From a701d4b8414db2e1fafa676fad232cc9a0bfeaab Mon Sep 17 00:00:00 2001 From: Ilya Lipnitskiy Date: Fri, 19 Feb 2021 08:22:08 -0800 Subject: [PATCH] kernel: migrate wireguard into the kernel tree On Linux 5.4, build WireGuard from backports. Linux 5.10 contains wireguard in-tree. Add in-kernel crypto libraries required by WireGuard along with arch-specific optimizations. Signed-off-by: Ilya Lipnitskiy (cherry picked from commit 06351f1bd0455abacb700db5098bb798f66948fc) (cherry picked from commit 464451d9ab824c2ed62f7da33f0a965f562714c8) --- package/kernel/linux/modules/crypto.mk | 155 +++++++++++++++++++- package/kernel/linux/modules/netsupport.mk | 30 ++++ package/network/services/wireguard/Makefile | 88 ----------- 3 files changed, 184 insertions(+), 89 deletions(-) delete mode 100644 package/network/services/wireguard/Makefile diff --git a/package/kernel/linux/modules/crypto.mk b/package/kernel/linux/modules/crypto.mk index e9e78e7967daa..19b0d4696b4a4 100644 --- a/package/kernel/linux/modules/crypto.mk +++ b/package/kernel/linux/modules/crypto.mk @@ -11,6 +11,8 @@ CRYPTO_MODULES = \ ALGAPI2=crypto_algapi \ BLKCIPHER2=crypto_blkcipher +CRYPTO_TARGET = $(BOARD)/$(if $(SUBTARGET),$(SUBTARGET),generic) + crypto_confvar=CONFIG_CRYPTO_$(word 1,$(subst =,$(space),$(1))) crypto_file=$(LINUX_DIR)/crypto/$(word 2,$(subst =,$(space),$(1))).ko crypto_name=$(if $(findstring y,$($(call crypto_confvar,$(1)))),,$(word 2,$(subst =,$(space),$(1)))) @@ -422,7 +424,6 @@ $(eval $(call KernelPackage,crypto-hw-talitos)) define KernelPackage/crypto-kpp TITLE:=Key-agreement Protocol Primitives KCONFIG:=CONFIG_CRYPTO_KPP - HIDDEN:=1 FILES:=$(LINUX_DIR)/crypto/kpp.ko AUTOLOAD:=$(call AutoLoad,09,kpp) $(call AddDepends/crypto) 
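Review bot: `CRYPTO_TARGET` in the first crypto.mk hunk is added without a comment, yet the per-target definitions added later in this file (`KernelPackage/crypto-lib-blake2s/x86/64`, and the `.../$(CRYPTO_TARGET)=` aliases for chacha20, curve25519 and poly1305) only apply when their suffix equals its expansion exactly. A mistyped or differently named subtarget would presumably fall back to the generic module with no build error, so the optimized code would go unused without anyone noticing. I would document the key where it is defined, for example `# <board>/<subtarget> ("generic" when SUBTARGET is empty); suffix used for per-target KernelPackage overrides`. How the KernelPackage template consumes that suffix is outside this patch, so the wording should be confirmed against it.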
@@ -431,6 +432,158 @@ endef $(eval $(call KernelPackage,crypto-kpp)) +define KernelPackage/crypto-lib-blake2s + TITLE:=BLAKE2s hash function library + KCONFIG:=CONFIG_CRYPTO_LIB_BLAKE2S + HIDDEN:=1 + FILES:= \ + $(LINUX_DIR)/lib/crypto/libblake2s.ko \ + $(LINUX_DIR)/lib/crypto/libblake2s-generic.ko + $(call AddDepends/crypto,+PACKAGE_kmod-crypto-hash:kmod-crypto-hash) +endef + +define KernelPackage/crypto-lib-blake2s/config + imply PACKAGE_kmod-crypto-hash +endef + +define KernelPackage/crypto-lib-blake2s/x86/64 + KCONFIG+=CONFIG_CRYPTO_BLAKE2S_X86 + FILES+=$(LINUX_DIR)/arch/x86/crypto/blake2s-x86_64.ko +endef + +$(eval $(call KernelPackage,crypto-lib-blake2s)) + + +define KernelPackage/crypto-lib-chacha20 + TITLE:=ChaCha library interface + KCONFIG:=CONFIG_CRYPTO_LIB_CHACHA + HIDDEN:=1 + FILES:=$(LINUX_DIR)/lib/crypto/libchacha.ko + $(call AddDepends/crypto) +endef + +define KernelPackage/crypto-lib-chacha20/x86_64 + KCONFIG+=CONFIG_CRYPTO_CHACHA20_X86_64 + FILES+=$(LINUX_DIR)/arch/x86/crypto/chacha-x86_64.ko +endef + +# Note that a non-neon fallback implementation is available on arm32 when +# NEON is not supported, hence all arm targets can utilize lib-chacha20/arm +define KernelPackage/crypto-lib-chacha20/arm + KCONFIG+=CONFIG_CRYPTO_CHACHA20_NEON + FILES:=$(LINUX_DIR)/arch/arm/crypto/chacha-neon.ko +endef + +define KernelPackage/crypto-lib-chacha20/aarch64 + KCONFIG+=CONFIG_CRYPTO_CHACHA20_NEON + FILES+=$(LINUX_DIR)/arch/arm64/crypto/chacha-neon.ko +endef + +define KernelPackage/crypto-lib-chacha20/mips32r2 + KCONFIG+=CONFIG_CRYPTO_CHACHA_MIPS + FILES:=$(LINUX_DIR)/arch/mips/crypto/chacha-mips.ko +endef + +ifeq ($(CONFIG_CPU_MIPS32_R2),y) + KernelPackage/crypto-lib-chacha20/$(ARCH)=\ + $(KernelPackage/crypto-lib-chacha20/mips32r2) +endif + +ifdef KernelPackage/crypto-lib-chacha20/$(ARCH) + KernelPackage/crypto-lib-chacha20/$(CRYPTO_TARGET)=\ + $(KernelPackage/crypto-lib-chacha20/$(ARCH)) +endif + +$(eval $(call KernelPackage,crypto-lib-chacha20)) + + +define 
KernelPackage/crypto-lib-chacha20poly1305 + TITLE:=ChaCha20-Poly1305 AEAD support (8-byte nonce library version) + KCONFIG:=CONFIG_CRYPTO_LIB_CHACHA20POLY1305 + HIDDEN:=1 + FILES:=$(LINUX_DIR)/lib/crypto/libchacha20poly1305.ko + $(call AddDepends/crypto, +kmod-crypto-lib-chacha20 +kmod-crypto-lib-poly1305) +endef + +$(eval $(call KernelPackage,crypto-lib-chacha20poly1305)) + + +define KernelPackage/crypto-lib-curve25519 + TITLE:=Curve25519 scalar multiplication library + KCONFIG:=CONFIG_CRYPTO_LIB_CURVE25519 + HIDDEN:=1 + FILES:= \ + $(LINUX_DIR)/lib/crypto/libcurve25519.ko \ + $(LINUX_DIR)/lib/crypto/libcurve25519-generic.ko + $(call AddDepends/crypto,+PACKAGE_kmod-crypto-kpp:kmod-crypto-kpp) +endef + +define KernelPackage/crypto-lib-curve25519/config + imply PACKAGE_kmod-crypto-kpp +endef + +define KernelPackage/crypto-lib-curve25519/x86/64 + KCONFIG+=CONFIG_CRYPTO_CURVE25519_X86 + FILES+=$(LINUX_DIR)/arch/x86/crypto/curve25519-x86_64.ko +endef + +define KernelPackage/crypto-lib-curve25519/arm-neon + KCONFIG+=CONFIG_CRYPTO_CURVE25519_NEON + FILES+=$(LINUX_DIR)/arch/arm/crypto/curve25519-neon.ko +endef + +ifeq ($(ARCH)-$(CONFIG_KERNEL_MODE_NEON),arm-y) + KernelPackage/crypto-lib-curve25519/$(CRYPTO_TARGET)=\ + $(KernelPackage/crypto-lib-curve25519/arm-neon) +endif + +$(eval $(call KernelPackage,crypto-lib-curve25519)) + + +define KernelPackage/crypto-lib-poly1305 + TITLE:=Poly1305 library interface + KCONFIG:=CONFIG_CRYPTO_LIB_POLY1305 + HIDDEN:=1 + FILES:=$(LINUX_DIR)/lib/crypto/libpoly1305.ko + $(call AddDepends/crypto,+PACKAGE_kmod-crypto-hash:kmod-crypto-hash) +endef + +define KernelPackage/crypto-lib-poly1305/config + imply PACKAGE_kmod-crypto-hash +endef + +define KernelPackage/crypto-lib-poly1305/x86_64 + KCONFIG+=CONFIG_CRYPTO_POLY1305_X86_64 + FILES+=$(LINUX_DIR)/arch/x86/crypto/poly1305-x86_64.ko +endef + +define KernelPackage/crypto-lib-poly1305/arm + KCONFIG+=CONFIG_CRYPTO_POLY1305_ARM + FILES:=$(LINUX_DIR)/arch/arm/crypto/poly1305-arm.ko +endef + 
+define KernelPackage/crypto-lib-poly1305/aarch64 + KCONFIG+=CONFIG_CRYPTO_POLY1305_NEON + FILES:=$(LINUX_DIR)/arch/arm64/crypto/poly1305-neon.ko +endef + +define KernelPackage/crypto-lib-poly1305/mips + KCONFIG+=CONFIG_CRYPTO_POLY1305_MIPS + FILES:=$(LINUX_DIR)/arch/mips/crypto/poly1305-mips.ko +endef + +KernelPackage/crypto-lib-poly1305/mipsel=$(KernelPackage/crypto-lib-poly1305/mips) +KernelPackage/crypto-lib-poly1305/mips64=$(KernelPackage/crypto-lib-poly1305/mips) +KernelPackage/crypto-lib-poly1305/mips64el=$(KernelPackage/crypto-lib-poly1305/mips) + +ifdef KernelPackage/crypto-lib-poly1305/$(ARCH) + KernelPackage/crypto-lib-poly1305/$(CRYPTO_TARGET)=\ + $(KernelPackage/crypto-lib-poly1305/$(ARCH)) +endif + +$(eval $(call KernelPackage,crypto-lib-poly1305)) + + define KernelPackage/crypto-manager TITLE:=CryptoAPI algorithm manager DEPENDS:=+kmod-crypto-aead +kmod-crypto-hash +kmod-crypto-pcompress diff --git a/package/kernel/linux/modules/netsupport.mk b/package/kernel/linux/modules/netsupport.mk index 2c2fe82fa09ee..13f2283944535 100644 --- a/package/kernel/linux/modules/netsupport.mk +++ b/package/kernel/linux/modules/netsupport.mk 
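Review bot: In the `@@ -431,6 +432,158 @@` hunk of crypto.mk the arch overrides mix `FILES:=` and `FILES+=` with no explanation. `crypto-lib-chacha20/arm` and `/mips32r2`, and `crypto-lib-poly1305/arm`, `/aarch64` and `/mips`, replace the base list and so drop `libchacha.ko` or `libpoly1305.ko`, while the x86_64 variants and `crypto-lib-chacha20/aarch64` append to it. If the replacement is deliberate because the arch module carries its own fallback on those platforms, each `FILES:=` deserves a comment such as `# arch module replaces the generic library here, so FILES is overridden rather than extended`. If it is not deliberate, `FILES+=` is needed, otherwise the crypto dependencies of wireguard ship incomplete and the module cannot load on those targets. Whether the generic `.ko` is built under each of these KCONFIG symbols cannot be seen from the patch, so this needs checking against the kernel's lib/crypto configuration.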
@@ -1250,3 +1250,33 @@ define KernelPackage/netlink-diag/description endef $(eval $(call KernelPackage,netlink-diag)) + + +define KernelPackage/wireguard + SECTION:=kernel + CATEGORY:=Kernel modules + SUBMENU:=Network Support + TITLE:=WireGuard kernel module + DEPENDS:= \ + +kmod-crypto-lib-blake2s \ + +kmod-crypto-lib-chacha20poly1305 \ + +kmod-crypto-lib-curve25519 \ + +kmod-udptunnel4 \ + +IPV6:kmod-udptunnel6 + KCONFIG:= \ + CONFIG_WIREGUARD \ + CONFIG_WIREGUARD_DEBUG=n + FILES:=$(LINUX_DIR)/drivers/net/wireguard/wireguard.ko + AUTOLOAD:=$(call AutoProbe,wireguard) +endef + +define KernelPackage/wireguard/description + WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes + state-of-the-art cryptography. It aims to be faster, simpler, leaner, and + more useful than IPSec, while avoiding the massive headache. It intends to + be considerably more performant than OpenVPN. WireGuard is designed as a + general purpose VPN for running on embedded interfaces and super computers + alike, fit for many different circumstances. It uses UDP. +endef + +$(eval $(call KernelPackage,wireguard)) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile deleted file mode 100644 index 91bdb0d7a7799..0000000000000 --- a/package/network/services/wireguard/Makefile +++ /dev/null 
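Review bot: `KernelPackage/wireguard` in netsupport.mk carries no kernel-version condition, although the commit message says the module is in-tree only on 5.10 and comes from backports on 5.4. `FILES` points at `$(LINUX_DIR)/drivers/net/wireguard/wireguard.ko`, so a kernel tree without those backport patches would have nothing to package; the patches are not part of this diff and are presumably added in a separate commit. A comment above the define would record the assumption, for example `# in-tree on 5.10; on 5.4 requires the WireGuard backport patches in the kernel patch set`. Separately, the `wireguard` meta-package that depended on `wireguard-tools` is deleted further down with no replacement visible here, so it is worth confirming that upgrades still install the userspace tools.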
@@ -1,88 +0,0 @@
-#
-# Copyright (C) 2016-2019 Jason A. Donenfeld
-# Copyright (C) 2016 Baptiste Jonglez
-# Copyright (C) 2016-2017 Dan Luedtke
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=wireguard
-
-PKG_VERSION:=1.0.20201112
-PKG_RELEASE:=1
-
-PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=89eae7f0c0bd6c8df3ba2e090984974ff68741a9f26aa0922890f8ca727897e1
-
-PKG_LICENSE:=GPL-2.0
-PKG_LICENSE_FILES:=COPYING
-
-PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/wireguard-linux-compat-$(PKG_VERSION)
-PKG_BUILD_PARALLEL:=1
-PKG_USE_MIPS16:=0
-
-# WireGuard's makefile needs this to know where to build the kernel module
-export KERNELDIR:=$(LINUX_DIR)
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/wireguard/Default
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=VPN
- URL:=https://www.wireguard.com
- MAINTAINER:=Jason A. Donenfeld
-endef
-
-define Package/wireguard/Default/description
- WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
- state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
- more useful than IPSec, while avoiding the massive headache. It intends to
- be considerably more performant than OpenVPN. WireGuard is designed as a
- general purpose VPN for running on embedded interfaces and super computers
- alike, fit for many different circumstances. It uses UDP.
-endef
-
-define Package/wireguard
- $(call Package/wireguard/Default)
- TITLE:=WireGuard meta-package
- DEPENDS:=+wireguard-tools +kmod-wireguard
-endef
-
-include $(INCLUDE_DIR)/kernel-defaults.mk
-include $(INCLUDE_DIR)/package-defaults.mk
-
-define Build/Compile
- $(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
-endef
-
-define Package/wireguard/install
- true
-endef
-
-define Package/wireguard/description
- $(call Package/wireguard/Default/description)
-endef
-
-define KernelPackage/wireguard
- SECTION:=kernel
- CATEGORY:=Kernel modules
- SUBMENU:=Network Support
- TITLE:=WireGuard kernel module
- DEPENDS:=+IPV6:kmod-udptunnel6 +kmod-udptunnel4
- FILES:= $(PKG_BUILD_DIR)/src/wireguard.$(LINUX_KMOD_SUFFIX)
- AUTOLOAD:=$(call AutoProbe,wireguard)
-endef
-
-define KernelPackage/wireguard/description
- $(call Package/wireguard/Default/description)
-
- This package provides the kernel module for WireGuard.
-endef
-
-$(eval $(call BuildPackage,wireguard))
-$(eval $(call KernelPackage,wireguard))