From 8d7f609cdaa460ca266af45ae132bec6ffbe9558 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 2 Nov 2021 14:50:18 -0700
Subject: [PATCH] ANDROID: fips140: add name and version, and a function to retrieve them

This is needed to meet a FIPS 140-3 requirement that modules provide a service that retrieves their name and versioning information.

Bug: 188620248
Change-Id: I36049c839c4217e3616daab52ec536b46479c12a
Signed-off-by: Eric Biggers
(cherry picked from commit 2888f960d09f3af00d1e45f1facd311ccd5b778a)
---
 crypto/fips140-module.c | 23 ++++++++++++++++++++++-
 crypto/fips140-module.h | 9 +++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/crypto/fips140-module.c b/crypto/fips140-module.c
index 79b09b070463..5e42891fbd0d 100644
--- a/crypto/fips140-module.c
+++ b/crypto/fips140-module.c
@@ -171,6 +171,27 @@ bool fips140_is_approved_service(const char *name)
 }
 EXPORT_SYMBOL_GPL(fips140_is_approved_service);
 
+/*
+ * FIPS 140-3 requires that modules provide a "service" that outputs "the name
+ * or module identifier and the versioning information that can be correlated
+ * with a validation record". This function meets that requirement.
+ *
+ * Note: the module also prints this same information to the kernel log when it
+ * is loaded. That might meet the requirement by itself. However, given the
+ * vagueness of what counts as a "service", we provide this function too, just
+ * in case the certification lab or CMVP is happier with an explicit function.
+ *
+ * Note: /sys/modules/fips140/scmversion also provides versioning information
+ * about the module. However that file just shows the bare git commit ID, so it
+ * probably isn't sufficient to meet the FIPS requirement, which seems to want
+ * the "official" module name and version number used in the FIPS certificate.
+ */
+const char *fips140_module_version(void)
+{
+ return FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION;
+}
+EXPORT_SYMBOL_GPL(fips140_module_version);
+
 static LIST_HEAD(existing_live_algos);
 
 /*
@@ -478,7 +499,7 @@ fips140_init(void)
 {
 const u32 *initcall;
 
- pr_info("loading module\n");
+ pr_info("loading " FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION "\n");
 
 fips140_init_thread = current;
 unregister_existing_fips140_algos();
diff --git a/crypto/fips140-module.h b/crypto/fips140-module.h
index a01d6c5c1049..ff99d5b2ab4a 100644
--- a/crypto/fips140-module.h
+++ b/crypto/fips140-module.h
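Review bot: The new comment above fips140_module_version names the sysfs file as `/sys/modules/fips140/scmversion`, but the sysfs module directory is `/sys/module/` (singular), so the path should read `/sys/module/fips140/scmversion`. Because the function is exported with EXPORT_SYMBOL_GPL, the return contract should also be spelled out for out-of-file callers, e.g. a kernel-doc `Return: pointer to a static, NUL-terminated "<name> <version>" string; the caller must not modify or free it.` The second hunk's pr_info change in fips140_init is consistent with this function and needs nothing further; the body of fips140_init continues outside the hunk.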
@@ -12,6 +12,14 @@
 #undef pr_fmt
 #define pr_fmt(fmt) "fips140: " fmt
 
+/*
+ * This is the name and version number of the module that are shown on the FIPS
+ * certificate. These don't necessarily have any relation to the filename of
+ * the .ko file, or to the git branch or commit ID.
+ */
+#define FIPS140_MODULE_NAME "Android Kernel Cryptographic Module"
+#define FIPS140_MODULE_VERSION "v1.0"
+
 #ifdef CONFIG_CRYPTO_FIPS140_MOD_ERROR_INJECTION
 extern char *fips140_broken_alg;
 #endif
@@ -22,5 +30,6 @@ extern struct task_struct *fips140_init_thread;
 
 bool __init __must_check fips140_run_selftests(void);
 bool fips140_is_approved_service(const char *name);
+const char *fips140_module_version(void);
 
 #endif /* _CRYPTO_FIPS140_MODULE_H */
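Review bot: The prototype `const char *fips140_module_version(void);` added in the second hunk carries no comment, while the two macros in the first hunk are the only place the returned string's contents are defined. A one-line comment on the declaration, `/* Returns a static "<FIPS140_MODULE_NAME> <FIPS140_MODULE_VERSION>" string for the FIPS 140-3 name/version service; must not be modified or freed. */`, would let callers use it without reading fips140-module.c. The macro comment could also state that both values must remain string literals, since they are concatenated by the preprocessor into the load-time log message and the function's return value.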