>>>>> Though in FIPS 2.0 there is new option that might work in this case. >>>>> Besides switching to another compiler that is. Introduced to rectify >>>>> situation with rodata segments not being position-independent on Win64, >>>>> defining __fips_constseg might prove useful even in this situation. See >>>>> if defining it in fips/fipssyms.h to __attribute__((section(".rodata"))) >>>>> makes it work. Keep in mind that me suggesting this doesn't make it >>>>> validated. If it works, it still has to be separately validated by >>>>> authorities. >>>>> >>>> Ok, so I did this and added it to appropriate locations in >>>> fips_canister.c >> Right, you need the __attribute__ in question even for >> FIPS_rodata_[start|end]. I failed to mention this. Good catch. >> > > Well, this idea at first looked like it would do the trick, however, > when the __attribute__((section(".rodata"))) call makes a ".rodata" > section, it isn't *the* .rodata section, it is just *a* .rodata > section and in fact is made writeable,
Well, then it's tough break, switch to another compiler. Of course one can name section something else, e.g. ".rofips", and write a script that would set the read-only flag in fipscanister.o after it's linked. Or! It would be possible to modify incore to set the flag. I mean fipscanister.o can have .rofips that is not read-only, but it can become read-only in applications and shared lib in the process of embedding the signature. Well, whatever you do requires code change, so you have to validate it separately (change letter through opensslfoundation.com might be alternative)... > The assembler code looks correct for FIPS_text_startX returning its > memory location. The question was if FIPS_text_start returns FIPS_text_startX's address [of its first instruction], *not* what does FIPS_text_startX return! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org