Add nat20sw kernel module to linux examples. (#102)

The nat20sw module is an implementation of a nat20device character
device class. It uses the functionality implemented in nat20lib and
nat20crypto to implement a fully fledged DICE service with embedded CA
(ECA).
The root secret is hard coded and thus not useful for production
applications. But it serves as inspirational reference implementation
and as a suitable environment to develop user space tools against.

Author: werwurm

.github/workflows/linux-kmod-build.yml

@@ -121,3 +121,20 @@ jobs:
           find ${{ runner.temp }}/buildroot.build -name 'nat20crypto.ko' | grep -q nat20crypto.ko
           echo "nat20crypto.ko built successfully:"
           find ${{ runner.temp }}/buildroot.build -name 'nat20crypto.ko' -exec ls -la {} \;
+
+      - name: Build nat20sw kernel module
+        env:
+          NAT20DEVICE_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20LIB_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20CRYPTO_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20SW_OVERRIDE_SRCDIR: ${{ github.workspace }}
+        run: |
+          cd ${{ runner.temp }}/buildroot.build/buildroot
+          make nat20sw-dirclean
+          make nat20sw -j $(( $(nproc) + 1 ))
+
+      - name: Verify nat20sw.ko was produced
+        run: |
+          find ${{ runner.temp }}/buildroot.build -name 'nat20sw.ko' | grep -q nat20sw.ko
+          echo "nat20sw.ko built successfully:"
+          find ${{ runner.temp }}/buildroot.build -name 'nat20sw.ko' -exec ls -la {} \;

examples/linux/br_external/Config.in

@@ -35,4 +35,5 @@
 
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20crypto/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20device/Config.in"
+source "$BR2_EXTERNAL_NAT20_PATH/package/nat20sw/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20lib/Config.in"

examples/linux/br_external/configs/qemu_br_defconfig

@@ -3978,4 +3978,5 @@ BR2_TARGET_UBOOT_CUSTOM_PATCH_DIR=""
 #
 BR2_PACKAGE_NAT20CRYPTO=y
 BR2_PACKAGE_NAT20DEVICE=y
+BR2_PACKAGE_NAT20SW=y
 BR2_PACKAGE_NAT20LIB=y

examples/linux/br_external/package/nat20sw/Config.in

@@ -0,0 +1,44 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+config BR2_PACKAGE_NAT20SW
+    bool "nat20sw"
+    depends on BR2_PACKAGE_NAT20LIB
+    depends on BR2_PACKAGE_NAT20CRYPTO
+    depends on BR2_PACKAGE_NAT20DEVICE
+    help
+        Add the software implementation of a nat20 service
+        as a module. This is a driver for the nat20-device
+        class.

examples/linux/br_external/package/nat20sw/nat20sw.mk

@@ -0,0 +1,56 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+# In CI NAT20SW_OVERRIDE_SRCDIR is set to the root of the repository,
+# so that the source under test is always the current branch.
+# Integrators who use this configuration should pin the version
+# to a specific commit or branch to avoid breakages when the main branch changes.
+NAT20SW_VERSION = origin/main
+NAT20SW_SITE = https://github.com/aurora-opensource/libnat20.git
+NAT20SW_SITE_METHOD = git
+NAT20SW_LICENSE = Apache-2.0 OR GPL-2.0
+NAT20SW_LICENSE_FILES = LICENSE-Apache-2.0.txt LICENSE-GPL-2.0.txt
+
+NAT20SW_DEPENDENCIES += nat20lib
+NAT20SW_DEPENDENCIES += nat20device
+NAT20SW_DEPENDENCIES += nat20crypto
+NAT20SW_MODULE_MAKE_OPTS += NAT20SW_NAT20LIB_DIR=$(NAT20LIB_DIR)/examples/linux/nat20lib
+NAT20SW_MODULE_MAKE_OPTS += NAT20SW_NAT20DEVICE_DIR=$(NAT20DEVICE_DIR)/examples/linux/nat20device
+NAT20SW_MODULE_MAKE_OPTS += NAT20SW_NAT20CRYPTO_DIR=$(NAT20CRYPTO_DIR)/examples/linux/nat20crypto
+
+NAT20SW_MODULE_SUBDIRS = examples/linux/nat20sw
+
+$(eval $(kernel-module))
+$(eval $(generic-package))

examples/linux/br_external/utils/envsetup.sh

@@ -47,6 +47,7 @@ fi
 source .env
 
 export NAT20CRYPTO_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
+export NAT20SW_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20DEVICE_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20LIB_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 
@@ -72,14 +73,15 @@ function brrebuild() {
         echo "  linux        - Rebuild the linux kernel"
         echo "  nat20crypto  - Rebuild the nat20crypto module"
         echo "  nat20device  - Rebuild the nat20device module"
+        echo "  nat20sw      - Rebuild the nat20sw module"
         echo "  nat20lib     - Rebuild the nat20lib library"
         popd
         return 1
     fi
 
     case "$1" in
         all)
-            ensure_popd make linux-rebuild nat20crypto-rebuild nat20device-rebuild nat20lib-rebuild all
+            ensure_popd make linux-rebuild nat20lib-rebuild nat20crypto-rebuild nat20device-rebuild nat20sw-rebuild all
             ;;
         *)
             ensure_popd make $1-rebuild all

examples/linux/nat20lib/mod.c

@@ -60,6 +60,7 @@ EXPORT_SYMBOL(n20_cbor_write_byte_string);
 EXPORT_SYMBOL(n20_cbor_write_int);
 EXPORT_SYMBOL(n20_cbor_write_map_header);
 EXPORT_SYMBOL(n20_cbor_write_null);
+EXPORT_SYMBOL(n20_cbor_write_tag);
 EXPORT_SYMBOL(n20_cbor_write_text_string);
 EXPORT_SYMBOL(n20_cbor_write_header);
 EXPORT_SYMBOL(n20_compress_input);
@@ -83,9 +84,11 @@ EXPORT_SYMBOL(n20_open_dice_cwt_write);
 EXPORT_SYMBOL(n20_rfc6979_k_generation);
 EXPORT_SYMBOL(n20_service_message_dispatch);
 EXPORT_SYMBOL(n20_stream_byte_count);
+EXPORT_SYMBOL(n20_stream_has_buffer_overflow);
 EXPORT_SYMBOL(n20_stream_has_write_position_overflow);
 EXPORT_SYMBOL(n20_stream_init);
 EXPORT_SYMBOL(n20_stream_prepend);
+EXPORT_SYMBOL(n20_stream_put);
 EXPORT_SYMBOL(n20_stream_skip);
 
 module_init(nat20lib_init);

examples/linux/nat20sw/Kbuild

@@ -0,0 +1,44 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+KBUILD_EXTRA_SYMBOLS := $(NAT20SW_NAT20LIB_DIR)/Module.symvers
+KBUILD_EXTRA_SYMBOLS += $(NAT20SW_NAT20DEVICE_DIR)/Module.symvers
+KBUILD_EXTRA_SYMBOLS += $(NAT20SW_NAT20CRYPTO_DIR)/Module.symvers
+
+obj-m := nat20sw.o
+
+ccflags-y := -I $(NAT20SW_NAT20LIB_DIR)/include
+ccflags-y += -I $(NAT20SW_NAT20DEVICE_DIR)/include
+ccflags-y += -I $(NAT20SW_NAT20CRYPTO_DIR)/include

examples/linux/nat20sw/Makefile

@@ -0,0 +1,54 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+KDIR ?= /lib/modules/`uname -r`/build
+INSTALL_MOD_DIR ?= extra
+
+NAT20SW_NAT20LIB_DIR ?= $(PWD)/../nat20lib
+NAT20SW_NAT20DEVICE_DIR ?= $(PWD)/../nat20device
+NAT20SW_NAT20CRYPTO_DIR ?= $(PWD)/../nat20crypto
+
+all: modules
+
+modules:
+	$(MAKE) -C $(KDIR) NAT20SW_NAT20LIB_DIR=$(NAT20SW_NAT20LIB_DIR) NAT20SW_NAT20DEVICE_DIR=$(NAT20SW_NAT20DEVICE_DIR) NAT20SW_NAT20CRYPTO_DIR=$(NAT20SW_NAT20CRYPTO_DIR) M=$$PWD modules
+
+modules_install:
+	$(MAKE) -C $(KDIR) INSTALL_MOD_DIR=$(INSTALL_MOD_DIR) M=$$PWD modules_install
+
+clean:
+	$(MAKE) -C $(KDIR) M=$$PWD clean
+
+.PHONY: all modules modules_install clean