Wireguard with remote peer

Martin Stein martin.stein at genode-labs.com
Thu May 11 10:45:56 CEST 2023

Hello Stefan,

As far as I can tell, you are right. DDE Linux has no initial time and
this very likely should cause what you observe because of the replay

A quick trace back through the Linux code:

Wireguard uses ktime_get_real_ts64 [1] for its TAI64 which uses
xtime_sec as base which is set by tk_set_xtime [2] which leads to
do_settimeofday64 [3], and rtc_hctosys [4], and
__devm_rtc_register_device/devm_rtc_device_register [5] which should be
called by the local RTC driver [6].

A good way to solve your problem would be creating a new pseudo RTC
driver for Linux by using a preferably simple one from the list of the
existing drivers as blueprint. This driver would call the register
function on probe like in [7]. Apart from that, the driver would set
only the read function (the function needed in rtc_hctosys) in its
rtc_ops array [8] and implement this function via Genode's RTC service
provided by a Genode RTC driver.

The next step would be integrating this driver into your Linux. You can
do so by adding the RTC subsystem files as well and then simply
disguising it as a driver that already exists. DDE Linux uses a
pre-generated list of init calls of components of a real Linux, and
therefore if your driver carries the right hooks
(module_platform_driver_probe macro, platform_driver struct) of an
existing driver [9], it should work without further ado. I would
recommend you disguise it as a very unspecific driver like rtc-generic in
the example.


[4] https://elixir.bootlin.com/linux/latest/source/drivers/rtc/class.c#L83
[5] https://elixir.bootlin.com/linux/latest/source/drivers/rtc/class.c#L468
[6] https://elixir.bootlin.com/linux/latest/C/ident/devm_rtc_device_register

On 09.05.23 14:48, Stefan Thöni wrote:
> Dear Genodians
> We are looking into using wireguard to access sensor nodes connected by
> a genode-powered gateway through a wireguard server running on Linux. By
> trying this, we discovered that the wireguard connection works only
> once, and upon restart of the runscript yields "Invalid handshake
> initiation" in the server's log.
> Based on a post by wireguard developer Jason Donenfeld [1] (key
> phrase: "WireGuard relies on a timestamp counter always moving
> forward."), we concluded that this problem is caused by DDE restarting at
> time zero instead of using an RTC connection, thereby triggering
> wireguard's replay protection mechanism on the server peer.
> We're not sure how to best fix the problem. Do you have any suggestions?
> [1]
> https://inbox.vuxu.org/wireguard/7aa9fe5e-2ae2-cf8b-ae6d-d98de2031b44@posteo.de/t/
> Best Regards
> Stefan Thöni
> gapfruit AG
> Baarerstrasse 135
> 6300 Zug
> https://gapfruit.com
> _______________________________________________
> Genode users mailing list
> users at lists.genode.org
> https://lists.genode.org/listinfo/users
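The replay check that the thread is about, modelled in user space as an added example (this is not code from WireGuard, Linux or Genode, and it is not part of either mail). The TAI64 epoch offset, the 2^24 nanosecond rounding and the big-endian memcmp() ordering mirror what the kernel's drivers/net/wireguard/noise.c does; the per-peer state, the two-boot scenario with its uptime values and the 2023 epoch value are constructed for illustration. The responder's separate flood check on boot time is left out.

```c
/* Added example: user-space model of WireGuard's TAI64N handshake timestamp
 * and of the responder's replay check. Not taken from WireGuard, Linux or
 * Genode; constants follow drivers/net/wireguard/noise.c, the scenario is
 * constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIMESTAMP_LEN 12
#define TAI64_EPOCH_OFFSET 0x400000000000000aULL  /* TAI64 label of 1970-01-01 00:00:00 */
/* WireGuard rounds the nanoseconds down to 2^24, the largest power of two
 * not above NSEC_PER_SEC / 50 initiations per second, to blunt timer leaks. */
#define NSEC_GRANULARITY (1u << 24)

/* Wall-clock value as ktime_get_real_ts64() would hand it to WireGuard. */
struct wallclock { int64_t sec; int32_t nsec; };

static void put_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

static void put_be32(uint8_t *p, uint32_t v)
{
    for (int i = 3; i >= 0; i--) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

/* Initiator side: encode the wall clock as a 12-byte TAI64N timestamp. */
void tai64n_encode(struct wallclock now, uint8_t out[TIMESTAMP_LEN])
{
    uint32_t nsec = (uint32_t)now.nsec & ~(NSEC_GRANULARITY - 1);
    put_be64(out, TAI64_EPOCH_OFFSET + (uint64_t)now.sec);
    put_be32(out + 8, nsec);
}

/* Responder side: state kept per peer (per static public key). */
struct responder { uint8_t latest_timestamp[TIMESTAMP_LEN]; };

/* Consume one handshake initiation. The big-endian layout makes memcmp()
 * a chronological comparison, so anything not strictly newer than the last
 * accepted timestamp is treated as a replay and dropped; the kernel logs
 * that as "Invalid handshake initiation". Returns true if accepted. */
bool responder_consume(struct responder *r, const uint8_t ts[TIMESTAMP_LEN])
{
    if (memcmp(ts, r->latest_timestamp, TIMESTAMP_LEN) <= 0)
        return false;
    memcpy(r->latest_timestamp, ts, TIMESTAMP_LEN);
    return true;
}

/* Constructed scenario: one peer seen across two boots. The first boot
 * handshakes at uptimes 2 s, 122 s and 242 s (WireGuard rekeys roughly
 * every two minutes) with a clock that starts at 1970. The second boot
 * handshakes at uptimes 2 s, 7 s and 12 s with wall clock
 * second_boot_base + uptime: 0 models a DDE Linux without an RTC, a real
 * epoch value models a clock seeded from an RTC. Returns how many of the
 * three second-boot initiations the responder accepts. */
int second_boot_accepted(int64_t second_boot_base)
{
    static const int64_t first_boot[3]  = {2, 122, 242};
    static const int64_t second_boot[3] = {2, 7, 12};
    struct responder srv = {{0}};
    uint8_t ts[TIMESTAMP_LEN];
    int accepted = 0;

    for (int i = 0; i < 3; i++) {
        tai64n_encode((struct wallclock){first_boot[i], 0}, ts);
        responder_consume(&srv, ts);
    }
    for (int i = 0; i < 3; i++) {
        tai64n_encode((struct wallclock){second_boot_base + second_boot[i], 0}, ts);
        accepted += responder_consume(&srv, ts) ? 1 : 0;
    }
    return accepted;
}

int main(void)
{
    /* 1683794400 is an assumed epoch value in May 2023, not a measured one. */
    printf("second boot without RTC: %d of 3 initiations accepted\n",
           second_boot_accepted(0));
    printf("second boot with RTC:    %d of 3 initiations accepted\n",
           second_boot_accepted(1683794400));
    return 0;
}
```

The point the model makes visible: the responder never forgets the highest timestamp it accepted from a peer, so a peer whose clock restarts at 1970 is rejected until its uptime passes the previous boot's last rekey, which is exactly why seeding the DDE Linux clock from an RTC (or any monotonically advancing real-time source) is the fix rather than, say, clearing state on the gateway.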
