add wolfentropy.ko build — SP 800-90B entropy source kernel module

Makefile.am

@@ -248,6 +248,27 @@ install_module modules_install:
 
 endif
 
+if BUILD_WOLFENTROPY_KO
+
+    export build_triplet host_triplet CC AS LD \
+        KERNEL_ROOT KERNEL_ARCH KERNEL_EXTRA_CFLAGS \
+        EXTRA_CFLAGS EXTRA_CPPFLAGS EXTRA_CCASFLAGS EXTRA_LDFLAGS \
+	AM_CPPFLAGS CPPFLAGS AM_CFLAGS CFLAGS \
+        AM_CCASFLAGS CCASFLAGS \
+        src_libwolfssl_la_OBJECTS ENABLED_ASM \
+        CFLAGS_FPU_DISABLE CFLAGS_SIMD_DISABLE \
+        CFLAGS_AUTO_VECTORIZE_DISABLE \
+        ASFLAGS_FPU_DISABLE_SIMD_ENABLE \
+        ASFLAGS_FPUSIMD_DISABLE ASFLAGS_FPUSIMD_ENABLE
+
+wolfentropy:
+	+$(MAKE) -C linuxkm wolfentropy
+
+wolfentropy-clean:
+	+$(MAKE) -C linuxkm wolfentropy-clean
+
+endif
+
 if BUILD_BSDKM
     SUBDIRS_OPT += bsdkm
     DIST_SUBDIRS_OPT += bsdkm

configure.ac

@@ -6048,20 +6048,10 @@ AC_ARG_ENABLE([pwdbased],
 # MemUse Entropy
 # wolfEntropy Software Jitter SP800-90B certifiable entropy source
 
-if test "$KERNEL_MODE_DEFAULTS" = "yes" && \
-   test "$ENABLED_AMDRDSEED" != "yes" && \
-   test "$ENABLED_INTELRDRAND" != "yes" && \
-   test "$ENABLED_INTELRDSEED" != "yes"
-then
-    ENABLED_ENTROPY_MEMUSE_DEFAULT=yes
-else
-    ENABLED_ENTROPY_MEMUSE_DEFAULT=no
-fi
-
 AC_ARG_ENABLE([wolfEntropy],
     [AS_HELP_STRING([--enable-wolfEntropy],[Enable memuse entropy support (default: disabled)])],
     [ ENABLED_ENTROPY_MEMUSE=$enableval ],
-    [ ENABLED_ENTROPY_MEMUSE=$ENABLED_ENTROPY_MEMUSE_DEFAULT ]
+    [ ENABLED_ENTROPY_MEMUSE=no ]
     )
 AC_ARG_ENABLE([wolfentropy],
     [AS_HELP_STRING([--enable-wolfentropy],[Alias for --enable-wolfEntropy])],
@@ -6072,6 +6062,20 @@ AC_ARG_ENABLE([entropy-memuse],
     [ ENABLED_ENTROPY_MEMUSE=$enableval ]
     )
 
+# Default --enable-linuxkm to seed its FIPS DRBG from a separately-built
+# wolfentropy.ko module via WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER (resolved
+# at module load time via a weak extern on wc_Entropy_Get).  Skipped if
+# wolfEntropy is being compiled into libwolfssl.ko itself, or if Intel/AMD
+# RDSEED/RDRAND was explicitly requested as the entropy source.
+if test "$KERNEL_MODE_DEFAULTS" = "yes" && \
+   test "x$ENABLED_ENTROPY_MEMUSE" = "xno" && \
+   test "$ENABLED_AMDRDSEED" != "yes" && \
+   test "$ENABLED_INTELRDRAND" != "yes" && \
+   test "$ENABLED_INTELRDSEED" != "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER"
+fi
+
 # AES key wrap
 AC_ARG_ENABLE([aeskeywrap],
     [AS_HELP_STRING([--enable-aeskeywrap],[Enable AES key wrap support (default: disabled)])],
@@ -7194,6 +7198,7 @@ else
 fi
 
 # MemUse Entropy (AKA wolfEntropy)
+WOLFENTROPY_IN_RANDOM_C=no
 if test "x$ENABLED_ENTROPY_MEMUSE" != "xno"
 then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_ENTROPY_MEMUSE"
@@ -7210,8 +7215,11 @@ then
       nofallback)
         AM_CFLAGS="$AM_CFLAGS -DENTROPY_MEMUSE_FORCE_FAILURE"
         ;;
+      random_c)
+        WOLFENTROPY_IN_RANDOM_C=yes
+        ;;
       *)
-        AC_MSG_ERROR([Invalid MemUse Entropy option. Valid are: thread, nofallback. Seen: $ENABLED_ENTROPY_MEMUSE.])
+        AC_MSG_ERROR([Invalid MemUse Entropy option. Valid are: thread, nofallback, random_c. Seen: $ENABLED_ENTROPY_MEMUSE.])
         break;;
       esac
     done
@@ -11519,6 +11527,7 @@ AM_CONDITIONAL([BUILD_ECCSI],[test "x$ENABLED_ECCSI" = "xyes" || test "x$ENABLED
 AM_CONDITIONAL([BUILD_SAKKE],[test "x$ENABLED_SAKKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_MEMORY],[test "x$ENABLED_MEMORY" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_MEMUSE],[test "x$ENABLED_ENTROPY_MEMUSE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_WOLFENTROPY_C],[test "x$WOLFENTROPY_IN_RANDOM_C" != "xyes" && test "x$ENABLED_ENTROPY_MEMUSE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_RNG_BANK],[test "$ENABLED_RNG_BANK" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
 AM_CONDITIONAL([BUILD_RSA],[test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_DH],[test "x$ENABLED_DH" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -11616,6 +11625,7 @@ AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED
 AM_CONDITIONAL([BUILD_SMIME],[test "x$ENABLED_SMIME" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"])
 AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"])
+AM_CONDITIONAL([BUILD_WOLFENTROPY_KO],[test "$ENABLED_LINUXKM" = "yes"])
 AM_CONDITIONAL([BUILD_KERNEL_MODE_DEFAULTS],[test "$KERNEL_MODE_DEFAULTS" != "no"])
 AM_CONDITIONAL([BUILD_BSDKM],[test "$ENABLED_BSDKM" = "yes"])
 AM_CONDITIONAL([BUILD_KERNEL_MODULE],[test "$ENABLED_BSDKM" = "yes" || test "$ENABLED_LINUXKM" = "yes"])

fips-check.sh

@@ -368,89 +368,17 @@ wolfentropy)
   FIPS_REPO_TAG='WCv6.0.0-RC4'
   ASM_PICKUPS_TAG='WCv6.0.0-RC4'
   WOLF_ENTROPY_TAG='wolfEntropy2'
-  FIPS_OPTION='v6'
+  FIPS_OPTION='disabled --enable-wolfentropy=random_c --disable-shake128
+               --disable-shake256'
   FIPS_FILES=(
-    "wolfcrypt/src/fips.c:${FIPS_REPO_TAG}"
-    "wolfcrypt/src/fips_test.c:${FIPS_REPO_TAG}"
-    "wolfcrypt/src/wolfcrypt_first.c:${FIPS_REPO_TAG}"
-    "wolfcrypt/src/wolfcrypt_last.c:${FIPS_REPO_TAG}"
-    "wolfssl/wolfcrypt/fips.h:${FIPS_REPO_TAG}"
   )
   WOLFCRYPT_FILES=(
-    "wolfcrypt/src/aes_asm.asm:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/aes_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/aes_gcm_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/aes_gcm_x86_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/aes_xts_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/aes.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-aes-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha256-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha3-asm_c.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha3-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-32-sha512-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-aes.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha256.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha3-asm.S:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha512-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/armv8-sha512.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/cmac.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/dh.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/ecc.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/ed25519.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/ed448.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/hmac.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/kdf.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/pwdbased.c:${WOLF_REPO_TAG}"
     "wolfcrypt/src/random.c:${WOLF_ENTROPY_TAG}"
-    "wolfcrypt/src/rsa.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sha.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sha256_asm.S:${WOLF_REPO_TAG}"
     "wolfcrypt/src/sha256.c:${WOLF_REPO_TAG}"
     "wolfcrypt/src/sha3.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sha3_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sha512_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sha512.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sp_arm32.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_arm64.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_armthumb.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_c32.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_c64.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_cortexm.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/sp_x86_64_asm.asm:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sp_x86_64_asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/sp_x86_64.c:${ASM_PICKUPS_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-aes-asm_c.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-aes-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha256-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha3-asm_c.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha3-asm.S:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/arm/thumb2-sha512-asm.S:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/aes.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/cmac.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/dh.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/ecc.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/ed25519.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/ed448.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/fips_test.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/hmac.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/kdf.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/pwdbased.h:${WOLF_REPO_TAG}"
     "wolfssl/wolfcrypt/random.h:${WOLF_ENTROPY_TAG}"
-    "wolfssl/wolfcrypt/rsa.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/sha.h:${WOLF_REPO_TAG}"
     "wolfssl/wolfcrypt/sha256.h:${WOLF_REPO_TAG}"
     "wolfssl/wolfcrypt/sha3.h:${WOLF_REPO_TAG}"
-    "wolfssl/wolfcrypt/sha512.h:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/riscv/riscv-64-sha256.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/riscv/riscv-64-sha3.c:${WOLF_REPO_TAG}"
-    "wolfcrypt/src/port/riscv/riscv-64-sha512.c:${WOLF_REPO_TAG}"
   )
   ;;
 
@@ -515,13 +443,15 @@ if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then
 fi
 
 declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED
-for file_entry in "${FIPS_FILES[@]}"; do
-    FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
-done
-while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
-if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
-    echo "Error -- missing FIPS tags." 1>&2
-    exit 1
+if [ ${#FIPS_FILES[@]} -gt 0 ]; then
+    for file_entry in "${FIPS_FILES[@]}"; do
+        FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
+    done
+    while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
+    if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
+        echo "Error -- missing FIPS tags." 1>&2
+        exit 1
+    fi
 fi
 
 if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then

linuxkm/Kbuild

@@ -368,6 +368,7 @@ ifndef NO_EXPORTS
 	$(READELF) --symbols --wide $(filter %.o,$^) |
 		$(AWK) '/^ *[0-9]+: / {
 		  if ($$8 !~ /^(wc_|wolf|WOLF|TLSX_)/){next;}
+		  if ($$8 ~ /^wc_Entropy_(Get|GetRawEntropy|OnDemandTest)$$/){next;}
 		  if (($$4 == "FUNC") && ($$5 == "GLOBAL") && ($$6 == "DEFAULT")) {
 		    print "$(EXPORT_SYMBOL)(" $$8 ", '"$$ns"');";
 		  }

linuxkm/Makefile

@@ -463,10 +463,90 @@ endif
 install modules_install:
 	+$(MAKE) $(QFLAG) --no-silent -C $(KERNEL_ROOT) M=$(MODULE_TOP) src=$(SRC_TOP) INSTALL_MOD_DIR=wolfssl modules_install
 
+# wolfentropy.ko -- minimal SP 800-90B entropy source module.
+#
+# Built from a fixed, minimal set of wolfcrypt sources compiled with the same
+# WOLFSSL_CFLAGS as the main module (which already carries -DHAVE_ENTROPY_MEMUSE
+# when --enable-wolfentropy was passed to configure).  Only wc_Entropy_Get,
+# wc_Entropy_GetRawEntropy, and wc_Entropy_OnDemandTest are exported; all other
+# wolfcrypt symbols (SHA3, mutexes, wolfCrypt_Init, ...) remain unexported, so
+# loading wolfentropy.ko alongside libwolfssl.ko causes no symbol collisions.
+#
+# The build runs in a separate subdirectory ($(MODULE_TOP)/wolfentropy/) that
+# mirrors the layout used by the main module build.
+
+WOLFENTROPY_MODULE_TOP := $(MODULE_TOP)/wolfentropy
+
+# Minimal set of wolfcrypt objects needed for Entropy_Init / wc_Entropy_Get.
+# random.c uses SHA256 internally for the DRBG counter-mode update, so
+# sha256.o must be included.
+# Add wolfcrypt/src/sha3_asm.o here for platforms with SHA3 ASM acceleration.
+WOLFENTROPY_OBJ_FILES := \
+    wolfcrypt/src/random.o \
+    wolfcrypt/src/sha256.o \
+    wolfcrypt/src/sha3.o \
+    wolfcrypt/src/wc_port.o \
+    wolfcrypt/src/memory.o \
+    wolfcrypt/src/logging.o \
+    linuxkm/linuxkm_memory.o
+
+# Inherit the same compiler flags as the main module; configure already added
+# -DHAVE_ENTROPY_MEMUSE (and -DWOLFSSL_SHA3) when --enable-wolfentropy was set.
+# WOLFSSL_LINUXKM_USE_MUTEXES: use kernel mutexes directly; wolfentropy.ko
+# does not have the PIE redirect table that wc_lkm_LockMutex requires.
+WOLFENTROPY_CFLAGS := $(WOLFSSL_CFLAGS) -DWOLFSSL_LINUXKM_USE_MUTEXES
+
+export WOLFENTROPY_OBJ_FILES WOLFENTROPY_CFLAGS
+
+.PHONY: wolfentropy wolfentropy.ko
+wolfentropy: wolfentropy.ko
+
+wolfentropy.ko:
+	@set -e
+	@if test -z '$(KERNEL_ROOT)'; then echo '$$KERNEL_ROOT is unset' >&2; exit 1; fi
+	@if test -z '$(AM_CFLAGS)$(CFLAGS)'; then echo '$$AM_CFLAGS and $$CFLAGS are both unset.' >&2; exit 1; fi
+	@mkdir -p '$(WOLFENTROPY_MODULE_TOP)/linuxkm'
+	@# Symlink Kbuild.entropy as the Kbuild file for this build directory.
+	@ln -sf '$(MODULE_TOP)/Kbuild.entropy' '$(WOLFENTROPY_MODULE_TOP)/Kbuild'
+	@# Symlink all linuxkm .c/.h sources (includes module_hooks_entropy.c,
+	@# module_exports_entropy.c, linuxkm_memory.c, get_thread_size.c, ...).
+	@function resolved_link_is_equal() { [[ -L "$$1" && "$$(readlink -f "$$1")" == "$$(readlink -f "$$2")" ]]; }
+	@resolved_link_is_equal \
+		'$(WOLFENTROPY_MODULE_TOP)/linuxkm/module_hooks_entropy.c' \
+		'$(MODULE_TOP)/module_hooks_entropy.c' || \
+		cp $(vflag) --no-dereference --symbolic-link --no-clobber \
+			'$(MODULE_TOP)'/*.[ch] '$(WOLFENTROPY_MODULE_TOP)/linuxkm/'
+	@# Symlink wolfcrypt source tree.
+	@resolved_link_is_equal \
+		'$(WOLFENTROPY_MODULE_TOP)/wolfcrypt/src/random.c' \
+		'$(SRC_TOP)/wolfcrypt/src/random.c' || \
+		cp $(vflag) --no-dereference --symbolic-link --no-clobber \
+			--recursive '$(SRC_TOP)/wolfcrypt' '$(WOLFENTROPY_MODULE_TOP)/'
+	+$(MAKE) $(QFLAG) --no-print-directory --no-silent \
+		ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) \
+		-C '$(KERNEL_ROOT)' M='$(WOLFENTROPY_MODULE_TOP)' \
+		WOLFENTROPY_OBJ_FILES='$(WOLFENTROPY_OBJ_FILES)' \
+		WOLFENTROPY_CFLAGS='$(WOLFENTROPY_CFLAGS)' \
+		WOLFSSL_ASFLAGS='$(WOLFSSL_ASFLAGS)' \
+		KERNEL_ARCH='$(KERNEL_ARCH)' \
+		CFLAGS_SIMD_DISABLE='$(CFLAGS_SIMD_DISABLE)' \
+		CFLAGS_FPU_DISABLE='$(CFLAGS_FPU_DISABLE)' \
+		ASFLAGS_FPUSIMD_DISABLE='$(ASFLAGS_FPUSIMD_DISABLE)' \
+		$(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
+	@cp '$(WOLFENTROPY_MODULE_TOP)/wolfentropy.ko' . 2>/dev/null || true
+
+.PHONY: wolfentropy-clean
+wolfentropy-clean:
+	+$(MAKE) $(QFLAG) --no-silent -C $(KERNEL_ROOT) \
+		M='$(WOLFENTROPY_MODULE_TOP)' src='$(WOLFENTROPY_MODULE_TOP)' clean \
+		2>/dev/null || true
+	$(RM) -rf '$(WOLFENTROPY_MODULE_TOP)'
+	$(RM) -f wolfentropy.ko
+
 .PHONY: clean
 # note, must supply $(MODULE_TOP) as the src value for clean so that Kbuild is included, else
 # the top Makefile (which is not for the kernel build) would be included here.
-clean:
+clean: wolfentropy-clean
 	+$(MAKE) $(QFLAG) --no-silent -C $(KERNEL_ROOT) M=$(MODULE_TOP) src=$(MODULE_TOP) clean
 	$(RM) -rf '$(MODULE_TOP)/linuxkm'
 	$(RM) -rf '$(MODULE_TOP)/wolfcrypt'

linuxkm/include.am

@@ -4,13 +4,16 @@
 
 EXTRA_DIST += m4/ax_linuxkm.m4 \
 	      linuxkm/Kbuild \
+	      linuxkm/Kbuild.entropy \
 	      linuxkm/Makefile \
 	      linuxkm/README.md \
 	      linuxkm/get_thread_size.c \
 	      linuxkm/linuxkm-fips-hash.c \
 	      linuxkm/linuxkm-fips-hash-wrapper.sh \
 	      linuxkm/module_hooks.c \
+	      linuxkm/module_hooks_entropy.c \
 	      linuxkm/module_exports.c.template \
+	      linuxkm/module_exports_entropy.c \
 	      linuxkm/pie_redirect_table.c \
 	      linuxkm/linuxkm_memory.c \
 	      linuxkm/linuxkm_memory.h \

linuxkm/module_hooks.c

@@ -397,9 +397,27 @@ void wc_linuxkm_relax_long_loop(void) {
 
 #if defined(WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER)
 
+/* When building without the wolfentropy source (HAVE_ENTROPY_MEMUSE not set),
+ * wc_Entropy_Get and MAX_ENTROPY_BITS are not declared via the normal header
+ * chain.  Provide the declarations here at file scope so the compiler sees
+ * them before the call below.
+ */
+#ifndef HAVE_ENTROPY_MEMUSE
+    #ifndef MAX_ENTROPY_BITS
+        #define MAX_ENTROPY_BITS 256
+    #endif
+    extern int wc_Entropy_Get(int bits, unsigned char *entropy, word32 len) __attribute__((weak));
+#endif /* !HAVE_ENTROPY_MEMUSE */
+
 int wc_linuxkm_GenerateSeed_wolfEntropy(OS_Seed* os, byte* output, word32 sz)
 {
     (void)os;
+#ifndef HAVE_ENTROPY_MEMUSE
+    if (!wc_Entropy_Get) {
+        pr_err("wolfentropy: wc_Entropy_Get unavailable -- is wolfentropy.ko loaded?\n");
+        return -ENODEV;
+    }
+#endif
     return wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
 }
 
@@ -1113,6 +1131,15 @@ MODULE_AUTHOR("https://www.wolfssl.com/");
 MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
 MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
 
+#ifdef WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER
+MODULE_SOFTDEP("pre: wolfentropy");
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0)
+MODULE_IMPORT_NS("WOLFSSL");
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)
+MODULE_IMPORT_NS(WOLFSSL);
+#endif
+#endif /* WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER */
+
 #ifdef WC_SYM_RELOC_TABLES
 
 extern const struct wc_reloc_table_ent wc_linuxkm_pie_reloc_tab[];