1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright 2021 Google LLC
4 * Author: Ard Biesheuvel <ardb@google.com>
5 *
6 * This file is the core of fips140.ko, which contains various crypto algorithms
7 * that are also built into vmlinux. At load time, this module overrides the
8 * built-in implementations of these algorithms with its implementations. It
9 * also runs self-tests on these algorithms and verifies the integrity of its
10 * code and data. If either of these steps fails, the kernel will panic.
11 *
12 * This module is intended to be loaded at early boot time in order to meet
13 * FIPS 140 and NIAP FPT_TST_EXT.1 requirements. It shouldn't be used if you
14 * don't need to meet these requirements.
15 */
16
17 /*
18 * Since this .c file is the real entry point of fips140.ko, it needs to be
19 * compiled normally, so undo the hacks that were done in fips140-defs.h.
20 */
21 #define MODULE
22 #undef KBUILD_MODFILE
23 #undef __DISABLE_EXPORTS
24
25 #include <linux/ctype.h>
26 #include <linux/debugfs.h>
27 #include <linux/module.h>
28 #include <crypto/aead.h>
29 #include <crypto/aes.h>
30 #include <crypto/hash.h>
31 #include <crypto/sha2.h>
32 #include <crypto/skcipher.h>
33 #include <crypto/rng.h>
34 #include <trace/hooks/fips140.h>
35
36 #include "fips140-module.h"
37 #include "internal.h"
38
39 /*
40 * FIPS 140-2 prefers the use of HMAC with a public key over a plain hash.
41 */
42 u8 __initdata fips140_integ_hmac_key[] = "The quick brown fox jumps over the lazy dog";
43
44 /* this is populated by the build tool */
45 u8 __initdata fips140_integ_hmac_digest[SHA256_DIGEST_SIZE];
46
47 const u32 __initcall_start_marker __section(".initcalls._start");
48 const u32 __initcall_end_marker __section(".initcalls._end");
49
50 const u8 __fips140_text_start __section(".text.._start");
51 const u8 __fips140_text_end __section(".text.._end");
52
53 const u8 __fips140_rodata_start __section(".rodata.._start");
54 const u8 __fips140_rodata_end __section(".rodata.._end");
55
56 /*
57 * We need this little detour to prevent Clang from detecting out of bounds
58 * accesses to __fips140_text_start and __fips140_rodata_start, which only exist
59 * to delineate the section, and so their sizes are not relevant to us.
60 */
61 const u32 *__initcall_start = &__initcall_start_marker;
62
63 const u8 *__text_start = &__fips140_text_start;
64 const u8 *__rodata_start = &__fips140_rodata_start;
65
66 /*
67 * The list of the crypto API algorithms (by cra_name) that will be unregistered
68 * by this module, in preparation for the module registering its own
69 * implementation(s) of them.
70 *
71 * All algorithms that will be declared as FIPS-approved in the module
72 * certification must be listed here, to ensure that the non-FIPS-approved
73 * implementations of these algorithms in the kernel image aren't used.
74 *
75 * For every algorithm in this list, the module should contain all the "same"
76 * implementations that the kernel image does, including the C implementation as
77 * well as any architecture-specific implementations. This is needed to avoid
78 * performance regressions as well as the possibility of an algorithm being
79 * unavailable on some CPUs. E.g., "xcbc(aes)" isn't in this list, as the
80 * module doesn't have a C implementation of it (and it won't be FIPS-approved).
81 *
82 * Due to a quirk in the FIPS requirements, "gcm(aes)" isn't actually able to be
83 * FIPS-approved. However, we otherwise treat it the same as the algorithms
84 * that will be FIPS-approved, and therefore it's included in this list.
85 *
86 * When adding a new algorithm here, make sure to consider whether it needs a
87 * self-test added to fips140_selftests[] as well.
88 */
89 static const struct {
90 const char *name;
91 bool approved;
92 } fips140_algs_to_replace[] = {
93 {"aes", true},
94
95 {"cmac(aes)", true},
96 {"ecb(aes)", true},
97
98 {"cbc(aes)", true},
99 {"cts(cbc(aes))", true},
100 {"ctr(aes)", true},
101 {"xts(aes)", true},
102 {"gcm(aes)", false},
103
104 {"hmac(sha1)", true},
105 {"hmac(sha224)", true},
106 {"hmac(sha256)", true},
107 {"hmac(sha384)", true},
108 {"hmac(sha512)", true},
109 {"sha1", true},
110 {"sha224", true},
111 {"sha256", true},
112 {"sha384", true},
113 {"sha512", true},
114
115 {"stdrng", true},
116 {"jitterentropy_rng", false},
117 };
118
fips140_should_unregister_alg(struct crypto_alg * alg)119 static bool __init fips140_should_unregister_alg(struct crypto_alg *alg)
120 {
121 int i;
122
123 /*
124 * All software algorithms are synchronous, hardware algorithms must
125 * be covered by their own FIPS 140 certification.
126 */
127 if (alg->cra_flags & CRYPTO_ALG_ASYNC)
128 return false;
129
130 for (i = 0; i < ARRAY_SIZE(fips140_algs_to_replace); i++) {
131 if (!strcmp(alg->cra_name, fips140_algs_to_replace[i].name))
132 return true;
133 }
134 return false;
135 }
136
137 /*
138 * FIPS 140-3 service indicators. FIPS 140-3 requires that all services
139 * "provide an indicator when the service utilises an approved cryptographic
140 * algorithm, security function or process in an approved manner". What this
141 * means is very debatable, even with the help of the FIPS 140-3 Implementation
142 * Guidance document. However, it was decided that a function that takes in an
143 * algorithm name and returns whether that algorithm is approved or not will
144 * meet this requirement. Note, this relies on some properties of the module:
145 *
146 * - The module doesn't distinguish between "services" and "algorithms"; its
147 * services are simply its algorithms.
148 *
149 * - The status of an approved algorithm is never non-approved, since (a) the
150 * module doesn't support operating in a non-approved mode, such as a mode
151 * where the self-tests are skipped; (b) there are no cases where the module
152 * supports non-approved settings for approved algorithms, e.g.
153 * non-approved key sizes; and (c) this function isn't available to be
154 * called until the module_init function has completed, so it's guaranteed
155 * that the self-tests and integrity check have already passed.
156 *
157 * - The module does support some non-approved algorithms, so a single static
158 * indicator ("return true;") would not be acceptable.
159 */
fips140_is_approved_service(const char * name)160 bool fips140_is_approved_service(const char *name)
161 {
162 size_t i;
163
164 for (i = 0; i < ARRAY_SIZE(fips140_algs_to_replace); i++) {
165 if (!strcmp(name, fips140_algs_to_replace[i].name))
166 return fips140_algs_to_replace[i].approved;
167 }
168 return false;
169 }
170 EXPORT_SYMBOL_GPL(fips140_is_approved_service);
171
172 /*
173 * FIPS 140-3 requires that modules provide a "service" that outputs "the name
174 * or module identifier and the versioning information that can be correlated
175 * with a validation record". This function meets that requirement.
176 *
177 * Note: the module also prints this same information to the kernel log when it
178 * is loaded. That might meet the requirement by itself. However, given the
179 * vagueness of what counts as a "service", we provide this function too, just
180 * in case the certification lab or CMVP is happier with an explicit function.
181 *
182 * Note: /sys/modules/fips140/scmversion also provides versioning information
183 * about the module. However that file just shows the bare git commit ID, so it
184 * probably isn't sufficient to meet the FIPS requirement, which seems to want
185 * the "official" module name and version number used in the FIPS certificate.
186 */
fips140_module_version(void)187 const char *fips140_module_version(void)
188 {
189 return FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION;
190 }
191 EXPORT_SYMBOL_GPL(fips140_module_version);
192
193 static LIST_HEAD(existing_live_algos);
194
195 /*
196 * Release a list of algorithms which have been removed from crypto_alg_list.
197 *
198 * Note that even though the list is a private list, we have to hold
199 * crypto_alg_sem while iterating through it because crypto_unregister_alg() may
200 * run concurrently (as we haven't taken a reference to the algorithms on the
201 * list), and crypto_unregister_alg() will remove the algorithm from whichever
202 * list it happens to be on, while holding crypto_alg_sem. That's okay, since
203 * in that case crypto_unregister_alg() will handle the crypto_alg_put().
204 */
fips140_remove_final(struct list_head * list)205 static void fips140_remove_final(struct list_head *list)
206 {
207 struct crypto_alg *alg;
208 struct crypto_alg *n;
209
210 /*
211 * We need to take crypto_alg_sem to safely traverse the list (see
212 * comment above), but we have to drop it when doing each
213 * crypto_alg_put() as that may take crypto_alg_sem again.
214 */
215 down_write(&crypto_alg_sem);
216 list_for_each_entry_safe(alg, n, list, cra_list) {
217 list_del_init(&alg->cra_list);
218 up_write(&crypto_alg_sem);
219
220 crypto_alg_put(alg);
221
222 down_write(&crypto_alg_sem);
223 }
224 up_write(&crypto_alg_sem);
225 }
226
unregister_existing_fips140_algos(void)227 static void __init unregister_existing_fips140_algos(void)
228 {
229 struct crypto_alg *alg, *tmp;
230 LIST_HEAD(remove_list);
231 LIST_HEAD(spawns);
232
233 down_write(&crypto_alg_sem);
234
235 /*
236 * Find all registered algorithms that we care about, and move them to a
237 * private list so that they are no longer exposed via the algo lookup
238 * API. Subsequently, we will unregister them if they are not in active
239 * use. If they are, we can't fully unregister them but we can ensure
240 * that new users won't use them.
241 */
242 list_for_each_entry_safe(alg, tmp, &crypto_alg_list, cra_list) {
243 if (!fips140_should_unregister_alg(alg))
244 continue;
245 if (refcount_read(&alg->cra_refcnt) == 1) {
246 /*
247 * This algorithm is not currently in use, but there may
248 * be template instances holding references to it via
249 * spawns. So let's tear it down like
250 * crypto_unregister_alg() would, but without releasing
251 * the lock, to prevent races with concurrent TFM
252 * allocations.
253 */
254 alg->cra_flags |= CRYPTO_ALG_DEAD;
255 list_move(&alg->cra_list, &remove_list);
256 crypto_remove_spawns(alg, &spawns, NULL);
257 } else {
258 /*
259 * This algorithm is live, i.e. it has TFMs allocated,
260 * so we can't fully unregister it. It's not necessary
261 * to dynamically redirect existing users to the FIPS
262 * code, given that they can't be relying on FIPS
263 * certified crypto in the first place. However, we do
264 * need to ensure that new users will get the FIPS code.
265 *
266 * In most cases, setting alg->cra_priority to 0
267 * achieves this. However, that isn't enough for
268 * algorithms like "hmac(sha256)" that need to be
269 * instantiated from a template, since existing
270 * algorithms always take priority over a template being
271 * instantiated. Therefore, we move the algorithm to
272 * a private list so that algorithm lookups won't find
273 * it anymore. To further distinguish it from the FIPS
274 * algorithms, we also append "+orig" to its name.
275 */
276 pr_info("found already-live algorithm '%s' ('%s')\n",
277 alg->cra_name, alg->cra_driver_name);
278 alg->cra_priority = 0;
279 strlcat(alg->cra_name, "+orig", CRYPTO_MAX_ALG_NAME);
280 strlcat(alg->cra_driver_name, "+orig",
281 CRYPTO_MAX_ALG_NAME);
282 list_move(&alg->cra_list, &existing_live_algos);
283 }
284 }
285 up_write(&crypto_alg_sem);
286
287 fips140_remove_final(&remove_list);
288 fips140_remove_final(&spawns);
289 }
290
unapply_text_relocations(void * section,int section_size,const Elf64_Rela * rela,int numrels)291 static void __init unapply_text_relocations(void *section, int section_size,
292 const Elf64_Rela *rela, int numrels)
293 {
294 while (numrels--) {
295 u32 *place = (u32 *)(section + rela->r_offset);
296
297 BUG_ON(rela->r_offset >= section_size);
298
299 switch (ELF64_R_TYPE(rela->r_info)) {
300 #ifdef CONFIG_ARM64
301 case R_AARCH64_ABS32: /* for KCFI */
302 *place = 0;
303 break;
304
305 case R_AARCH64_JUMP26:
306 case R_AARCH64_CALL26:
307 *place &= ~GENMASK(25, 0);
308 break;
309
310 case R_AARCH64_ADR_PREL_LO21:
311 case R_AARCH64_ADR_PREL_PG_HI21:
312 case R_AARCH64_ADR_PREL_PG_HI21_NC:
313 *place &= ~(GENMASK(30, 29) | GENMASK(23, 5));
314 break;
315
316 case R_AARCH64_ADD_ABS_LO12_NC:
317 case R_AARCH64_LDST8_ABS_LO12_NC:
318 case R_AARCH64_LDST16_ABS_LO12_NC:
319 case R_AARCH64_LDST32_ABS_LO12_NC:
320 case R_AARCH64_LDST64_ABS_LO12_NC:
321 case R_AARCH64_LDST128_ABS_LO12_NC:
322 *place &= ~GENMASK(21, 10);
323 break;
324 default:
325 pr_err("unhandled relocation type %llu\n",
326 ELF64_R_TYPE(rela->r_info));
327 BUG();
328 #else
329 #error
330 #endif
331 }
332 rela++;
333 }
334 }
335
unapply_rodata_relocations(void * section,int section_size,const Elf64_Rela * rela,int numrels)336 static void __init unapply_rodata_relocations(void *section, int section_size,
337 const Elf64_Rela *rela, int numrels)
338 {
339 while (numrels--) {
340 void *place = section + rela->r_offset;
341
342 BUG_ON(rela->r_offset >= section_size);
343
344 switch (ELF64_R_TYPE(rela->r_info)) {
345 #ifdef CONFIG_ARM64
346 case R_AARCH64_ABS64:
347 *(u64 *)place = 0;
348 break;
349 default:
350 pr_err("unhandled relocation type %llu\n",
351 ELF64_R_TYPE(rela->r_info));
352 BUG();
353 #else
354 #error
355 #endif
356 }
357 rela++;
358 }
359 }
360
361 enum {
362 PACIASP = 0xd503233f,
363 AUTIASP = 0xd50323bf,
364 SCS_PUSH = 0xf800865e,
365 SCS_POP = 0xf85f8e5e,
366 };
367
368 /*
369 * To make the integrity check work with dynamic Shadow Call Stack (SCS),
370 * replace all instructions that push or pop from the SCS with the Pointer
371 * Authentication Code (PAC) instructions that were present originally.
372 */
unapply_scs_patch(void * section,int section_size)373 static void __init unapply_scs_patch(void *section, int section_size)
374 {
375 #if defined(CONFIG_ARM64) && defined(CONFIG_UNWIND_PATCH_PAC_INTO_SCS)
376 u32 *insns = section;
377 int i;
378
379 for (i = 0; i < section_size / sizeof(insns[0]); i++) {
380 if (insns[i] == SCS_PUSH)
381 insns[i] = PACIASP;
382 else if (insns[i] == SCS_POP)
383 insns[i] = AUTIASP;
384 }
385 #endif
386 }
387
388 #ifdef CONFIG_CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK
389 static struct {
390 const void *text;
391 int textsize;
392 const void *rodata;
393 int rodatasize;
394 } saved_integrity_check_info;
395
fips140_text_read(struct file * file,char __user * to,size_t count,loff_t * ppos)396 static ssize_t fips140_text_read(struct file *file, char __user *to,
397 size_t count, loff_t *ppos)
398 {
399 return simple_read_from_buffer(to, count, ppos,
400 saved_integrity_check_info.text,
401 saved_integrity_check_info.textsize);
402 }
403
fips140_rodata_read(struct file * file,char __user * to,size_t count,loff_t * ppos)404 static ssize_t fips140_rodata_read(struct file *file, char __user *to,
405 size_t count, loff_t *ppos)
406 {
407 return simple_read_from_buffer(to, count, ppos,
408 saved_integrity_check_info.rodata,
409 saved_integrity_check_info.rodatasize);
410 }
411
412 static const struct file_operations fips140_text_fops = {
413 .read = fips140_text_read,
414 };
415
416 static const struct file_operations fips140_rodata_fops = {
417 .read = fips140_rodata_read,
418 };
419
fips140_init_integrity_debug_files(const void * text,int textsize,const void * rodata,int rodatasize)420 static void fips140_init_integrity_debug_files(const void *text, int textsize,
421 const void *rodata,
422 int rodatasize)
423 {
424 struct dentry *dir;
425
426 dir = debugfs_create_dir("fips140", NULL);
427
428 saved_integrity_check_info.text = kmemdup(text, textsize, GFP_KERNEL);
429 saved_integrity_check_info.textsize = textsize;
430 if (saved_integrity_check_info.text)
431 debugfs_create_file("text", 0400, dir, NULL,
432 &fips140_text_fops);
433
434 saved_integrity_check_info.rodata = kmemdup(rodata, rodatasize,
435 GFP_KERNEL);
436 saved_integrity_check_info.rodatasize = rodatasize;
437 if (saved_integrity_check_info.rodata)
438 debugfs_create_file("rodata", 0400, dir, NULL,
439 &fips140_rodata_fops);
440 }
441 #else /* CONFIG_CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK */
fips140_init_integrity_debug_files(const void * text,int textsize,const void * rodata,int rodatasize)442 static void fips140_init_integrity_debug_files(const void *text, int textsize,
443 const void *rodata,
444 int rodatasize)
445 {
446 }
447 #endif /* !CONFIG_CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK */
448
449 extern struct {
450 u32 offset;
451 u32 count;
452 } fips140_rela_text, fips140_rela_rodata;
453
check_fips140_module_hmac(void)454 static bool __init check_fips140_module_hmac(void)
455 {
456 struct crypto_shash *tfm = NULL;
457 SHASH_DESC_ON_STACK(desc, dontcare);
458 u8 digest[SHA256_DIGEST_SIZE];
459 void *textcopy, *rodatacopy;
460 int textsize, rodatasize;
461 bool ok = false;
462 int err;
463
464 textsize = &__fips140_text_end - &__fips140_text_start;
465 rodatasize = &__fips140_rodata_end - &__fips140_rodata_start;
466
467 pr_info("text size : 0x%x\n", textsize);
468 pr_info("rodata size: 0x%x\n", rodatasize);
469
470 textcopy = kmalloc(textsize + rodatasize, GFP_KERNEL);
471 if (!textcopy) {
472 pr_err("Failed to allocate memory for copy of .text\n");
473 goto out;
474 }
475
476 rodatacopy = textcopy + textsize;
477
478 memcpy(textcopy, __text_start, textsize);
479 memcpy(rodatacopy, __rodata_start, rodatasize);
480
481 // apply the relocations in reverse on the copies of .text and .rodata
482 unapply_text_relocations(textcopy, textsize,
483 offset_to_ptr(&fips140_rela_text.offset),
484 fips140_rela_text.count);
485
486 unapply_rodata_relocations(rodatacopy, rodatasize,
487 offset_to_ptr(&fips140_rela_rodata.offset),
488 fips140_rela_rodata.count);
489
490 unapply_scs_patch(textcopy, textsize);
491
492 fips140_init_integrity_debug_files(textcopy, textsize,
493 rodatacopy, rodatasize);
494
495 fips140_inject_integrity_failure(textcopy);
496
497 tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
498 if (IS_ERR(tfm)) {
499 pr_err("failed to allocate hmac tfm (%ld)\n", PTR_ERR(tfm));
500 tfm = NULL;
501 goto out;
502 }
503 desc->tfm = tfm;
504
505 pr_info("using '%s' for integrity check\n",
506 crypto_shash_driver_name(tfm));
507
508 err = crypto_shash_setkey(tfm, fips140_integ_hmac_key,
509 strlen(fips140_integ_hmac_key)) ?:
510 crypto_shash_init(desc) ?:
511 crypto_shash_update(desc, textcopy, textsize) ?:
512 crypto_shash_finup(desc, rodatacopy, rodatasize, digest);
513
514 /* Zeroizing this is important; see the comment below. */
515 shash_desc_zero(desc);
516
517 if (err) {
518 pr_err("failed to calculate hmac shash (%d)\n", err);
519 goto out;
520 }
521
522 if (memcmp(digest, fips140_integ_hmac_digest, sizeof(digest))) {
523 pr_err("provided_digest : %*phN\n", (int)sizeof(digest),
524 fips140_integ_hmac_digest);
525
526 pr_err("calculated digest: %*phN\n", (int)sizeof(digest),
527 digest);
528 goto out;
529 }
530 ok = true;
531 out:
532 /*
533 * FIPS 140-3 requires that all "temporary value(s) generated during the
534 * integrity test" be zeroized (ref: FIPS 140-3 IG 9.7.B). There is no
535 * technical reason to do this given that these values are public
536 * information, but this is the requirement so we follow it.
537 */
538 crypto_free_shash(tfm);
539 memzero_explicit(digest, sizeof(digest));
540 kfree_sensitive(textcopy);
541 return ok;
542 }
543
fips140_sha256(void * p,const u8 * data,unsigned int len,u8 * out,int * hook_inuse)544 static void fips140_sha256(void *p, const u8 *data, unsigned int len, u8 *out,
545 int *hook_inuse)
546 {
547 sha256(data, len, out);
548 *hook_inuse = 1;
549 }
550
fips140_aes_expandkey(void * p,struct crypto_aes_ctx * ctx,const u8 * in_key,unsigned int key_len,int * err)551 static void fips140_aes_expandkey(void *p, struct crypto_aes_ctx *ctx,
552 const u8 *in_key, unsigned int key_len,
553 int *err)
554 {
555 *err = aes_expandkey(ctx, in_key, key_len);
556 }
557
fips140_aes_encrypt(void * priv,const struct crypto_aes_ctx * ctx,u8 * out,const u8 * in,int * hook_inuse)558 static void fips140_aes_encrypt(void *priv, const struct crypto_aes_ctx *ctx,
559 u8 *out, const u8 *in, int *hook_inuse)
560 {
561 aes_encrypt(ctx, out, in);
562 *hook_inuse = 1;
563 }
564
fips140_aes_decrypt(void * priv,const struct crypto_aes_ctx * ctx,u8 * out,const u8 * in,int * hook_inuse)565 static void fips140_aes_decrypt(void *priv, const struct crypto_aes_ctx *ctx,
566 u8 *out, const u8 *in, int *hook_inuse)
567 {
568 aes_decrypt(ctx, out, in);
569 *hook_inuse = 1;
570 }
571
update_fips140_library_routines(void)572 static bool update_fips140_library_routines(void)
573 {
574 int ret;
575
576 ret = register_trace_android_vh_sha256(fips140_sha256, NULL) ?:
577 register_trace_android_vh_aes_expandkey(fips140_aes_expandkey, NULL) ?:
578 register_trace_android_vh_aes_encrypt(fips140_aes_encrypt, NULL) ?:
579 register_trace_android_vh_aes_decrypt(fips140_aes_decrypt, NULL);
580
581 return ret == 0;
582 }
583
584 /*
585 * Initialize the FIPS 140 module.
586 *
587 * Note: this routine iterates over the contents of the initcall section, which
588 * consists of an array of function pointers that was emitted by the linker
589 * rather than the compiler. This means that these function pointers lack the
590 * usual CFI stubs that the compiler emits when CFI codegen is enabled. So
591 * let's disable CFI locally when handling the initcall array, to avoid
592 * surpises.
593 */
594 static int __init __attribute__((__no_sanitize__("cfi")))
fips140_init(void)595 fips140_init(void)
596 {
597 const u32 *initcall;
598
599 pr_info("loading " FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION "\n");
600 fips140_init_thread = current;
601
602 unregister_existing_fips140_algos();
603
604 /* iterate over all init routines present in this module and call them */
605 for (initcall = __initcall_start + 1;
606 initcall < &__initcall_end_marker;
607 initcall++) {
608 int (*init)(void) = offset_to_ptr(initcall);
609 int err = init();
610
611 /*
612 * ENODEV is expected from initcalls that only register
613 * algorithms that depend on non-present CPU features. Besides
614 * that, errors aren't expected here.
615 */
616 if (err && err != -ENODEV) {
617 pr_err("initcall %ps() failed: %d\n", init, err);
618 goto panic;
619 }
620 }
621
622 if (!fips140_run_selftests())
623 goto panic;
624
625 /*
626 * It may seem backward to perform the integrity check last, but this
627 * is intentional: the check itself uses hmac(sha256) which is one of
628 * the algorithms that are replaced with versions from this module, and
629 * the integrity check must use the replacement version. Also, to be
630 * ready for FIPS 140-3, the integrity check algorithm must have already
631 * been self-tested.
632 */
633
634 if (!check_fips140_module_hmac()) {
635 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK)) {
636 pr_crit("integrity check failed -- giving up!\n");
637 goto panic;
638 }
639 pr_crit("ignoring integrity check failure due to debug mode\n");
640 } else {
641 pr_info("integrity check passed\n");
642 }
643
644 complete_all(&fips140_tests_done);
645
646 if (!update_fips140_library_routines())
647 goto panic;
648
649 if (!fips140_eval_testing_init())
650 goto panic;
651
652 pr_info("module successfully loaded\n");
653 return 0;
654
655 panic:
656 panic("FIPS 140 module load failure");
657 }
658
659 module_init(fips140_init);
660
661 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
662 MODULE_LICENSE("GPL v2");
663
664 /*
665 * Crypto-related helper functions, reproduced here so that they will be
666 * covered by the FIPS 140 integrity check.
667 *
668 * Non-cryptographic helper functions such as memcpy() can be excluded from the
669 * FIPS module, but there is ambiguity about other helper functions like
670 * __crypto_xor() and crypto_inc() which aren't cryptographic by themselves,
671 * but are more closely associated with cryptography than e.g. memcpy(). To
672 * err on the side of caution, we include copies of these in the FIPS module.
673 */
__crypto_xor(u8 * dst,const u8 * src1,const u8 * src2,unsigned int len)674 void __crypto_xor(u8 *dst, const u8 *src1, const u8 *src2, unsigned int len)
675 {
676 while (len >= 8) {
677 *(u64 *)dst = *(u64 *)src1 ^ *(u64 *)src2;
678 dst += 8;
679 src1 += 8;
680 src2 += 8;
681 len -= 8;
682 }
683
684 while (len >= 4) {
685 *(u32 *)dst = *(u32 *)src1 ^ *(u32 *)src2;
686 dst += 4;
687 src1 += 4;
688 src2 += 4;
689 len -= 4;
690 }
691
692 while (len >= 2) {
693 *(u16 *)dst = *(u16 *)src1 ^ *(u16 *)src2;
694 dst += 2;
695 src1 += 2;
696 src2 += 2;
697 len -= 2;
698 }
699
700 while (len--)
701 *dst++ = *src1++ ^ *src2++;
702 }
703
crypto_inc(u8 * a,unsigned int size)704 void crypto_inc(u8 *a, unsigned int size)
705 {
706 a += size;
707
708 while (size--)
709 if (++*--a)
710 break;
711 }
712