Skip to content

20260120-linuxkm-RHEL9v6-and-RDSEED-sanity-check #9691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
douzzer wants to merge 3 commits into
base: master
Choose a base branch
from
Open

20260120-linuxkm-RHEL9v6-and-RDSEED-sanity-check #9691

douzzer wants to merge 3 commits into from
+514 −3

Conversation

@douzzer
Copy link
Contributor

@douzzer douzzer commented Jan 20, 2026

add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch

wolfcrypt/src/random.c: add sanity check in wc_GenerateSeed_IntelRD() to work around buggy RDSEED by disabling it if it generates three identical 64 bit words consecutively;

wolfssl/wolfcrypt/settings.h: if DEBUG_WOLFSSL && !WC_NO_VERBOSE_RNG, set WC_VERBOSE_RNG, and add WOLFSSL_NO_DEBUG_CERTS to allow inhibition of WOLFSSL_DEBUG_CERTS.

tested with

LIBWOLFSSL_CONFIGURE_ARGS_OVERRIDE=--enable-amdrdseed wolfssl-multi-test.sh ...
linuxkm-fips-dev-dist-insmod-cust-kernel-2-amdrdseed
check-source-text
clang-tidy-all-sp-all
sanitizer-all-intelasm-c-fallback-fuzzer

also, the new patch file tested good by customer.

@douzzer
add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RA…
ba53051 
…NDOM_CALLBACKS-5v14-570v58v1-el9_6.patch
@douzzer
wolfcrypt/src/random.c: add sanity check in wc_GenerateSeed_IntelRD()…
b91272c 
… to work around buggy RDSEED by disabling it if it generates three identical 64 bit words consecutively;

wolfssl/wolfcrypt/settings.h: if DEBUG_WOLFSSL && !WC_NO_VERBOSE_RNG, set WC_VERBOSE_RNG, and add WOLFSSL_NO_DEBUG_CERTS to allow inhibition of WOLFSSL_DEBUG_CERTS.
@douzzer
Copy link
Contributor Author

douzzer commented Jan 20, 2026

Note, see ZD#19574

@douzzer douzzer requested a review from embhorn January 20, 2026 21:34
SparkiDev
SparkiDev requested changes Jan 20, 2026
View reviewed changes
wolfcrypt/src/random.c Outdated
return -1;

if (rdseed_sanity_status == 0) {
static word64 sanity_words[2] = {0, 0};
Copy link
Contributor

@SparkiDev SparkiDev Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it need to be static?

Copy link
Contributor Author

@douzzer douzzer Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed as discussed.

@douzzer
wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: fixes from C…
7048fa8 
…I and peer review:

* in wc_GenerateSeed_IntelRD(), use stack/register allocation for sanity_word{1,2}, and
* don't set WC_VERBOSE_RNG if WOLFSSL_DEBUG_PRINTF is missing.
@douzzer douzzer requested a review from SparkiDev January 20, 2026 22:49
@douzzer
Copy link
Contributor Author

douzzer commented Jan 20, 2026

retest this please
(typical Jenkins tooling hiccups)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

@embhorn embhorn Awaiting requested review from embhorn

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

Requested changes must be addressed to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@douzzer @SparkiDev @wolfSSL-Bot