Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * Copyright 2021 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  * Author: Ard Biesheuvel <ardb@google.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  * This file is the core of fips140.ko, which contains various crypto algorithms
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7)  * that are also built into vmlinux.  At load time, this module overrides the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8)  * built-in implementations of these algorithms with its implementations.  It
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)  * also runs self-tests on these algorithms and verifies the integrity of its
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10)  * code and data.  If either of these steps fails, the kernel will panic.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12)  * This module is intended to be loaded at early boot time in order to meet
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13)  * FIPS 140 and NIAP FPT_TST_EXT.1 requirements.  It shouldn't be used if you
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14)  * don't need to meet these requirements.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) #undef __DISABLE_EXPORTS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) #include <linux/ctype.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) #include <crypto/aead.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) #include <crypto/aes.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) #include <crypto/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) #include <crypto/sha.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) #include <crypto/skcipher.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) #include <crypto/rng.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) #include <trace/hooks/fips140.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) #include "fips140-module.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) #include "internal.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33)  * FIPS 140-2 prefers the use of HMAC with a public key over a plain hash.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34)  */
/*
 * Key for the integrity-check HMAC.  It is a fixed string compiled into the
 * module, so it is not a secret: the HMAC keyed with it can reveal that the
 * module's code or data differ from what the build tool hashed, but it does
 * not authenticate the module against someone who can recompute the digest.
 * The array is sized by the literal and therefore includes the trailing NUL;
 * check_fips140_module_hmac() passes strlen() of it as the key length.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) u8 __initdata fips140_integ_hmac_key[] = "The quick brown fox jumps over the lazy dog";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) /* this is populated by the build tool */
/*
 * Expected digest; check_fips140_module_hmac() compares the digest it
 * computes at load time against this array with memcmp().
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) u8 __initdata fips140_integ_hmac_digest[SHA256_DIGEST_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39) 
/*
 * Marker objects placed in dedicated sections.  The code visible in this file
 * uses only their addresses (e.g. end minus start gives a section size).
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40) const u32 __initcall_start_marker __section(".initcalls._start");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) const u32 __initcall_end_marker __section(".initcalls._end");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43) const u8 __fips140_text_start __section(".text.._start");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44) const u8 __fips140_text_end __section(".text.._end");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) const u8 __fips140_rodata_start __section(".rodata.._start");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47) const u8 __fips140_rodata_end __section(".rodata.._end");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50)  * We need this little detour to prevent Clang from detecting out of bounds
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51)  * accesses to __fips140_text_start and __fips140_rodata_start, which only exist
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52)  * to delineate the section, and so their sizes are not relevant to us.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53)  */
/*
 * The same indirection is used for __initcall_start_marker, although the
 * comment above names only the text and rodata markers.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) const u32 *__initcall_start = &__initcall_start_marker;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) 
/* Source pointers for the memcpy() calls in check_fips140_module_hmac(). */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56) const u8 *__text_start = &__fips140_text_start;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57) const u8 *__rodata_start = &__fips140_rodata_start;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60)  * The list of the crypto API algorithms (by cra_name) that will be unregistered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61)  * by this module, in preparation for the module registering its own
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62)  * implementation(s) of them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64)  * All algorithms that will be declared as FIPS-approved in the module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65)  * certification must be listed here, to ensure that the non-FIPS-approved
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66)  * implementations of these algorithms in the kernel image aren't used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68)  * For every algorithm in this list, the module should contain all the "same"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69)  * implementations that the kernel image does, including the C implementation as
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70)  * well as any architecture-specific implementations.  This is needed to avoid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71)  * performance regressions as well as the possibility of an algorithm being
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72)  * unavailable on some CPUs.  E.g., "xcbc(aes)" isn't in this list, as the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73)  * module doesn't have a C implementation of it (and it won't be FIPS-approved).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75)  * Due to a quirk in the FIPS requirements, "gcm(aes)" isn't actually able to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76)  * FIPS-approved.  However, we otherwise treat it the same as the algorithms
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77)  * that will be FIPS-approved, and therefore it's included in this list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79)  * When adding a new algorithm here, make sure to consider whether it needs a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80)  * self-test added to fips140_selftests[] as well.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81)  */
/*
 * One entry per crypto API algorithm name (cra_name) that the module replaces.
 * .approved is the value fips140_is_approved_service() reports for that name.
 */
static const struct {
	const char *name;	/* cra_name, compared with strcmp() */
	bool approved;		/* reported as FIPS-approved? */
} fips140_algs_to_replace[] = {
	/* bare block cipher */
	{ .name = "aes",		.approved = true },

	/* AES MAC and ECB */
	{ .name = "cmac(aes)",		.approved = true },
	{ .name = "ecb(aes)",		.approved = true },

	/* AES chaining modes; "gcm(aes)" is replaced but not approved */
	{ .name = "cbc(aes)",		.approved = true },
	{ .name = "cts(cbc(aes))",	.approved = true },
	{ .name = "ctr(aes)",		.approved = true },
	{ .name = "xts(aes)",		.approved = true },
	{ .name = "gcm(aes)",		.approved = false },

	/* HMAC and plain SHA-1 / SHA-2 digests */
	{ .name = "hmac(sha1)",		.approved = true },
	{ .name = "hmac(sha224)",	.approved = true },
	{ .name = "hmac(sha256)",	.approved = true },
	{ .name = "hmac(sha384)",	.approved = true },
	{ .name = "hmac(sha512)",	.approved = true },
	{ .name = "sha1",		.approved = true },
	{ .name = "sha224",		.approved = true },
	{ .name = "sha256",		.approved = true },
	{ .name = "sha384",		.approved = true },
	{ .name = "sha512",		.approved = true },

	/* random number generators; "jitterentropy_rng" is listed as not approved */
	{ .name = "stdrng",		.approved = true },
	{ .name = "jitterentropy_rng",	.approved = false },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) 
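/*
 * Tell whether a registered algorithm is one that this module replaces.
 *
 * @alg: algorithm to test; its cra_flags and cra_name are read.
 *
 * Return: false if @alg is flagged CRYPTO_ALG_ASYNC; otherwise true exactly
 * when @alg->cra_name equals the name of an entry in
 * fips140_algs_to_replace[].  The .approved field plays no part here.
 */
static bool __init fips140_should_unregister_alg(struct crypto_alg *alg)
{
	/*
	 * size_t rather than int: ARRAY_SIZE() is unsigned, and the other
	 * lookup over this table, fips140_is_approved_service(), uses size_t.
	 */
	size_t i;

	/*
	 * All software algorithms are synchronous, hardware algorithms must
	 * be covered by their own FIPS 140 certification.
	 */
	if (alg->cra_flags & CRYPTO_ALG_ASYNC)
		return false;

	for (i = 0; i < ARRAY_SIZE(fips140_algs_to_replace); i++) {
		if (!strcmp(alg->cra_name, fips140_algs_to_replace[i].name))
			return true;
	}
	return false;
}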
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131)  * FIPS 140-3 service indicators.  FIPS 140-3 requires that all services
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132)  * "provide an indicator when the service utilises an approved cryptographic
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133)  * algorithm, security function or process in an approved manner".  What this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134)  * means is very debatable, even with the help of the FIPS 140-3 Implementation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135)  * Guidance document.  However, it was decided that a function that takes in an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136)  * algorithm name and returns whether that algorithm is approved or not will
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)  * meet this requirement.  Note, this relies on some properties of the module:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139)  *   - The module doesn't distinguish between "services" and "algorithms"; its
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)  *     services are simply its algorithms.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142)  *   - The status of an approved algorithm is never non-approved, since (a) the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)  *     module doesn't support operating in a non-approved mode, such as a mode
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144)  *     where the self-tests are skipped; (b) there are no cases where the module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145)  *     supports non-approved settings for approved algorithms, e.g.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146)  *     non-approved key sizes; and (c) this function isn't available to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)  *     called until the module_init function has completed, so it's guaranteed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)  *     that the self-tests and integrity check have already passed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150)  *   - The module does support some non-approved algorithms, so a single static
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151)  *     indicator ("return true;") would not be acceptable.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152)  */
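/*
 * Service indicator: report whether @name is an approved algorithm.
 *
 * @name: algorithm name (cra_name form, e.g. "hmac(sha256)"); compared
 *        exactly, byte for byte, against fips140_algs_to_replace[].
 *
 * Return: the .approved flag of the matching table entry; false when @name is
 * NULL or is not in the table.
 *
 * The answer comes from the static table alone.  This function does not look
 * at which implementation of @name is currently registered.
 */
bool fips140_is_approved_service(const char *name)
{
	size_t i;

	/*
	 * This symbol is exported, so fail closed on a missing name: report
	 * "not approved" rather than hand NULL to strcmp().
	 */
	if (!name)
		return false;

	for (i = 0; i < ARRAY_SIZE(fips140_algs_to_replace); i++) {
		if (!strcmp(name, fips140_algs_to_replace[i].name))
			return fips140_algs_to_replace[i].approved;
	}
	return false;
}
EXPORT_SYMBOL_GPL(fips140_is_approved_service);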
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)  * FIPS 140-3 requires that modules provide a "service" that outputs "the name
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)  * or module identifier and the versioning information that can be correlated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168)  * with a validation record".  This function meets that requirement.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170)  * Note: the module also prints this same information to the kernel log when it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)  * is loaded.  That might meet the requirement by itself.  However, given the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)  * vagueness of what counts as a "service", we provide this function too, just
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173)  * in case the certification lab or CMVP is happier with an explicit function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)  * Note: /sys/modules/fips140/scmversion also provides versioning information
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)  * about the module.  However that file just shows the bare git commit ID, so it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177)  * probably isn't sufficient to meet the FIPS requirement, which seems to want
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178)  * the "official" module name and version number used in the FIPS certificate.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)  */
/*
 * Return the module name and version as one NUL-terminated string,
 * "<FIPS140_MODULE_NAME> <FIPS140_MODULE_VERSION>".  The string has static
 * storage; callers must not modify or free it.
 */
const char *fips140_module_version(void)
{
	/* The two macros and the separating space are joined at compile time. */
	static const char name_and_version[] =
		FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION;

	return name_and_version;
}
EXPORT_SYMBOL_GPL(fips140_module_version);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) 
/*
 * Private list of algorithms that could not be fully unregistered because
 * their reference count was not 1 at load time.
 * unregister_existing_fips140_algos() moves such entries here, off
 * crypto_alg_list.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) static LIST_HEAD(existing_live_algos);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189)  * Release a list of algorithms which have been removed from crypto_alg_list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191)  * Note that even though the list is a private list, we have to hold
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192)  * crypto_alg_sem while iterating through it because crypto_unregister_alg() may
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)  * run concurrently (as we haven't taken a reference to the algorithms on the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194)  * list), and crypto_unregister_alg() will remove the algorithm from whichever
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195)  * list it happens to be on, while holding crypto_alg_sem.  That's okay, since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196)  * in that case crypto_unregister_alg() will handle the crypto_alg_put().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) static void fips140_remove_final(struct list_head *list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) {
	/*
	 * @list: private list head.  Every entry is unlinked with
	 * list_del_init() and then has one reference dropped with
	 * crypto_alg_put().
	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) 	struct crypto_alg *alg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) 	struct crypto_alg *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) 	/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) 	 * We need to take crypto_alg_sem to safely traverse the list (see
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) 	 * comment above), but we have to drop it when doing each
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) 	 * crypto_alg_put() as that may take crypto_alg_sem again.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) 	 */
	/*
	 * NOTE(review): the iterator's lookahead pointer 'n' is read while
	 * crypto_alg_sem is held, but the lock is released before the next
	 * iteration uses it.  The comment above this function says
	 * crypto_unregister_alg() may unlink entries from this list
	 * concurrently; whether that can leave 'n' stale in the unlocked
	 * window is not visible from this file - confirm.
	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) 	down_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) 	list_for_each_entry_safe(alg, n, list, cra_list) {
		/* Unlink under the lock, then drop the lock for the put. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) 		list_del_init(&alg->cra_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) 		up_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) 		crypto_alg_put(alg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) 
		/* Re-take the lock before the iterator advances. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) 		down_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) 	up_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) 
/*
 * Take every algorithm accepted by fips140_should_unregister_alg() off
 * crypto_alg_list.  Entries whose reference count is 1 are marked
 * CRYPTO_ALG_DEAD and released; the others are demoted, renamed with a
 * "+orig" suffix and parked on existing_live_algos.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) static void __init unregister_existing_fips140_algos(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) 	struct crypto_alg *alg, *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) 	LIST_HEAD(remove_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) 	LIST_HEAD(spawns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) 
	/* The whole scan of crypto_alg_list runs under the write lock. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) 	down_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) 	/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) 	 * Find all registered algorithms that we care about, and move them to a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) 	 * private list so that they are no longer exposed via the algo lookup
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) 	 * API. Subsequently, we will unregister them if they are not in active
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) 	 * use. If they are, we can't fully unregister them but we can ensure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) 	 * that new users won't use them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) 	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) 	list_for_each_entry_safe(alg, tmp, &crypto_alg_list, cra_list) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) 		if (!fips140_should_unregister_alg(alg))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) 			continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) 		if (refcount_read(&alg->cra_refcnt) == 1) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) 			/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) 			 * This algorithm is not currently in use, but there may
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) 			 * be template instances holding references to it via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) 			 * spawns. So let's tear it down like
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) 			 * crypto_unregister_alg() would, but without releasing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) 			 * the lock, to prevent races with concurrent TFM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) 			 * allocations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) 			 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) 			alg->cra_flags |= CRYPTO_ALG_DEAD;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) 			list_move(&alg->cra_list, &remove_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) 			crypto_remove_spawns(alg, &spawns, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) 		} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) 			/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) 			 * This algorithm is live, i.e. it has TFMs allocated,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) 			 * so we can't fully unregister it.  It's not necessary
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) 			 * to dynamically redirect existing users to the FIPS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) 			 * code, given that they can't be relying on FIPS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) 			 * certified crypto in the first place.  However, we do
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) 			 * need to ensure that new users will get the FIPS code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) 			 *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) 			 * In most cases, setting alg->cra_priority to 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) 			 * achieves this.  However, that isn't enough for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) 			 * algorithms like "hmac(sha256)" that need to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) 			 * instantiated from a template, since existing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) 			 * algorithms always take priority over a template being
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) 			 * instantiated.  Therefore, we move the algorithm to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) 			 * a private list so that algorithm lookups won't find
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) 			 * it anymore.  To further distinguish it from the FIPS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) 			 * algorithms, we also append "+orig" to its name.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) 			 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) 			pr_info("found already-live algorithm '%s' ('%s')\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) 				alg->cra_name, alg->cra_driver_name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) 			alg->cra_priority = 0;
			/*
			 * strlcat() is bounded by CRYPTO_MAX_ALG_NAME and its
			 * return value is not checked, so a name close to that
			 * limit would receive a shortened suffix without any
			 * report.  cra_name has just matched a short entry of
			 * fips140_algs_to_replace[]; cra_driver_name is not
			 * constrained in this file.
			 * NOTE(review): confirm that a truncated driver name
			 * cannot go unnoticed or collide with another one.
			 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) 			strlcat(alg->cra_name, "+orig", CRYPTO_MAX_ALG_NAME);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) 			strlcat(alg->cra_driver_name, "+orig",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) 				CRYPTO_MAX_ALG_NAME);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) 			list_move(&alg->cra_list, &existing_live_algos);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) 	up_write(&crypto_alg_sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) 
	/*
	 * Both private lists are released only after crypto_alg_sem has been
	 * dropped; fips140_remove_final() takes the lock itself.
	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) 	fips140_remove_final(&remove_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) 	fips140_remove_final(&spawns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) 
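/*
 * Undo relocations on a copy of the module's .text by clearing, in each
 * relocated 32-bit instruction word, the bit range listed below for its
 * relocation type (the immediate field of that instruction encoding).
 *
 * @section:      writable copy of the section
 * @section_size: size of that copy in bytes
 * @rela:         array of relocation entries
 * @numrels:      number of entries in @rela
 *
 * An entry whose 32-bit word does not lie entirely inside the section, or
 * whose type is not handled below, is fatal (BUG).
 */
static void __init unapply_text_relocations(void *section, int section_size,
					    const Elf64_Rela *rela, int numrels)
{
	while (numrels--) {
		u32 *place;

		/*
		 * Every case below rewrites a full 32-bit word, so the whole
		 * word must lie inside the section copy, not only its first
		 * byte.  Check before forming the pointer.
		 */
		BUG_ON(section_size < (int)sizeof(*place) ||
		       rela->r_offset > section_size - sizeof(*place));

		place = (u32 *)(section + rela->r_offset);

		switch (ELF64_R_TYPE(rela->r_info)) {
#ifdef CONFIG_ARM64
		case R_AARCH64_JUMP26:
		case R_AARCH64_CALL26:
			/* bits 25:0 */
			*place &= ~GENMASK(25, 0);
			break;

		case R_AARCH64_ADR_PREL_LO21:
		case R_AARCH64_ADR_PREL_PG_HI21:
		case R_AARCH64_ADR_PREL_PG_HI21_NC:
			/* bits 30:29 and 23:5 */
			*place &= ~(GENMASK(30, 29) | GENMASK(23, 5));
			break;

		case R_AARCH64_ADD_ABS_LO12_NC:
		case R_AARCH64_LDST8_ABS_LO12_NC:
		case R_AARCH64_LDST16_ABS_LO12_NC:
		case R_AARCH64_LDST32_ABS_LO12_NC:
		case R_AARCH64_LDST64_ABS_LO12_NC:
		case R_AARCH64_LDST128_ABS_LO12_NC:
			/* bits 21:10 */
			*place &= ~GENMASK(21, 10);
			break;
		default:
			pr_err("unhandled relocation type %llu\n",
			       ELF64_R_TYPE(rela->r_info));
			BUG();
#else
#error
#endif
		}
		rela++;
	}
}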
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) 
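/*
 * Undo relocations on a copy of the module's .rodata by zeroing the 64-bit
 * value at each relocated offset.
 *
 * @section:      writable copy of the section
 * @section_size: size of that copy in bytes
 * @rela:         array of relocation entries
 * @numrels:      number of entries in @rela
 *
 * An entry whose 64-bit slot does not lie entirely inside the section, or
 * whose type is not R_AARCH64_ABS64, is fatal (BUG).
 */
static void __init unapply_rodata_relocations(void *section, int section_size,
					      const Elf64_Rela *rela, int numrels)
{
	while (numrels--) {
		void *place;

		/*
		 * The store below is eight bytes wide, so checking only that
		 * the first byte is in range would let it run up to seven
		 * bytes past the end.  In check_fips140_module_hmac() the
		 * rodata copy is the tail of the kmalloc()ed buffer, so such
		 * a store would leave the allocation.
		 */
		BUG_ON(section_size < (int)sizeof(u64) ||
		       rela->r_offset > section_size - sizeof(u64));

		place = section + rela->r_offset;

		switch (ELF64_R_TYPE(rela->r_info)) {
#ifdef CONFIG_ARM64
		case R_AARCH64_ABS64:
			*(u64 *)place = 0;
			break;
		default:
			pr_err("unhandled relocation type %llu\n",
			       ELF64_R_TYPE(rela->r_info));
			BUG();
#else
#error
#endif
		}
		rela++;
	}
}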
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) 
/*
 * Descriptors for the relocation tables of the module's .text and .rodata,
 * defined outside this file.  check_fips140_module_hmac() turns 'offset' into
 * a pointer with offset_to_ptr() and passes 'count' as the number of entries.
 * NOTE(review): both fields are used without any range check in this file;
 * presumably the build tooling fills them in - confirm.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) extern struct {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) 	u32	offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) 	u32	count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) } fips140_rela_text, fips140_rela_rodata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) static bool __init check_fips140_module_hmac(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) 	struct crypto_shash *tfm = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) 	SHASH_DESC_ON_STACK(desc, dontcare);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) 	u8 digest[SHA256_DIGEST_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) 	void *textcopy, *rodatacopy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) 	int textsize, rodatasize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) 	bool ok = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) 	int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) 	textsize	= &__fips140_text_end - &__fips140_text_start;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) 	rodatasize	= &__fips140_rodata_end - &__fips140_rodata_start;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) 	pr_info("text size  : 0x%x\n", textsize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) 	pr_info("rodata size: 0x%x\n", rodatasize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) 	textcopy = kmalloc(textsize + rodatasize, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) 	if (!textcopy) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) 		pr_err("Failed to allocate memory for copy of .text\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) 	rodatacopy = textcopy + textsize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) 	memcpy(textcopy, __text_start, textsize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) 	memcpy(rodatacopy, __rodata_start, rodatasize);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) 	// apply the relocations in reverse on the copies of .text  and .rodata
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) 	unapply_text_relocations(textcopy, textsize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) 				 offset_to_ptr(&fips140_rela_text.offset),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) 				 fips140_rela_text.count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) 	unapply_rodata_relocations(rodatacopy, rodatasize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) 				  offset_to_ptr(&fips140_rela_rodata.offset),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) 				  fips140_rela_rodata.count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) 	fips140_inject_integrity_failure(textcopy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) 	tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) 	if (IS_ERR(tfm)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) 		pr_err("failed to allocate hmac tfm (%ld)\n", PTR_ERR(tfm));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) 		tfm = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) 	desc->tfm = tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) 	pr_info("using '%s' for integrity check\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) 		crypto_shash_driver_name(tfm));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) 	err = crypto_shash_setkey(tfm, fips140_integ_hmac_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) 				  strlen(fips140_integ_hmac_key)) ?:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) 	      crypto_shash_init(desc) ?:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) 	      crypto_shash_update(desc, textcopy, textsize) ?:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) 	      crypto_shash_finup(desc, rodatacopy, rodatasize, digest);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) 	/* Zeroizing this is important; see the comment below. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) 	shash_desc_zero(desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) 	if (err) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) 		pr_err("failed to calculate hmac shash (%d)\n", err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) 	if (memcmp(digest, fips140_integ_hmac_digest, sizeof(digest))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) 		pr_err("provided_digest  : %*phN\n", (int)sizeof(digest),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) 		       fips140_integ_hmac_digest);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) 		pr_err("calculated digest: %*phN\n", (int)sizeof(digest),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) 		       digest);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) 	ok = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) 	/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) 	 * FIPS 140-3 requires that all "temporary value(s) generated during the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) 	 * integrity test" be zeroized (ref: FIPS 140-3 IG 9.7.B).  There is no
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) 	 * technical reason to do this given that these values are public
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) 	 * information, but this is the requirement so we follow it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) 	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) 	crypto_free_shash(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) 	memzero_explicit(digest, sizeof(digest));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) 	kfree_sensitive(textcopy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) 	return ok;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) 
/*
 * Handler registered for the android_vh_sha256 vendor hook (see
 * update_fips140_library_routines()).
 *
 * Hashes @len bytes at @data with sha256() and writes the digest to @out.
 * The first argument is the hook's private data pointer; it is registered as
 * NULL and is not used.
 *
 * NOTE(review): setting *@hook_inuse to 1 presumably tells the hook's call
 * site that the digest was produced here, so that it does not fall back to
 * another implementation -- confirm at the call site.
 */
static void fips140_sha256(void *p, const u8 *data, unsigned int len,
			   u8 *out, int *hook_inuse)
{
	sha256(data, len, out);

	/* Report back only once the digest has been written. */
	*hook_inuse = 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) 
/*
 * Handler registered for the android_vh_aes_expandkey vendor hook (see
 * update_fips140_library_routines()).
 *
 * Expands the @key_len-byte key at @in_key into @ctx with aes_expandkey() and
 * stores that call's return value in *@err, so a rejected key is visible to
 * whoever invoked the hook.  The first argument is the hook's private data
 * pointer; it is registered as NULL and is not used.
 */
static void fips140_aes_expandkey(void *p, struct crypto_aes_ctx *ctx,
				  const u8 *in_key, unsigned int key_len,
				  int *err)
{
	int rc = aes_expandkey(ctx, in_key, key_len);

	*err = rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) 
/*
 * Handler registered for the android_vh_aes_encrypt vendor hook (see
 * update_fips140_library_routines()).
 *
 * Passes @in through aes_encrypt() under the expanded key in @ctx and writes
 * the result to @out.  The first argument is the hook's private data pointer;
 * it is registered as NULL and is not used.
 *
 * NOTE(review): setting *@hook_inuse to 1 presumably tells the hook's call
 * site that the operation was performed here -- confirm at the call site.
 */
static void fips140_aes_encrypt(void *priv,
				const struct crypto_aes_ctx *ctx,
				u8 *out, const u8 *in, int *hook_inuse)
{
	aes_encrypt(ctx, out, in);

	/* Report back only once the output has been written. */
	*hook_inuse = 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) 
/*
 * Handler registered for the android_vh_aes_decrypt vendor hook (see
 * update_fips140_library_routines()).
 *
 * Passes @in through aes_decrypt() under the expanded key in @ctx and writes
 * the result to @out.  The first argument is the hook's private data pointer;
 * it is registered as NULL and is not used.
 *
 * NOTE(review): setting *@hook_inuse to 1 presumably tells the hook's call
 * site that the operation was performed here -- confirm at the call site.
 */
static void fips140_aes_decrypt(void *priv,
				const struct crypto_aes_ctx *ctx,
				u8 *out, const u8 *in, int *hook_inuse)
{
	aes_decrypt(ctx, out, in);

	/* Report back only once the output has been written. */
	*hook_inuse = 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) 
/*
 * Attach this module's SHA-256 and AES routines to the corresponding
 * android_vh_* vendor hooks.
 *
 * The hooks are registered in a fixed order (sha256, aes_expandkey,
 * aes_encrypt, aes_decrypt) and registration stops at the first failure.
 * Hooks registered before a failure are not unregistered here; the only
 * caller in this file, fips140_init(), panics when false is returned.
 *
 * Return: true if all four hooks were registered, false otherwise.
 */
static bool update_fips140_library_routines(void)
{
	if (register_trace_android_vh_sha256(fips140_sha256, NULL))
		return false;

	if (register_trace_android_vh_aes_expandkey(fips140_aes_expandkey,
						    NULL))
		return false;

	if (register_trace_android_vh_aes_encrypt(fips140_aes_encrypt, NULL))
		return false;

	if (register_trace_android_vh_aes_decrypt(fips140_aes_decrypt, NULL))
		return false;

	return true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) 
/*
 * Initialize the FIPS 140 module.
 *
 * Note: this routine iterates over the contents of the initcall section, which
 * consists of an array of function pointers that was emitted by the linker
 * rather than the compiler. This means that these function pointers lack the
 * usual CFI stubs that the compiler emits when CFI codegen is enabled. So
 * let's disable CFI locally when handling the initcall array, to avoid
 * surprises.
 *
 * The steps run in a fixed order: unregister the existing algorithms, run the
 * module's initcalls, run the self-tests, verify the module's HMAC, signal
 * fips140_tests_done, register the library-routine hooks, and finally set up
 * evaluation testing.  The function fails closed: every failing step jumps to
 * the panic label, so there is no error return.
 *
 * Return: 0 on success.
 */
static int __init __attribute__((__no_sanitize__("cfi")))
fips140_init(void)
{
	const u32 *initcall;

	pr_info("loading " FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION "\n");
	/*
	 * NOTE(review): presumably recorded so that other code can recognise
	 * the thread running this init path -- confirm at the users of
	 * fips140_init_thread.
	 */
	fips140_init_thread = current;

	unregister_existing_fips140_algos();

	/*
	 * iterate over all init routines present in this module and call them
	 *
	 * Each entry is a 32-bit value that offset_to_ptr() turns into a
	 * function pointer.  The walk starts at the second entry.
	 * NOTE(review): the skipped first entry is presumably this function's
	 * own initcall -- confirm against the linker script.
	 */
	for (initcall = __initcall_start + 1;
	     initcall < &__initcall_end_marker;
	     initcall++) {
		int (*init)(void) = offset_to_ptr(initcall);
		int err = init();

		/*
		 * ENODEV is expected from initcalls that only register
		 * algorithms that depend on non-present CPU features.  Besides
		 * that, errors aren't expected here.
		 */
		if (err && err != -ENODEV) {
			pr_err("initcall %ps() failed: %d\n", init, err);
			goto panic;
		}
	}

	if (!fips140_run_selftests())
		goto panic;

	/*
	 * It may seem backward to perform the integrity check last, but this
	 * is intentional: the check itself uses hmac(sha256) which is one of
	 * the algorithms that are replaced with versions from this module, and
	 * the integrity check must use the replacement version.  Also, to be
	 * ready for FIPS 140-3, the integrity check algorithm must have already
	 * been self-tested.
	 */

	if (!check_fips140_module_hmac()) {
		pr_crit("integrity check failed -- giving up!\n");
		goto panic;
	}
	pr_info("integrity check passed\n");

	/*
	 * Signalled only after both the self-tests and the integrity check
	 * have passed.
	 * NOTE(review): presumably releases users that wait for the module's
	 * algorithms to become usable -- confirm at the waiters.
	 */
	complete_all(&fips140_tests_done);

	/* The library-routine hooks are attached only after the checks above. */
	if (!update_fips140_library_routines())
		goto panic;

	if (!fips140_eval_testing_init())
		goto panic;

	pr_info("module successfully loaded\n");
	return 0;

panic:
	/* Reached from every failure path above. */
	panic("FIPS 140 module load failure");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) 
/* Make fips140_init() the module's init routine. */
module_init(fips140_init);

/* Import the CRYPTO_INTERNAL symbol namespace for this module. */
MODULE_IMPORT_NS(CRYPTO_INTERNAL);
MODULE_LICENSE("GPL v2");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557)  * Crypto-related helper functions, reproduced here so that they will be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558)  * covered by the FIPS 140 integrity check.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560)  * Non-cryptographic helper functions such as memcpy() can be excluded from the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561)  * FIPS module, but there is ambiguity about other helper functions like
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562)  * __crypto_xor() and crypto_inc() which aren't cryptographic by themselves,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563)  * but are more closely associated with cryptography than e.g. memcpy(). To
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564)  * err on the side of caution, we include copies of these in the FIPS module.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565)  */
/*
 * XOR @len bytes of @src1 with @src2 and store the result in @dst.
 *
 * The bulk of the buffer is processed in 8-byte words, then in 4-byte and
 * 2-byte words, and any remaining byte individually.
 *
 * The word-sized passes cast the byte pointers directly, without an alignment
 * check or an unaligned-access helper.
 * NOTE(review): this is only safe where the target tolerates unaligned loads
 * and stores, or where callers always pass suitably aligned buffers --
 * confirm for every architecture this module is built for.
 */
void __crypto_xor(u8 *dst, const u8 *src1, const u8 *src2, unsigned int len)
{
	for (; len >= 8; len -= 8) {
		*(u64 *)dst = *(u64 *)src1 ^ *(u64 *)src2;
		dst += 8;
		src1 += 8;
		src2 += 8;
	}

	for (; len >= 4; len -= 4) {
		*(u32 *)dst = *(u32 *)src1 ^ *(u32 *)src2;
		dst += 4;
		src1 += 4;
		src2 += 4;
	}

	for (; len >= 2; len -= 2) {
		*(u16 *)dst = *(u16 *)src1 ^ *(u16 *)src2;
		dst += 2;
		src1 += 2;
		src2 += 2;
	}

	/* At most one byte is left at this point. */
	for (; len; len--)
		*dst++ = *src1++ ^ *src2++;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) 
/*
 * Add one to the @size-byte buffer @a, treating it as a big-endian integer:
 * the last byte is the least significant, and a carry moves towards a[0].
 *
 * If every byte was 0xff the buffer wraps around to all zeroes.  A @size of
 * zero leaves the buffer untouched.
 */
void crypto_inc(u8 *a, unsigned int size)
{
	u8 *pos = a + size;

	while (pos != a) {
		pos--;
		(*pos)++;

		/* No wrap to zero means no carry into the next byte. */
		if (*pos != 0)
			break;
	}
}