In the updated HW-wrapped key code in the android14 kernels, HW-wrapped
keys are only allowed on a multi-block-device filesystem if they have a
compatible HW-wrapped keys implementation. While in principle this is a
good thing to check, my implementation of it, which simply checks
whether the block devices have the same crypto profiles, doesn't work
when device-mapper is being used.
To actually do that check correctly, I think we'd need to add a
HW-wrapped keys implementation name or ID to the crypto capabilities.
That being said, in Android the HW-wrapped keys implementation is a
global thing anyway. So in the interest of not overcomplicating things,
for now let's just drop these extra checks that are causing problems.
Bug: 160883801
Bug: 265180564
Fixes: 2fd53f8098 ("ANDROID: fscrypt: add support for hardware-wrapped keys")
Fixes: 139dbaa221 ("ANDROID: update "block: add basic hardware-wrapped key support" to v7")
Change-Id: Ia49d62cc2c56447fb898f19bf67df1a38af379f8
Signed-off-by: Eric Biggers <ebiggers@google.com>
Add a function to remap memory in the logical mapping as uncached.
This is intended to be called before calling remove_memory() in
instances where clean evictions cannot be tolerated after the logical
mapping is removed.
Bug: 256898253
Change-Id: I10090c7423c5dcf43d4e706ea62f86eab7b997b7
Signed-off-by: Chris Goldsworthy <quic_cgoldswo@quicinc.com>
Note that this just stops the crash, it does not correctly set the
buffer. However, since no current use case in Android requires the
buffer, this is tolerable for now.
Bug: 265206112
Test: atest android.scopedstorage.cts.host.ScopedStorageHostTest
crashes without this, passes with it
Change-Id: I25efac2b1d38fa54b9f26a3f297196fa79e5e7c3
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Note that this is specific for the non-upstreamed version
Bug: 202785178
Bug: 265206112
Test: cat /sys/fs/fuse/fuse_bpf_major_version
Change-Id: I68f9ca56778874975428839dfc1fd8f48b11bd75
Signed-off-by: Paul Lawrence <paullawrence@google.com>
This is a squash of these changes cherry-picked from common-android13-5.10
ANDROID: fuse-bpf: Make compile and pass test
ANDROID: fuse-bpf: set error_in to ENOENT in negative lookup
ANDROID: fuse-bpf: Add ability to run ranges of tests to fuse_test
ANDROID: fuse-bpf: Add test for lookup postfilter
ANDROID: fuse-bpf: readddir postfilter fixes
ANDROID: fix kernelci error in fs/fuse/dir.c
ANDROID: fuse-bpf: Fix RCU/reference issue
ANDROID: fuse-bpf: Always call revalidate for backing
ANDROID: fuse-bpf: Adjust backing handle funcs
ANDROID: fuse-bpf: Fix revalidate error path and backing handling
ANDROID: fuse-bpf: Fix use of get_fuse_inode
ANDROID: fuse: Don't use readdirplus w/ nodeid 0
ANDROID: fuse-bpf: Introduce readdirplus test case for fuse bpf
ANDROID: fuse-bpf: Make sure force_again flag is false by default
ANDROID: fuse-bpf: Make inodes with backing_fd reachable for regular FUSE fuse_iget
Revert "ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate"
ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate
ANDROID: fuse-bpf: Fix misuse of args.out_args
ANDROID: fuse-bpf: Fix non-fusebpf build
ANDROID: fuse-bpf: Use fuse_bpf_args in uapi
ANDROID: fuse-bpf: Fix read_iter
ANDROID: fuse-bpf: Use cache and refcount
ANDROID: fuse-bpf: Rename iocb_fuse to iocb_orig
ANDROID: fuse-bpf: Fix fixattr in rename
ANDROID: fuse-bpf: Fix readdir
ANDROID: fuse-bpf: Fix lseek return value for offset 0
ANDROID: fuse-bpf: fix read_iter and write_iter
ANDROID: fuse-bpf: fix special devices
ANDROID: fuse-bpf: support FUSE_LSEEK
ANDROID: fuse-bpf: Add support for FUSE_COPY_FILE_RANGE
ANDROID: fuse-bpf: Report errors to finalize
ANDROID: fuse-bpf: Avoid reusing uint64_t for file
ANDROID: fuse-bpf: Fix CONFIG_FUSE_BPF typo in FUSE_FSYNCDIR
ANDROID: fuse-bpf: Move fd operations to be synchronous
ANDROID: fuse-bpf: Invalidate if lower is unhashed
ANDROID: fuse-bpf: Move bpf earlier in fuse_permission
ANDROID: fuse-bpf: Update attributes on file write
ANDROID: fuse: allow mounting with no userspace daemon
ANDROID: fuse-bpf: Support FUSE_STATFS
ANDROID: fuse-bpf: Fix filldir
ANDROID: fuse-bpf: fix fuse_create_open_finalize
ANDROID: fuse: add bpf support for removexattr
ANDROID: fuse-bpf: Fix truncate
ANDROID: fuse-bpf: Support inotify
ANDROID: fuse-bpf: Make compile with CONFIG_FUSE but no CONFIG_FUSE_BPF
ANDROID: fuse-bpf: Fix perms on readdir
ANDROID: fuse: Fix umasking in backing
ANDROID: fs/fuse: Backing move returns EXDEV if TO not backed
ANDROID: bpf-fuse: Fix Setattr
ANDROID: fuse-bpf: Check if mkdir dentry setup
ANDROID: fuse-bpf: Close backing fds in fuse_dentry_revalidate
ANDROID: fuse-bpf: Close backing-fd on both paths
ANDROID: fuse-bpf: Partial fix for mmap'd files
ANDROID: fuse-bpf: Restore a missing const
ANDROID: Add fuse-bpf self tests
ANDROID: Add FUSE_BPF to gki_defconfig
ANDROID: fuse-bpf v1
ANDROID: fuse: Move functions in preparation for fuse-bpf
Bug: 202785178
Bug: 265206112
Test: test_fuse passes on linux.
On cuttlefish,
atest android.scopedstorage.cts.host.ScopedStorageHostTest
passes with fuse-bpf enabled and disabled
Change-Id: Idb099c281f9b39ff2c46fa3ebc63e508758416ee
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Signed-off-by: Daniel Rosenberg <drosen@google.com>
pKVM modules can't rely on the usual hyp function kern_hyp_va() to
convert addr from the kernel space to the hyp's. Instead, provide
pkvm_el2_mod_va() that will do the conversion using the token provided
by pkvm_load_el2_module().
Bug: 244543039
Bug: 244373730
Change-Id: I7423b40f1107bb92cd732843c5cdbf1d45662f00
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Merge 6.1.1 into android14-6.1
Changes in 6.1.1
x86/vdso: Conditionally export __vdso_sgx_enter_enclave()
libbpf: Fix uninitialized warning in btf_dump_dump_type_data
PCI: mt7621: Add sentinel to quirks table
mips: ralink: mt7621: define MT7621_SYSC_BASE with __iomem
mips: ralink: mt7621: soc queries and tests as functions
mips: ralink: mt7621: do not use kzalloc too early
irqchip/ls-extirq: Fix endianness detection
udf: Discard preallocation before extending file with a hole
udf: Fix preallocation discarding at indirect extent boundary
udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
udf: Fix extending file within last block
usb: gadget: uvc: Prevent buffer overflow in setup handler
USB: serial: option: add Quectel EM05-G modem
USB: serial: cp210x: add Kamstrup RF sniffer PIDs
USB: serial: f81232: fix division by zero on line-speed change
USB: serial: f81534: fix division by zero on line-speed change
ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook
xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N
staging: r8188eu: fix led register settings
igb: Initialize mailbox message for VF reset
usb: typec: ucsi: Resume in separate work
usb: dwc3: pci: Update PCIe device ID for USB3 controller on CPU sub-system for Raptor Lake
cifs: fix oops during encryption
KEYS: encrypted: fix key instantiation with user-provided data
Linux 6.1.1
Change-Id: I1a5f3cb051882695d6a33dc6a852415cd7a81b9a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The timer wheel calculates the index for any timer based on the expiry
value and level granularity of the timer. Due to the level granularity,
a timer will not fire at the exact time; instead it expires at a time value
expires + granularity. This is done in the timer code when the index for
each timer is calculated based on the expiry and granularity at each
level:
expires = (expires >> LVL_SHIFT(lvl)) + 1;
For devfreq drivers the requirement is to fire the timer at the exact
time. If the timer does not expire at the exact time then it'll take
much longer to react and increase the device frequency. The devfreq driver
registers a timer for 10ms expiry and due to slack in the timer code the
expiry happens at 20 ms. For example: frame rendering time is 16ms.
If the devfreq driver reacts after 20ms instead of 10ms, that's
way past a frame rendering time.
Timers with 10ms to 630ms expiry fall under level 0. To overcome the
granularity issue for level 0 with low expiry values, do not add the
granularity, by introducing a new calc_index vendor hook.
Bug: 178758017
Change-Id: I13cdf541e4c1bd426ce28b7a8a17cb8381eb2a92
Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
(cherry picked from commit 1855071010)
[quic_satyap@quicinc.com: fix minor merge conflict]
Signed-off-by: Satya Durga Srinivasu Prabhala <quic_satyap@quicinc.com>
Fix the calculation to determine the number of module relocs present in
the '.hyp.reloc' section to divide by the size of 'kvm_nvhe_reloc_t' (4)
instead of the size of a pointer (8).
Fixes: 3dc729d157a7 ("ANDROID: KVM: arm64: Resolve hyp module addresses using ELF sections")
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 261855285
Change-Id: Ia7afc508039d549ae061793afa39fde9d844c069
Modules with an empty '.hyp.text' section do not contain any EL2 code
and should therefore be ignored for the purposes of hypervisor module
loading. Failing to ignore such modules will likely result in a later
loading failure due to the absence of '.hyp.reloc', which is not present
for non-hypervisor modules.
Don't bother parsing the other '.hyp.*' sections for modules with an
empty '.hyp.text' section and return early success to allow the module
to load as a normal kernel module.
Fixes: 3dc729d157a7 ("ANDROID: KVM: arm64: Resolve hyp module addresses using ELF sections")
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 261855285
Change-Id: Idc24f95881c520b40038f77cd5af5ccc1d23624f
This reverts commit f347aa8c3d.
The '__hyprel_{start,end}' symbols are no longer used, so don't bother
generating them.
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 261855285
Change-Id: I8e8dc5c94a9e67400e73e362e4377032328d86d4
Resolving the addresses of the hypervisor sections within a loadable
module using symbol assignment is fragile, particularly in the face of
mergeable sections (i.e. those emitted with SHF_MERGE by the compiler).
Instead, parse the ELF .hyp.* sections directly and remove the need for
global symbols in the hypervisor module linker script.
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 261855285
Change-Id: I91d88e1a341b91ffe52ffc770dddc9b46ccb3aa4
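The three hypervisor-module commit messages above (reloc count from '.hyp.reloc', skipping modules with an empty '.hyp.text', and parsing the '.hyp.*' sections directly) modelled in userspace. This is an added example, not the kernel's code: build_module(), read_sections() and hyp_module_info() are hypothetical names, the sample modules are constructed, and treating an absent '.hyp.text' like an empty one is an assumption.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8
RELOC_SIZE = 4                              # size of kvm_nvhe_reloc_t, per the commit message


def build_module(sections):
    """Constructed sample input: a minimal little-endian ELF64 relocatable
    object holding the given {section name: bytes}."""
    bodies = dict(sections)
    strtab, name_off = b"\0", {}
    for name in list(bodies) + [".shstrtab"]:
        name_off[name] = len(strtab)
        strtab += name.encode() + b"\0"
    bodies[".shstrtab"] = strtab
    data, shdrs = b"", [SHDR.pack(*[0] * 10)]          # index 0 is the null section
    for name, body in bodies.items():
        sh_type = SHT_STRTAB if name == ".shstrtab" else SHT_PROGBITS
        shdrs.append(SHDR.pack(name_off[name], sh_type, 0, 0,
                               EHDR.size + len(data), len(body), 0, 0, 1, 0))
        data += body
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)          # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, 1, 183, 1, 0, 0, EHDR.size + len(data), 0,
                     EHDR.size, 0, 0, SHDR.size, len(shdrs), len(shdrs) - 1)
    return ehdr + data + b"".join(shdrs)


def read_sections(elf):
    """Return {name: (file offset, size)} from the section header table,
    rejecting tables, sections or names that point outside the image."""
    if len(elf) < EHDR.size or elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(elf)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if (shentsize != SHDR.size or shstrndx >= shnum
            or shoff + shnum * shentsize > len(elf)):
        raise ValueError("bad section header table")
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    for h in hdrs:
        # SHT_NOBITS sections occupy no file space, so only check the others.
        if h[1] != SHT_NOBITS and h[4] + h[5] > len(elf):
            raise ValueError("section extends past end of image")
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    sections = {}
    for h in hdrs[1:]:
        end = strtab.find(b"\0", h[0])
        if h[0] >= len(strtab) or end < 0:
            raise ValueError("bad section name")
        sections[strtab[h[0]:end].decode()] = (h[4], h[5])
    return sections


def hyp_module_info(elf):
    """None for a module without EL2 code (load it as a normal kernel module),
    otherwise the size of '.hyp.text' and the number of '.hyp.reloc' entries."""
    sections = read_sections(elf)
    _, text_size = sections.get(".hyp.text", (0, 0))
    if text_size == 0:
        return None                      # early success: skip the other .hyp.* sections
    if ".hyp.reloc" not in sections:
        raise ValueError("hypervisor module without .hyp.reloc")
    _, reloc_size = sections[".hyp.reloc"]
    if reloc_size % RELOC_SIZE:
        raise ValueError(".hyp.reloc size is not a multiple of the entry size")
    # Dividing by the pointer size (8) here would report half the entries.
    return {"text_size": text_size, "nr_relocs": reloc_size // RELOC_SIZE}


# Constructed samples: one module with EL2 code and three relocs, one without EL2 code.
HYP_MODULE = build_module({".hyp.text": bytes.fromhex("1f2003d5c0035fd6"),
                           ".hyp.reloc": bytes(3 * RELOC_SIZE)})
PLAIN_MODULE = build_module({".text": bytes.fromhex("c0035fd6"), ".hyp.text": b""})

if __name__ == "__main__":
    print(hyp_module_info(HYP_MODULE))
    print(hyp_module_info(PLAIN_MODULE))
```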
Add a vendor hook to allow mmaping more memory than a DMA-BUF holds. The
implementor of the vmap callback for the DMA-BUF is responsible for
ensuring that all pages are backed by memory. The hook takes as input
a DMA-BUF to allow the VMA bounds check to be done on a case-by-case
basis for DMA-BUFs.
Note that if the override is allowed to go through for a given
DMA-BUF, then it can be the case that the size of this mmaped DMA-BUF
is reported incorrectly when looking at /proc/pid/maps for the owning
process.
Bug: 234753494
Change-Id: Iba8cc8adfd2290e4dc7ef04fce5d6a80ac92e0b3
Signed-off-by: Chris Goldsworthy <quic_cgoldswo@quicinc.com>
Signed-off-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>
Add a sample program that supports various tests that the FIPS
certification lab is required to do on fips140.ko. To do its work it
uses AF_ALG, as well as the /dev/fips140 device node provided by a build
of fips140.ko with CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING enabled.
Original commits:
android12-5.10:
109f31ac23f5 ("ANDROID: fips140: add userspace interface for evaluation testing")
a481d4352121 ("ANDROID: fips140: refactor and rename fips140_lab_test")
3a624c9ccdd7 ("ANDROID: fips140: add show_invalid_inputs command to fips140_lab_util")
fe60669d0308 ("ANDROID: fips140: add dump_jitterentropy command to fips140_lab_util")
Bug: 153614920
Bug: 188620248
Change-Id: Ide1875f39d439c3955d03a5f41160382544d47bd
Signed-off-by: Eric Biggers <ebiggers@google.com>
To meet FIPS 140 requirements, add support for building a kernel module
"fips140.ko" that contains various cryptographic algorithms built from
existing kernel source files. At load time, the module checks its own
integrity and self-tests its algorithms, then registers the algorithms
with the crypto API to supersede the original algorithms provided by the
kernel itself.
[ebiggers: this commit originated from "ANDROID: crypto: fips140 -
perform load time integrity check", but I've folded many later commits
into it to make forward porting easier. See below]
Original commits:
android12-5.10:
6be141eb36fe ("ANDROID: crypto: fips140 - perform load time integrity check")
868be244bbed ("ANDROID: inject correct HMAC digest into fips140.ko at build time")
091338cb398e ("ANDROID: fips140: add missing static keyword to fips140_init()")
c799c6644b52 ("ANDROID: fips140: adjust some log messages")
92de53472e68 ("ANDROID: fips140: log already-live algorithms")
0af06624eadc ("ANDROID: fips140: check for errors from initcalls")
634445a640a4 ("ANDROID: fips140: fix deadlock in unregister_existing_fips140_algos()")
e886dd4c339e ("ANDROID: fips140: unregister existing DRBG algorithms")
b7397e89db29 ("ANDROID: fips140: add power-up cryptographic self-tests")
50661975be74 ("ANDROID: fips140: add/update module help text")
b397a0387cb2 ("ANDROID: fips140: test all implementations")
17ccefe14021 ("ANDROID: fips140: use full 16-byte IV")
1be58af0776a ("ANDROID: fips140: remove non-prediction-resistant DRBG test")
2b5843ae2d90 ("ANDROID: fips140: add AES-CBC-CTS")
2ee56aad318c ("ANDROID: fips140: add AES-CMAC")
960ebb2b565b ("ANDROID: fips140: add jitterentropy to fips140 module")
e5b14396f9d2 ("ANDROID: fips140: take into account AES-GCM not being approvable")
52b70d491bd4 ("ANDROID: fips140: use FIPS140_CFLAGS when compiling fips140-selftests.c")
6b995f5a5403 ("ANDROID: fips140: preserve RELA sections without relying on the module loader")
e45108ecff64 ("ANDROID: fips140: block crypto operations until tests complete")
ecf9341134d1 ("ANDROID: fips140: remove in-place updating of live algorithms")
482b0323cf29 ("ANDROID: fips140: zeroize temporary values from integrity check")
64d769e53f20 ("ANDROID: fips140: add service indicators")
8d7f609cdaa4 ("ANDROID: fips140: add name and version, and a function to retrieve them")
6b7c37f6c449 ("ANDROID: fips140: use UTS_RELEASE as FIPS version")
903e97a0ca6d ("ANDROID: fips140: refactor evaluation testing support")
97fb2104fe22 ("ANDROID: fips140: add support for injecting integrity error")
109f31ac23f5 ("ANDROID: fips140: add userspace interface for evaluation testing")
android14-5.15:
84572a0c7981 ("ANDROID: fips140: split dump-section+add-section into 2 ops")
b0f8873811d4 ("ANDROID: kleaf: convert fips140 to kleaf")
2535deae8069 ("ANDROID: GKI: Source GKI_BUILD_CONFIG_FRAGMENT after setting all variables")
685a2ade28bb ("ANDROID: fips140: add crypto_memneq() back to the module")
320dfca58a3d ("ANDROID: fips140: fix in-tree builds")
d4966a820397 ("ANDROID: fips140: remove CONFIG_CRYPTO_FIPS140 option")
6da26b8750f5 ("ANDROID: fips140: require 'm' to enable CRYPTO_FIPS140_MOD")
bfcfcce3803b ("ANDROID: fips140: unapply ABS32 relocations generated by KCFI")
63f46b45dda2 ("ANDROID: fips140: eliminate crypto-fips.a build step")
ae4ca7a09bb6 ("ANDROID: fips140: allow building without LTO")
Bug: 153614920
Bug: 188620248
Test: tested that the module builds and can be loaded on raven.
Change-Id: I3fde49dbc3d16b149b072a27ba5b4c6219015c94
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
may_use_simd() should only be called by code that may use FP/SIMD when
it is available, and so checking whether the system supports FP/SIMD in
the first place should be redundant - the caller in question (e.g., a
SIMD crypto algorithm) should never be initialized in the first place.
Checking the system capability involves jump labels and therefore code
patching, which interferes with our ability to perform an integrity
check on some of the crypto code. So let's get rid of the capability
check altogether.
Bug: 153614920
Bug: 188620248
Change-Id: Ia8df624f4648cc980a12a44eeb82e8f186d5f961
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
The arm64 LSE atomics implementation uses both alternatives patching and
jump label patching, both of which need to be selectively disabled when
building the FIPS140 module, or the hashing of the .text section no
longer works.
We already disable jump labels in generic code, but this uncovers a
rather nasty circular include dependency, as the jump label fallback
code uses atomics, which are provided by the LSE code if enabled.
So let's disable LSE as well when building the FIPS140 module: this does
not have any impact on the code, as no code patching goes on in this
module anyway, but it avoids #include hell.
Bug: 153614920
Bug: 188620248
Change-Id: Ia3d823fa3a309777f0c955d619ae8b139dc74061
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
The FIPS140 crypto module takes a HMAC digest of its own .text and
.rodata section in its module_init() hook. This digest is compared to a
digest taken at build time, which means that we need to take some extra
care to ensure that the build time and runtime versions line up.
One thing we cannot tolerate in this case is alternatives patching. In
the general case, we cannot simply ignore alternatives, but fortunately,
there is only a small subset that actually gets instantiated in the
FIPS140 module, and all of these can be ignored if we are willing to
accept that the FIPS140 module does not support VHE hardware, and does
not work when running with pseudo-NMI support enabled. None of this is
important for the use case targeted by the FIPS140 module, so this is
something we should be able to live with.
Bug: 153614920
Bug: 188620248
Change-Id: Ie6666e01d5524a3c33aa451609bab2f29b612f8c
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
The fips140 module doesn't support jump labels, as they would invalidate
the hash of the .text section. So when building the module, switch to
the generic implementation that does not rely on arch-specific code
patching support.
This fixes a failure in check_fips140_module_hmac() caused by the module
containing a call to crypto_alg_put(), which is an inline function that
calls refcount_dec_and_test(), which on arm64 uses a jump label.
Note that the optimized definition of struct static_key is retained, to
ensure ABI compatibility across the FIPS140 module boundary. To ensure
that static keys and their associated jump labels remain in a consistent
state, the fips140 module will not be able to manipulate static keys,
but only to check their state.
Bug: 153614920
Bug: 188620248
Change-Id: Ie834bbf2eed5d09bfae7f387b711a934bedf390d
Signed-off-by: Eric Biggers <ebiggers@google.com>
[ardb: disable jump labels in generic code not in arm64 arch code]
Signed-off-by: Ard Biesheuvel <ardb@google.com>
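The load-time integrity check described in the fips140 commit messages above (an HMAC over .text and .rodata compared with a build-time digest, which jump label patching invalidates), as an added userspace sketch that is not the module's own code. The key, the choice of SHA-256, the function names and the section bytes are all assumptions or constructed values.

```python
import hashlib
import hmac
import struct

# Assumptions for this sketch; none of these values come from the page.
HMAC_KEY = b"constructed example key"   # placeholder key
A64_NOP = 0xD503201F                    # arm64 NOP, what a disabled jump label site holds
A64_B = 0x14000000                      # arm64 unconditional branch, imm26 in the low bits


def section_digest(text, rodata):
    """HMAC over .text followed by .rodata (SHA-256 is an assumption)."""
    mac = hmac.new(HMAC_KEY, digestmod=hashlib.sha256)
    mac.update(text)
    mac.update(rodata)
    return mac.digest()


def integrity_check(text, rodata, expected):
    """Load-time check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(section_digest(text, rodata), expected)


def enable_jump_label(text, site, target):
    """Model runtime code patching: the NOP at byte offset `site` is rewritten
    into a branch to byte offset `target`, as enabling a static key would do."""
    if site % 4 or target % 4:
        raise ValueError("instruction offsets must be 4-byte aligned")
    (insn,) = struct.unpack_from("<I", text, site)
    if insn != A64_NOP:
        raise ValueError("not a jump label site")
    imm26 = ((target - site) // 4) & 0x03FFFFFF
    patched = bytearray(text)
    struct.pack_into("<I", patched, site, A64_B | imm26)
    return bytes(patched)


def patched_words(built, loaded):
    """Byte offsets of the 4-byte instruction words that differ between the
    build-time and load-time images; useful when a digest mismatch must be
    traced back to a patch site."""
    return [off for off in range(0, min(len(built), len(loaded)), 4)
            if built[off:off + 4] != loaded[off:off + 4]]


# Constructed sample sections: four arm64 instruction words, the second one a
# NOP standing in for a jump label site, and a short read-only data blob.
BUILT_TEXT = struct.pack("<4I", 0xD10043FF, A64_NOP, 0x910043FF, 0xD65F03C0)
BUILT_RODATA = b"fips140 constructed rodata\0"
BUILD_DIGEST = section_digest(BUILT_TEXT, BUILT_RODATA)   # "injected at build time"

if __name__ == "__main__":
    print("unpatched image passes:", integrity_check(BUILT_TEXT, BUILT_RODATA, BUILD_DIGEST))
    loaded = enable_jump_label(BUILT_TEXT, site=4, target=12)
    print("patched image passes:  ", integrity_check(loaded, BUILT_RODATA, BUILD_DIGEST))
    print("patched offsets:", patched_words(BUILT_TEXT, loaded))
```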
In fips140.ko, enable the behavior that the upstream fips_enabled flag
controls, such as the XTS weak key check which apparently is required.
Note that some of this behavior, such as the DRBG continuity check, is
allegedly not required. But to ensure we don't miss anything that was
already handled upstream, it seems best to define fips_enabled to 1. We
can still disable anything that turns out to be problematic.
Bug: 153614920
Bug: 188620248
Change-Id: Idcded9e69e7d7cdf7f2937009af209857b0c08e2
Signed-off-by: Eric Biggers <ebiggers@google.com>
Add vendor hooks that will allow the FIPS140 kernel module to override
the implementations of the AES library routines. The FIPS 140 versions
are identical to the normal ones, but their code and rodata will have
been integrity checked at module load time.
Original commits:
android12-5.10:
9c556792b713 ("ANDROID: crypto: lib/aes - add vendor hooks for AES library routines")
android14-5.15:
d4966a820397 ("ANDROID: fips140: remove CONFIG_CRYPTO_FIPS140 option")
Bug: 153614920
Bug: 188620248
Change-Id: I5711fc42eced903565fd3c8d41ca7cdd82641148
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Add a vendor hook that will allow the FIPS140 kernel module to override
the implementation of the sha256() library routine. The FIPS 140 version
is identical to the normal one, but its code and rodata will have been
integrity checked at module load time.
Original commits:
android12-5.10:
1e351b98e7c7 ("ANDROID: crypto: lib/sha256 - add vendor hook for sha256() routine")
android14-5.15:
0ef21e1c1ae5 ("ANDROID: vendor_hooks: Reduce pointless modversions CRC churn")
d4966a820397 ("ANDROID: fips140: remove CONFIG_CRYPTO_FIPS140 option")
Bug: 153614920
Bug: 188620248
Change-Id: I8ccc4f0cc8206af39fa922134b438dacac2a614a
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
To meet FIPS requirements, fips140.ko must check its own integrity at
load time. This requires that it know where its .text and .rodata
sections are. To allow this, make the module linker script support
defining symbols that enclose these sections.
In addition, support creating an .initcalls section, so that fips140.ko
can include code from what would normally be multiple modules by
compiling it as "built-in" code.
[ebiggers: Separated this out from the original commit
"ANDROID: crypto: fips140 - perform load time integrity check" and
folded in later changes to the script. See below.]
Original commits:
android12-5.10:
6be141eb36fe ("ANDROID: crypto: fips140 - perform load time integrity check")
e8d56bd78b6e ("ANDROID: module: apply special LTO treatment to .text even if CFI is disabled")
109f31ac23f5 ("ANDROID: fips140: add userspace interface for evaluation testing")
android14-5.15:
57be8919bf33 ("ANDROID: fips140: consolidate linker script changes into module.lds.S")
d4966a820397 ("ANDROID: fips140: remove CONFIG_CRYPTO_FIPS140 option")
6da26b8750f5 ("ANDROID: fips140: require 'm' to enable CRYPTO_FIPS140_MOD")
ae4ca7a09bb6 ("ANDROID: fips140: allow building without LTO")
Bug: 153614920
Bug: 188620248
Change-Id: I22209ff4e6444f9115eca6909bcb653fd5d14aec
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
On older kernel branches, the inclusion of kernel headers in the
vendor hooks source file (drivers/android/vendor_hooks.c) was
guarded with `#ifndef __GENKSYMS__` since the headers were
added to the source file after those branches were KMI frozen.
If the header inclusions were not guarded by `#ifndef __GENKSYMS__`
then the existing CRC values of the symbols in the KMI would have
been impacted, resulting in a KMI break.
Given that this problem does not exist on android14-6.1, remove
the usage of `#ifndef __GENKSYMS__` in drivers/android/vendor_hooks.c.
Bug: 264895944
Change-Id: Iaf051ec4ab00a8239b8e1bc74034717e8bbdc588
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Add a vendor hook that allows overriding the default alloc_iova()
algorithm.
The vendor hook can use the iovad->android_vendor_data1 field, initialized
in the previous patch, to determine whether to use the best-fit algorithm
to allocate iova for this device. If an IOVA was successfully allocated,
the vendor hook returns 0. Otherwise it returns non-zero and we fall back
to the default, first-fit algorithm.
On some 32-bit devices, using a best-fit algorithm reduces the chances of
allocation failure due to fragmentation.
We submitted patches (listed in Links below) with two different approaches
to the community but they were not accepted, in part because we are not
able to reproduce the problem with upstream-only code.
Links:
[1] Use a DT property:
https://lore.kernel.org/lkml/20221213163506.GA2011062-robh@kernel.org/
[2] Add an API function to be called by user drivers:
https://lore.kernel.org/lkml/20200217080339.GC10342@infradead.org/
Bug: 263499813
Bug: 190519428
Bug: 149544392
Change-Id: I8e948a08e79089d3fb7356eeb7f85b58784688f2
Signed-off-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>
Add a vendor hook that allows initializing the iovad->android_vendor_data1
field to indicate whether to use the first-fit or best-fit algorithm for
this device when allocating IOVAs.
Bug: 263499813
Bug: 190519428
Bug: 149544392
Change-Id: I0c894b32416a459d7a58aa076770daedcce67cc3
Signed-off-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>
The alloc_iova() implementation uses a first-fit algorithm when allocating
an IOVA. On some devices, especially with 32-bit IOVA space, this can lead
to fragmentation and result in larger IOVA allocations failing. For such
devices, the best-fit algorithm works better.
Add a vendor field to iova_domain that can be used to indicate that the
best-fit algorithm should be used when allocating IOVAs for this device
(iova_domain).
Bug: 263499813
Bug: 190519428
Bug: 149544392
Change-Id: Ie7dec70ee158075804209f83ae68e5ae0cc20775
Signed-off-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>
Currently, only HS descriptors will be updated with the endpoint address
during the binding process. According to the current max_speed in configfs,
this patch will also update SS/SSP descriptors with the endpoint address.
Bug: 162562782
Signed-off-by: Ray Chi <raychi@google.com>
Change-Id: I67983ef47df7ac567ec1d3af80921c39c98a545d
(cherry picked from commit 41fe558317e9ffdc07326e8ef9ca6ea596d9a518)
(cherry picked from commit ba3ec687b701c60f3b9336e6549b94ed84d8fe77)
When running the clean target, kbuild is supposed to remove dtbs and
dtbos. However, kbuild only searches for those devicetree build
artifacts in the directory that the kernel binaries or kernel modules
are output to. This is not sufficient in cases where an external
devicetree is used, so include the external devicetree path when
searching for dtb and dtbo build artifacts.
Bug: 264602319
Fixes: 3d42cc9e75a3 ("ANDROID: kbuild: add support for compiling external device trees")
Change-Id: I45fdfdef09c3d57401d98e5db731273147d7d265
[isaacmanjarres: resolved trivial merge conflict]
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
This reverts commit 1af7ed3212.
Bug: 264333547
Test: /data/local/tmp/sebastianene/tests/test_host_app
Change-Id: Id88b705dd725cc8720913fd2909030c2f2fb597f
Signed-off-by: Sebastian Ene <sebastianene@google.com>
The hypervisor memory pool is sized to allow mapping up to 1GiB of data
in the 'private' range of the hypervisor. However, this is currently
not enforced in any way, which might become a problem as private range
mappings are used more and more (e.g. from pKVM modules).
Enforce the 1GiB limit at allocation time, and while at it, rename
__io_map_base to __private_range_base for consistency.
Bug: 244543039
Change-Id: I32c9145ba331309b49428ff461a41c94ea0c1512
Signed-off-by: Quentin Perret <qperret@google.com>
Parse the devicetree during pKVM init to find nodes with the
"pkvm,protected-region" compatible string. These nodes specify a
physical address range in reg that must always be mapped as invalid in
the host stage-2 page table when running under pKVM.
Example DT:
    pkvm_prot_reg: pkvm_prot_reg@80000000 {
        compatible = "pkvm,protected-region";
        reg = <0x00 0x80000000 0x00 0x200000>;
    };
Bug: 244543039
Bug: 244373730
Change-Id: I102cd16c91d96e5283cdd1a4fa58836cc4834eac
Signed-off-by: Quentin Perret <qperret@google.com>
The pKVM memory pool is currently sized to allow page-granularity
mapping in the host stage-2 page-table of all the memory as well as up
to 1GiB of MMIO range. Indeed, pKVM currently assumes that MMIO regions
are completely and solely owned by the host for the entire lifetime of
the system. As such, the pages used to map MMIO regions can always be
recycled to allow forward progress if the memory pool ran out of
pages -- pKVM can unmap MMIO ranges at stage-2 without fear of losing
important information about the state of the underlying page, and those
mappings can always be reconstructed later.
In order to allow transitioning the ownership of non-memory regions,
introduce a concept of pkvm 'moveable' regions, which represents regions
of the physical address space which can be 'moved' from an ownership
perspective. These moveable regions are used to size the hyp memory
pool. In a first step, the list of moveable regions is equal to the
memblock list, but it will be extended in subsequent changes.
No functional changes intended.
Bug: 244543039
Bug: 244373730
Change-Id: I7f451924b1eed9579868e6ff8c7adc7b4a5a0ae1
Signed-off-by: Quentin Perret <qperret@google.com>
The host_get_page_state() logic currently has a baked-in assumption that
it will only be used on memory, and checks against the default memory
permissions to flag pages as having a RESTRICTED_PROT state.
Add support for correctly flagging non-memory pages to prepare the
ground for future patches.
Bug: 244543039
Bug: 244373730
Change-Id: Idaaef96cb98c147c8b793059438064cf770af525
Signed-off-by: Quentin Perret <qperret@google.com>
pKVM uses different default permissions for memory and non-memory
regions of the PA space. To avoid scattering this logic around,
introduce a default_host_prot() helper function.
No functional changes intended.
Bug: 244543039
Bug: 244373730
Change-Id: I36cdbb26a2cb0d54b5641f945f6ede4ffe371045
Signed-off-by: Quentin Perret <qperret@google.com>
pKVM modules may need to be notified in case of unexpected same-level
EL2 exceptions, which result in a hyp panic. To do so, introduce a new
notifier on the hyp_panic path.
Bug: 244373730
Change-Id: I144609a933d648ddf2aebcd950e64d6035bf8be3
Signed-off-by: Quentin Perret <qperret@google.com>
pKVM modules may need to temporarily map large-ish physically contiguous
regions of memory when bootstrapping themselves. In order to support
this use-case, introduce two new APIs in the module_ops struct allowing
to map and unmap pages in pKVM's linear map range. Since pKVM's page
ownership infrastructure relies on linear map PTEs, this needs to be
done with special care. To avoid any problem, let's count the number of
pages mapped by modules and ensure they have been unmapped before
reaching the point of deprivilege.
Bug: 244373730
Change-Id: I4aecb93f5c9ba08d9f830d1f0976704688b98509
Signed-off-by: Quentin Perret <qperret@google.com>
It comes with the commit efbb82d3b0db ("ANDROID: Add a vendor hook
that allow a module to modify the wake flag"). A vendor who wants to
hook sock_def_readable can set this vendor-specific wake flag.
sock_def_readable ->
(vendor hook will call __wake_up_sync_key with a custom mode) ->
__wake_up_sync_key ->
(vendor hook changes wake_flags per the custom mode) ->
__wake_up_common -> default_wake_function
It is Android-specific since it works with a vendor hook.
Bug: 189858948
Bug: 226256614
Bug: 263838089
Signed-off-by: Namkyu Kim <namkyu78.kim@samsung.com>
Change-Id: Idc23c1c47f7d83b298c0b2560859f1ce2761fd85
(cherry picked from commit 4c1097df5d9bca84a1922adc752794db9b615a3e)
(cherry picked from commit 87b89ce83b2c0228b5a8300dbf5a63027eabc036)
Signed-off-by: Dongseok Yi <dseok.yi@samsung.com>
android_vh_do_wake_up_sync:
To modify the mode value of __wake_up_sync_key
android_vh_set_wake_flags:
To modify the wake flag from a module
Bug: 181743516
Bug: 263838089
Signed-off-by: Namkyu Kim <namkyu78.kim@samsung.com>
Change-Id: I972e2469c3f139373d21f1e8c85974763388a693
(cherry picked from commit 97368fc2dcc29777e8d3d637d0afdef90e611763)
(cherry picked from commit 0d0f0c5020)
[Dongseok Yi: Moved into kernel/sched/vendor_hooks.c per commit
5f657b04f4 ("ANDROID: subsystem-specific vendor_hooks.c for
sched")]
Signed-off-by: Dongseok Yi <dseok.yi@samsung.com>
Add the hook for the waiter list of futex to allow
vendors to perform wait queue enhancement.
Bug: 264007752
Signed-off-by: JianMin Liu <jian-min.liu@mediatek.com>
Signed-off-by: Guanwun Chen <guan-wun.chen@mediatek.com>
Change-Id: I68218b89c35b23aa5529099bb0bbbd031bdeafef
Add the hook to apply vendor's performance tune for owner
of rwsem.
Add the hook for the waiter list of rwsem to allow
vendor to perform waiting queue enhancement
ANDROID_VENDOR_DATA added to rw_semaphore
Bug: 264007752
Signed-off-by: JianMin Liu <jian-min.liu@mediatek.com>
Signed-off-by: Guanwun Chen <guan-wun.chen@mediatek.com>
Change-Id: I007a5e26f3db2adaeaf4e5ccea414ce7abfa83b8
The new sysctl sched_pelt_multiplier allows a user to set a clock
multiplier to x2 or x4 (x1 being the default). This clock multiplier
artificially speeds up PELT ramp up/down similarly to using a faster
half-life than the default 32ms.
- x1: 32ms half-life
- x2: 16ms half-life
- x4: 8ms half-life
Internally, a new clock is created: rq->clock_task_mult. It sits in the
clock hierarchy between rq->clock_task and rq->clock_pelt.
Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Bug: 263742061
Link: https://lore.kernel.org/lkml/20220829055450.1703092-2-dietmar.eggemann@arm.com
Change-Id: Id379ff3cf07733ae63a854bc1e5af64426576788
Signed-off-by: Jing-Ting Wu <Jing-Ting.Wu@mediatek.com>
* aosp/upstream-f2fs-stable-linux-6.1.y:
f2fs: let's avoid panic if extent_tree is not created
f2fs: should use a temp extent_info for lookup
f2fs: don't mix to use union values in extent_info
f2fs: initialize extent_cache parameter
f2fs: fix to avoid NULL pointer dereference in f2fs_issue_flush()
fscrypt: add additional documentation for SM4 support
fscrypt: remove unused Speck definitions
fscrypt: Add SM4 XTS/CTS symmetric algorithm support
blk-crypto: Add support for SM4-XTS blk crypto mode
blk-crypto: pass a gendisk to blk_crypto_sysfs_{,un}register
fscrypt: add comment for fscrypt_valid_enc_modes_v1()
blk-crypto: Add a missing include directive
blk-crypto: move internal only declarations to blk-crypto-internal.h
blk-crypto: add a blk_crypto_config_supported_natively helper
blk-crypto: don't use struct request_queue for public interfaces
fscrypt: pass super_block to fscrypt_put_master_key_activeref()
Bug: 256243893
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I367525066c097ee6ebeb4cf59d7a1c4b23b65c8a
Export clocksource_mmio_init and clocksource_mmio_readl_up
to support building clocksource driver as module,
such as timer-mediatek.c.
Bug: 161675989
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
Change-Id: I7df2f2ac62f2322c1d32686907cb0bd87639f6fc
(cherry picked from commit bd213d9a67050fdd380a1c1d94a5388f8041f28a)
The hardware-wrapped key support in this branch is based on my patch
"[RFC PATCH v3 3/3] fscrypt: add support for hardware-wrapped keys"
(https://lore.kernel.org/r/20211021181608.54127-4-ebiggers@kernel.org)
I've since made several updates to that patch and it is now at v7.
This commit brings in the updates from v3 to v7, to the extent possible
while retaining compatibility with the UAPI and on-disk format used for
this feature in Android. This mainly includes some improved log
messages, and compatibility with the blk-crypto updates.
Bug: 160883801
Link: https://lore.kernel.org/all/20221216203636.81491-5-ebiggers@kernel.org
Change-Id: I1c43ca55ec7e95dd06f8f7944100ffd14771d3a7
Signed-off-by: Eric Biggers <ebiggers@google.com>
Update this code to be compatible with the updated version of
"block: add basic hardware-wrapped key support".
Bug: 160883801
Change-Id: Ic6991ad163035870ace3cd468f53b21a824c5359
Signed-off-by: Eric Biggers <ebiggers@google.com>
The hardware-wrapped key support in this branch is based on my patch
"[RFC PATCH v3 1/3] block: add basic hardware-wrapped key support"
(https://lore.kernel.org/all/20211021181608.54127-2-ebiggers@kernel.org).
I've since made several updates to that patch and it is now at v7.
This commit brings in the updates from v3 to v7. The main change is
making blk_crypto_derive_sw_secret() operate on a struct block_device,
and adding blk_crypto_hw_wrapped_keys_compatible(). This aligns with
changes upstream in v6.1 and v6.2 that removed block-layer internal
structures from the API that blk-crypto exposes to upper layers.
There's also a slight change in prototype for ->derive_sw_secret, so a
couple out-of-tree drivers will need to be updated, but people
maintaining out-of-tree drivers know what they are dealing with anyway.
Bug: 160883801
Link: https://lore.kernel.org/r/20221216203636.81491-2-ebiggers@kernel.org
Change-Id: I0f285c11c2764064cd4a9d6eac0089099a9601ed
Signed-off-by: Eric Biggers <ebiggers@google.com>