linuxkm/linuxkm_wc_port.h: disable CONFIG_FORTIFY_SOURCE module-wide on kernels <5.18 (shim conflicts), and add WC_FORCE_LINUXKM_FORTIFY_SOURCE for future use.

douzzer · douzzer · commit e4f0acdc1d09 · 2025-10-07T12:49:54.000-05:00
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -602,6 +602,7 @@ WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_ECC_NONBLOCK_ONLY
 WC_FLAG_DONT_USE_AESNI
+WC_FORCE_LINUXKM_FORTIFY_SOURCE
 WC_KDF_NIST_SP_800_56C
 WC_LMS_FULL_HASH
 WC_NO_RNG_SIMPLE
diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h
@@ -228,14 +228,25 @@
 
     #include <linux/kconfig.h>
 
-    #if defined(CONFIG_FORTIFY_SOURCE) && defined(HAVE_LINUXKM_PIE_SUPPORT)
+    #if defined(CONFIG_FORTIFY_SOURCE) && \
+        !defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
+        (defined(HAVE_LINUXKM_PIE_SUPPORT) || \
+         (LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)))
         /* fortify-source causes all sorts of awkward problems for the PIE
          * build, up to and including stubborn external references and multiple
          * definitions of string functions.
+         *
+         * fortify-source before kernel 5.18 has similar issues regardless of
+         * PIE, around our macro-shimming of the string functions.
          */
         #undef CONFIG_FORTIFY_SOURCE
     #endif
 
+    #if defined(WC_FORCE_LINUXKM_FORTIFY_SOURCE) && \
+        !defined(CONFIG_FORTIFY_SOURCE)
+        #error WC_FORCE_LINUXKM_FORTIFY_SOURCE without CONFIG_FORTIFY_SOURCE.
+    #endif
+
     #if defined(__PIE__) && defined(CONFIG_ARM64)
         #define alt_cb_patch_nops my__alt_cb_patch_nops
         #define queued_spin_lock_slowpath my__queued_spin_lock_slowpath
