mirror of
https://github.com/torvalds/linux.git
synced 2026-06-07 05:55:44 +02:00
6be141eb36
In order to comply with FIPS 140-2 requirements, implement a fips140
module that carries all AES, SHA-xxx and DRBG implementations with the
associated chaining mode templates, and perform an integrity selfcheck
at load time. The algorithms contained in the module will be registered
with the crypto API, and will supersede any existing copies of the same
algorithms that were already being provided by the core kernel.
Bug: 153614920
Bug: 188620248
Test: boot tested on Pixel hw both with and without a live algo ('hmac(sha1-ce)')
Change-Id: Ia893d9992fc12e2617d1ed2899c9794859c389d1
Signed-off-by: Ard Biesheuvel <ardb@google.com>
37 lines
1.1 KiB
C
37 lines
1.1 KiB
C
#ifdef CONFIG_ARM64_MODULE_PLTS
|
|
SECTIONS {
|
|
.plt 0 (NOLOAD) : { BYTE(0) }
|
|
.init.plt 0 (NOLOAD) : { BYTE(0) }
|
|
.text.ftrace_trampoline 0 (NOLOAD) : { BYTE(0) }
|
|
|
|
#ifdef CONFIG_CRYPTO_FIPS140
|
|
/*
|
|
* The FIPS140 module incorporates copies of builtin code, which gets
|
|
* integrity checked at module load time, and registered in a way that
|
|
* ensures that the integrity checked versions supersede the builtin
|
|
* ones. These objects are compiled as builtin code, and so their init
|
|
* hooks will be exported from the binary in the same way as builtin
|
|
* initcalls are, i.e., annotated with a level that defines the order
|
|
* in which the hooks are expected to be invoked.
|
|
*/
|
|
#define INIT_CALLS_LEVEL(level) \
|
|
KEEP(*(.initcall##level##.init*)) \
|
|
KEEP(*(.initcall##level##s.init*))
|
|
|
|
.initcalls : {
|
|
*(.initcalls._start)
|
|
INIT_CALLS_LEVEL(0)
|
|
INIT_CALLS_LEVEL(1)
|
|
INIT_CALLS_LEVEL(2)
|
|
INIT_CALLS_LEVEL(3)
|
|
INIT_CALLS_LEVEL(4)
|
|
INIT_CALLS_LEVEL(5)
|
|
INIT_CALLS_LEVEL(rootfs)
|
|
INIT_CALLS_LEVEL(6)
|
|
INIT_CALLS_LEVEL(7)
|
|
*(.initcalls._end)
|
|
}
|
|
#endif
|
|
}
|
|
#endif
|