c | Adds external-entropy seed generator + soft dependency and import namespace |
| linuxkm/include.am | Adds new linuxkm entropy build/export/hook files to EXTRA_DIST |
| linuxkm/Makefile | Adds wolfentropy.ko build/clean targets and integrates into clean |
| linuxkm/Kbuild | Excludes wc_Entropy_* symbols from auto-export generation to avoid duplicates |
| fips-check.sh | Updates wolfentropy option set and tag-gathering logic when no FIPS files are listed |
| configure.ac | Changes wolfEntropy defaults/flags and adds new automake conditionals |
| Makefile.am | Exposes top-level wolfentropy/wolfentropy-clean targets under a conditional |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| #if !defined(HAVE_ENTROPY_MEMUSE) && !defined(HAVE_FIPS) || \ | ||
| ( defined(HAVE_FIPS) && FIPS_VERSION3_GE(7,0,0) ) |
There was a problem hiding this comment.
This #if mixes && and || without parentheses, which changes semantics (e.g., when HAVE_ENTROPY_MEMUSE is defined and HAVE_FIPS is not). Please add explicit parentheses (or split into #if/#elif) to ensure the intended logic is unambiguous and stable across configurations.
| #if !defined(HAVE_ENTROPY_MEMUSE) && !defined(HAVE_FIPS) || \ | |
| ( defined(HAVE_FIPS) && FIPS_VERSION3_GE(7,0,0) ) | |
| #if ((!defined(HAVE_ENTROPY_MEMUSE) && !defined(HAVE_FIPS)) || \ | |
| (defined(HAVE_FIPS) && FIPS_VERSION3_GE(7,0,0))) |
| wolfentropy: wolfentropy.ko | ||
|
|
||
| wolfentropy.ko: | ||
| @set -e |
There was a problem hiding this comment.
This recipe relies on Bash-specific syntax (function, [[ ... ]]) and also appears to rely on shell state persisting across separate recipe lines (the function definition on one line and its use on the next). In default make behavior, each recipe line runs in a separate /bin/sh instance, so the function won’t exist and set -e won’t apply, causing the build to fail on many systems. Suggested fix: either (1) ensure the whole recipe runs in a single shell (e.g., .ONESHELL: for this target/file or line-continuations with ; \\), and (2) either set SHELL := /bin/bash explicitly or rewrite to POSIX-sh-compatible syntax.
| @function resolved_link_is_equal() { [[ -L "$$1" && "$$(readlink -f "$$1")" == "$$(readlink -f "$$2")" ]]; } | ||
| @resolved_link_is_equal \ | ||
| '$(WOLFENTROPY_MODULE_TOP)/linuxkm/module_hooks_entropy.c' \ | ||
| '$(MODULE_TOP)/module_hooks_entropy.c' || \ | ||
| cp $(vflag) --no-dereference --symbolic-link --no-clobber \ |
There was a problem hiding this comment.
This recipe relies on Bash-specific syntax (function, [[ ... ]]) and also appears to rely on shell state persisting across separate recipe lines (the function definition on one line and its use on the next). In default make behavior, each recipe line runs in a separate /bin/sh instance, so the function won’t exist and set -e won’t apply, causing the build to fail on many systems. Suggested fix: either (1) ensure the whole recipe runs in a single shell (e.g., .ONESHELL: for this target/file or line-continuations with ; \\), and (2) either set SHELL := /bin/bash explicitly or rewrite to POSIX-sh-compatible syntax.
| @resolved_link_is_equal \ | ||
| '$(WOLFENTROPY_MODULE_TOP)/wolfcrypt/src/random.c' \ | ||
| '$(SRC_TOP)/wolfcrypt/src/random.c' || \ | ||
| cp $(vflag) --no-dereference --symbolic-link --no-clobber \ |
There was a problem hiding this comment.
This recipe relies on Bash-specific syntax (function, [[ ... ]]) and also appears to rely on shell state persisting across separate recipe lines (the function definition on one line and its use on the next). In default make behavior, each recipe line runs in a separate /bin/sh instance, so the function won’t exist and set -e won’t apply, causing the build to fail on many systems. Suggested fix: either (1) ensure the whole recipe runs in a single shell (e.g., .ONESHELL: for this target/file or line-continuations with ; \\), and (2) either set SHELL := /bin/bash explicitly or rewrite to POSIX-sh-compatible syntax.
| * wc_Entropy_Get and MAX_ENTROPY_BITS are not declared via the normal header | ||
| * chain. Provide the declarations here at file scope so the compiler sees | ||
| * them before the call below. | ||
| */ | ||
| #ifndef HAVE_ENTROPY_MEMUSE | ||
| #ifndef MAX_ENTROPY_BITS | ||
| #define MAX_ENTROPY_BITS 256 | ||
| #endif |
There was a problem hiding this comment.
Hard-coding MAX_ENTROPY_BITS to 256 in the glue layer risks drifting from the actual wolfEntropy implementation (and makes it harder to reason about correctness if the limit changes upstream). Prefer pulling the constant from a shared header that’s available in this build mode, or otherwise centralizing the definition so both wolfentropy.ko and the glue layer share the same value.
| * wc_Entropy_Get and MAX_ENTROPY_BITS are not declared via the normal header | |
| * chain. Provide the declarations here at file scope so the compiler sees | |
| * them before the call below. | |
| */ | |
| #ifndef HAVE_ENTROPY_MEMUSE | |
| #ifndef MAX_ENTROPY_BITS | |
| #define MAX_ENTROPY_BITS 256 | |
| #endif | |
| * pull MAX_ENTROPY_BITS from the shared wolfentropy header instead of | |
| * duplicating the value locally, so the glue layer stays in sync with | |
| * wolfentropy. Keep wc_Entropy_Get weak so we can report a missing | |
| * wolfentropy.ko at runtime. | |
| */ | |
| #ifndef HAVE_ENTROPY_MEMUSE | |
| #include <wolfssl/wolfcrypt/wolfentropy.h> |
| AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"]) | ||
| AM_CONDITIONAL([BUILD_WOLFENTROPY_KO],[test "$ENABLED_LINUXKM" = "yes"]) | ||
| AM_CONDITIONAL([BUILD_KERNEL_MODE_DEFAULTS],[test "$KERNEL_MODE_DEFAULTS" != "no"]) |
There was a problem hiding this comment.
PR description says BUILD_WOLFENTROPY_KO is enabled when --enable-linuxkm + entropy memuse are both active, but the conditional currently enables it for any LinuxKM build. Either update the conditional to reflect the documented gating (e.g., require the entropy configuration that makes wolfentropy.ko buildable), or update the PR description/usage so users don’t get a wolfentropy target that can fail under default/non-entropy configurations.
| FIPS_OPTION='disabled --enable-wolfentropy=random_c --disable-shake128 | ||
| --disable-shake256' |
There was a problem hiding this comment.
This assigns a single-quoted string containing a literal newline (and indentation spaces). That’s easy to overlook and can be fragile depending on how FIPS_OPTION is later expanded/quoted. Consider keeping it on one line (or using an explicit, predictable line continuation outside of quotes) so the resulting argv is clearer.
| FIPS_OPTION='disabled --enable-wolfentropy=random_c --disable-shake128 | |
| --disable-shake256' | |
| FIPS_OPTION='disabled --enable-wolfentropy=random_c --disable-shake128 --disable-shake256' |
Summary
Adds build infrastructure and runtime glue for wolfentropy.ko, a minimal Linux kernel module that provides an SP 800-90B entropy source separate from the FIPS boundary.
New: wolfentropy.ko build target
flags that would cause _mcleanup: gmon.out: Permission denied from the get_thread_size host program.
sha256.o, sha3.o, wc_port.o, memory.o, logging.o, and linuxkm_memory.o. WOLFENTROPY_LINUXKM_USE_MUTEXES is set to bypass PIE redirect table mutex.
active).
remain unexported, preventing collisions with libwolfssl.ko.
Updated: libwolfssl.ko glue for external entropy
When libwolfssl.ko is built with -DWC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER:
Usage
Build entropy module
./configure --enable-linuxkm --enable-wolfentropy --with-linux-src=...
make wolfentropy # produces wolfentropy.ko
Build kernel module linked to external entropy
./configure --enable-linuxkm --with-linux-src=...
make
Runtime (order enforced by MODULE_SOFTDEP)
modprobe wolfentropy
modprobe libwolfssl
To replicate previous behavior, with libwolfssl.ko housing both the crypto and entropy
./configure --enable-linuxkm --enable-wolfentropy --with-linux-src=...
make
Testing
Tested on customers kernel module
Checklist