ANDROID: fips140: add name and version, and a function to retrieve them
This is needed to meet a FIPS 140-3 requirement that modules provide a
service that retrieves their name and versioning information.
Bug: 188620248
Change-Id: I36049c839c4217e3616daab52ec536b46479c12a
Signed-off-by: Eric Biggers <ebiggers@google.com>
(cherry picked from commit 2888f960d09f3af00d1e45f1facd311ccd5b778a)
diff --git a/crypto/fips140-module.c b/crypto/fips140-module.c
index 79b09b0..5e42891 100644
--- a/crypto/fips140-module.c
+++ b/crypto/fips140-module.c
@@ -171,6 +171,27 @@ bool fips140_is_approved_service(const char *name)
}
EXPORT_SYMBOL_GPL(fips140_is_approved_service);
+/*
+ * FIPS 140-3 requires that modules provide a "service" that outputs "the name
+ * or module identifier and the versioning information that can be correlated
+ * with a validation record". This function meets that requirement.
+ *
+ * Note: the module also prints this same information to the kernel log when it
+ * is loaded. That might meet the requirement by itself. However, given the
+ * vagueness of what counts as a "service", we provide this function too, just
+ * in case the certification lab or CMVP is happier with an explicit function.
+ *
+ * Note: /sys/modules/fips140/scmversion also provides versioning information
+ * about the module. However that file just shows the bare git commit ID, so it
+ * probably isn't sufficient to meet the FIPS requirement, which seems to want
+ * the "official" module name and version number used in the FIPS certificate.
+ */
+const char *fips140_module_version(void)
+{
+ return FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION;
+}
+EXPORT_SYMBOL_GPL(fips140_module_version);
+
static LIST_HEAD(existing_live_algos);
/*
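Review bot: The second note in the comment above fips140_module_version() cites `/sys/modules/fips140/scmversion`, but sysfs exposes per-module attributes under `/sys/module/` (singular), so the path should read `/sys/module/fips140/scmversion`. The comment explains why the function exists but not its contract, which matters for an exported symbol. I would add a line such as `Returns a pointer to a constant string of the form "<name> <version>"; the caller must not modify or free it.`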
@@ -478,7 +499,7 @@ fips140_init(void)
{
const u32 *initcall;
- pr_info("loading module\n");
+ pr_info("loading " FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION "\n");
fips140_init_thread = current;
unregister_existing_fips140_algos();
diff --git a/crypto/fips140-module.h b/crypto/fips140-module.h
index a01d6c5..ff99d5b 100644
--- a/crypto/fips140-module.h
+++ b/crypto/fips140-module.h
@@ -12,6 +12,14 @@
#undef pr_fmt
#define pr_fmt(fmt) "fips140: " fmt
+/*
+ * This is the name and version number of the module that are shown on the FIPS
+ * certificate. These don't necessarily have any relation to the filename of
+ * the .ko file, or to the git branch or commit ID.
+ */
+#define FIPS140_MODULE_NAME "Android Kernel Cryptographic Module"
+#define FIPS140_MODULE_VERSION "v1.0"
+
#ifdef CONFIG_CRYPTO_FIPS140_MOD_ERROR_INJECTION
extern char *fips140_broken_alg;
#endif
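Review bot: FIPS140_MODULE_VERSION is a hand-maintained literal, and nothing in this hunk ties it to the code that was built, so the version service can keep reporting "v1.0" after the module's contents change. The comment already says the value is unrelated to the git commit ID; it should also say when the value must change, for example `Update FIPS140_MODULE_VERSION whenever the module is submitted for a new validation; it is not derived from the build.` Separately, the pr_info() in fips140_init() and fips140_module_version() each concatenate the two macros by hand. A single combined macro, e.g. `#define FIPS140_MODULE_ID FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION` (name is a suggestion), would keep the logged string and the service output from drifting apart.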
@@ -22,5 +30,6 @@ extern struct task_struct *fips140_init_thread;
bool __init __must_check fips140_run_selftests(void);
bool fips140_is_approved_service(const char *name);
+const char *fips140_module_version(void);
#endif /* _CRYPTO_FIPS140_MODULE_H */