ANDROID: jump_label: disable jump labels in fips140.ko

The fips140 module doesn't support jump labels, as they would invalidate the hash of the .text section. So when building the module, switch to the generic implementation that does not rely on arch-specific code patching support. This fixes a failure in check_fips140_module_hmac() caused by the module containing a call to crypto_alg_put(), which is an inline function that calls refcount_dec_and_test(), which on arm64 uses a jump label. Note that the optimized definition of struct static_key is retained, to ensure ABI compatibility across the FIPS140 module boundary. To ensure that static keys and their associated jump labels remain in a consistent state, the fips140 module will not be able to manipulate static keys, but only to check their state. Bug: 153614920 Bug: 188620248 Change-Id: Ie834bbf2eed5d09bfae7f387b711a934bedf390d Signed-off-by: Eric Biggers <ebiggers@google.com> [ardb: disable jump labels in generic code not in arm64 arch code] Signed-off-by: Ard Biesheuvel <ardb@google.com>
2021-07-08 14:46:44 -07:00 · 2021-07-08 14:46:44 -07:00 · ff4aa33724
commit ff4aa33724
parent 9871f4d6af
1 changed files with 26 additions and 3 deletions
--- a/include/linux/jump_label.h
+++ b/include/linux/jump_label.h
@ -108,7 +108,7 @@ struct static_key {

 #endif /* __ASSEMBLY__ */

-#ifdef CONFIG_JUMP_LABEL
+#if defined(CONFIG_JUMP_LABEL) && !defined(BUILD_FIPS140_KO)
 #include <asm/jump_label.h>

 #ifndef __ASSEMBLY__
@ -195,7 +195,30 @@ enum jump_label_type {

 struct module;

-#ifdef CONFIG_JUMP_LABEL
+#ifdef BUILD_FIPS140_KO
+
+#include <linux/atomic.h>
+
+static inline int static_key_count(struct static_key *key)
+{
+	return arch_atomic_read(&key->enabled);
+}
+
+static __always_inline bool static_key_false(struct static_key *key)
+{
+	if (unlikely(static_key_count(key) > 0))
+		return true;
+	return false;
+}
+
+static __always_inline bool static_key_true(struct static_key *key)
+{
+	if (likely(static_key_count(key) > 0))
+		return true;
+	return false;
+}
+
+#elif defined(CONFIG_JUMP_LABEL)

 #define JUMP_TYPE_FALSE		0UL
 #define JUMP_TYPE_TRUE		1UL
@ -408,7 +431,7 @@ extern bool ____wrong_branch_error(void);
 	static_key_count((struct static_key *)x) > 0;				\
 })

-#ifdef CONFIG_JUMP_LABEL
+#if defined(CONFIG_JUMP_LABEL) && !defined(BUILD_FIPS140_KO)

 /*
 * Combine the right initial value (type) with the right branch order