commit 6be141eb36feae286459c464fa94f125faa16230
author Ard Biesheuvel <ardb@kernel.org> Tue Mar 23 10:54:38 2021 +0100
committer Ard Biesheuvel <ardb@google.com> Fri Jun 11 07:49:58 2021 +0000
tree 91b240dbf0b84cc466993cbc16da59a2f4d8c774
parent 0672a69424e558395607278c24e378fcb8be8372

ANDROID: crypto: fips140 - perform load time integrity check

In order to comply with FIPS 140-2 requirements, implement a fips140
module that carries all AES, SHA-xxx and DRBG implementations with the
associated chaining mode templates, and perform an integrity selfcheck
at load time. The algorithms contained in the module will be registered
with the crypto API, and will supersede any existing copies of the same
algorithms that were already being provided by the core kernel.

Bug: 153614920
Bug: 188620248
Test: boot tested on Pixel hw both with and without a live algo ('hmac(sha1-ce)')
Change-Id: Ia893d9992fc12e2617d1ed2899c9794859c389d1
Signed-off-by: Ard Biesheuvel <ardb@google.com>

build.config.gki.aarch64.fips140

diff --git a/build.config.gki.aarch64.fips140 b/build.config.gki.aarch64.fips140
new file mode 100644
index 0000000..040d73a
--- /dev/null
+++ b/build.config.gki.aarch64.fips140
@@ -0,0 +1,17 @@
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki.aarch64
+
+FILES="${FILES}
+crypto/fips140.ko
+"
+
+if [ "${LTO}" = "none" ]; then
+	echo "The FIPS140 module needs LTO to be enabled."
+	exit 1
+fi
+
+MODULES_ORDER=android/gki_aarch64_fips140_modules
+KERNEL_DIR=common
+
+DEFCONFIG=fips140_gki_defconfig
+PRE_DEFCONFIG_CMDS="cat ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/fips140_gki.fragment > ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG};"
+POST_DEFCONFIG_CMDS="rm ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG}"