ANDROID: fips140: add support for injecting integrity error

The lab is required to test injecting an integrity error, so add a
module parameter fail_integrity_check=1 which does this.  This parameter
is only supported when CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y.

Bug: 188620248
Change-Id: I1f3683837706dc1df2755ca5b6e88f21f7956135
Signed-off-by: Eric Biggers <ebiggers@google.com>
Eric Biggers 2021-11-18 16:09:10 -08:00
parent 903e97a0ca
commit 97fb2104fe
3 changed files with 17 additions and 0 deletions


@ -18,6 +18,10 @@
static char *fips140_fail_selftest;
module_param_named(fail_selftest, fips140_fail_selftest, charp, 0);
/* This option allows deliberately failing the integrity check. */
static bool fips140_fail_integrity_check;
module_param_named(fail_integrity_check, fips140_fail_integrity_check, bool, 0);
/* Inject a self-test failure (via corrupting the result) if requested. */
void fips140_inject_selftest_failure(const char *impl, u8 *result)
{
@ -25,6 +29,13 @@ void fips140_inject_selftest_failure(const char *impl, u8 *result)
result[0] ^= 0xff;
}
/* Inject an integrity check failure (via corrupting the text) if requested. */
void fips140_inject_integrity_failure(u8 *textcopy)
{
if (fips140_fail_integrity_check)
textcopy[0] ^= 0xff;
}
bool fips140_eval_testing_init(void)
{
return true;
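Review bot: `fips140_inject_integrity_failure()` corrupts `textcopy[0]` without logging anything, so the resulting integrity failure cannot be told apart in the kernel log from a genuine mismatch of the module text. Logging at the point of injection would make that attribution explicit for whoever triages the boot log, for example `pr_info("injecting integrity check failure\n");` inside a braced `if (fips140_fail_integrity_check) { ... }`. The same seems to apply to `fips140_inject_selftest_failure()`, though only the tail of its body is visible in this hunk. Since the commit message says the parameter exists only under CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING, the comment on `fips140_fail_integrity_check` could also state that the option is meant for lab evaluation builds and not for shipping kernels.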


@ -388,6 +388,8 @@ static bool __init check_fips140_module_hmac(void)
offset_to_ptr(&fips140_rela_rodata.offset),
fips140_rela_rodata.count);
fips140_inject_integrity_failure(textcopy);
tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
if (IS_ERR(tfm)) {
pr_err("failed to allocate hmac tfm (%ld)\n", PTR_ERR(tfm));
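Review bot: The new call to `fips140_inject_integrity_failure(textcopy)` sits in the integrity-check path without a comment, so a reader of this function cannot tell that it is a test-only hook. A one-line comment above it would do, e.g. `/* Eval-testing hook: no-op unless CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y. */`, which matches the empty inline stub this commit adds to the header. Going by the visible lines, the hook modifies the buffer that is about to be hashed (`textcopy`) rather than the loaded module text, and the comment could say so once that is confirmed. `check_fips140_module_hmac()` begins and ends outside this hunk.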


@ -23,11 +23,15 @@
/* fips140-eval-testing.c */
#ifdef CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING
void fips140_inject_selftest_failure(const char *impl, u8 *result);
void fips140_inject_integrity_failure(u8 *textcopy);
bool fips140_eval_testing_init(void);
#else
static inline void fips140_inject_selftest_failure(const char *impl, u8 *result)
{
}
static inline void fips140_inject_integrity_failure(u8 *textcopy)
{
}
static inline bool fips140_eval_testing_init(void)
{
return true;