109f31ac23
The FIPS lab is required to test the service indicators and version information services of the module, i.e. the fips140_is_approved_service() and fips140_module_version() functions. There are several ways we could support this: - Implement the tests in the module ourselves. However it's unclear that CMVP would allow this, and we would need the full list of tests, which could change over time depending on what the lab decides to do. - Support the lab writing, building, and loading a custom kernel module (or a custom kernel image) that tests these functions. - Provide a userspace interface to these services, restricted to builds with CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y. This would allow writing the tests in userspace, which would be much easier. Implement the last solution, since it's the easier of the two solutions that are "guaranteed" to be allowed. Make the module register a char device which supports some ioctls, one per function that needs to be tested. Also provide some sample userspace code in samples/crypto/. Note: copy_to_user() would break the integrity check, so take some care to exclude it. This is allowed since this is non-production code. Bug: 188620248 Change-Id: Ic256d9c5bd4d0c57ede88a3e3e76e89554909b38 Signed-off-by: Eric Biggers <ebiggers@google.com>
130 lines
3.6 KiB
C
130 lines
3.6 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Copyright 2021 Google LLC
|
|
*
|
|
* This file can optionally be built into fips140.ko in order to support certain
|
|
* types of testing that the FIPS lab has to do to evaluate the module. It
|
|
* should not be included in production builds of the module.
|
|
*/
|
|
|
|
/*
|
|
* We have to redefine inline to mean always_inline, so that _copy_to_user()
|
|
* gets inlined. This is needed for it to be placed into the correct section.
|
|
* See fips140_copy_to_user().
|
|
*
|
|
* We also need to undefine BUILD_FIPS140_KO to allow the use of the code
|
|
* patching which copy_to_user() requires.
|
|
*/
|
|
#undef inline
|
|
#define inline inline __attribute__((__always_inline__)) __gnu_inline \
|
|
__inline_maybe_unused notrace
|
|
#undef BUILD_FIPS140_KO
|
|
|
|
#include <linux/cdev.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
|
|
#include "fips140-module.h"
|
|
#include "fips140-eval-testing-uapi.h"
|
|
|
|
/*
|
|
* This option allows deliberately failing the self-tests for a particular
|
|
* algorithm.
|
|
*/
|
|
static char *fips140_fail_selftest;
|
|
module_param_named(fail_selftest, fips140_fail_selftest, charp, 0);
|
|
|
|
/* This option allows deliberately failing the integrity check. */
|
|
static bool fips140_fail_integrity_check;
|
|
module_param_named(fail_integrity_check, fips140_fail_integrity_check, bool, 0);
|
|
|
|
static dev_t fips140_devnum;
|
|
static struct cdev fips140_cdev;
|
|
|
|
/* Inject a self-test failure (via corrupting the result) if requested. */
|
|
void fips140_inject_selftest_failure(const char *impl, u8 *result)
|
|
{
|
|
if (fips140_fail_selftest && strcmp(impl, fips140_fail_selftest) == 0)
|
|
result[0] ^= 0xff;
|
|
}
|
|
|
|
/* Inject an integrity check failure (via corrupting the text) if requested. */
|
|
void fips140_inject_integrity_failure(u8 *textcopy)
|
|
{
|
|
if (fips140_fail_integrity_check)
|
|
textcopy[0] ^= 0xff;
|
|
}
|
|
|
|
static long fips140_ioctl_is_approved_service(unsigned long arg)
|
|
{
|
|
const char *service_name = strndup_user((const char __user *)arg, 256);
|
|
long ret;
|
|
|
|
if (IS_ERR(service_name))
|
|
return PTR_ERR(service_name);
|
|
|
|
ret = fips140_is_approved_service(service_name);
|
|
|
|
kfree(service_name);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Code in fips140.ko is covered by an integrity check by default, and this
|
|
* check breaks if copy_to_user() is called. This is because copy_to_user() is
|
|
* an inline function that relies on code patching. However, since this is
|
|
* "evaluation testing" code which isn't included in the production builds of
|
|
* fips140.ko, it's acceptable to just exclude it from the integrity check.
|
|
*/
|
|
static noinline unsigned long __section("text.._fips140_unchecked")
|
|
fips140_copy_to_user(void __user *to, const void *from, unsigned long n)
|
|
{
|
|
return copy_to_user(to, from, n);
|
|
}
|
|
|
|
static long fips140_ioctl_module_version(unsigned long arg)
|
|
{
|
|
const char *version = fips140_module_version();
|
|
size_t len = strlen(version) + 1;
|
|
|
|
if (len > 256)
|
|
return -EOVERFLOW;
|
|
|
|
if (fips140_copy_to_user((void __user *)arg, version, len))
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static long fips140_ioctl(struct file *file, unsigned int cmd,
|
|
unsigned long arg)
|
|
{
|
|
switch (cmd) {
|
|
case FIPS140_IOCTL_IS_APPROVED_SERVICE:
|
|
return fips140_ioctl_is_approved_service(arg);
|
|
case FIPS140_IOCTL_MODULE_VERSION:
|
|
return fips140_ioctl_module_version(arg);
|
|
default:
|
|
return -ENOTTY;
|
|
}
|
|
}
|
|
|
|
static const struct file_operations fips140_fops = {
|
|
.unlocked_ioctl = fips140_ioctl,
|
|
};
|
|
|
|
bool fips140_eval_testing_init(void)
|
|
{
|
|
if (alloc_chrdev_region(&fips140_devnum, 1, 1, "fips140") != 0) {
|
|
pr_err("failed to allocate device number\n");
|
|
return false;
|
|
}
|
|
cdev_init(&fips140_cdev, &fips140_fops);
|
|
if (cdev_add(&fips140_cdev, fips140_devnum, 1) != 0) {
|
|
pr_err("failed to add fips140 character device\n");
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|