android_kernel_xiaomi_sm8450

xiaomi-sm8450/android_kernel_xiaomi_sm8450

Fork 0

Commit Graph

Author	SHA1	Message	Date
Eric Biggers	109f31ac23	ANDROID: fips140: add userspace interface for evaluation testing The FIPS lab is required to test the service indicators and version information services of the module, i.e. the fips140_is_approved_service() and fips140_module_version() functions. There are several ways we could support this: - Implement the tests in the module ourselves. However it's unclear that CMVP would allow this, and we would need the full list of tests, which could change over time depending on what the lab decides to do. - Support the lab writing, building, and loading a custom kernel module (or a custom kernel image) that tests these functions. - Provide a userspace interface to these services, restricted to builds with CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y. This would allow writing the tests in userspace, which would be much easier. Implement the last solution, since it's the easier of the two solutions that are "guaranteed" to be allowed. Make the module register a char device which supports some ioctls, one per function that needs to be tested. Also provide some sample userspace code in samples/crypto/. Note: copy_to_user() would break the integrity check, so take some care to exclude it. This is allowed since this is non-production code. Bug: 188620248 Change-Id: Ic256d9c5bd4d0c57ede88a3e3e76e89554909b38 Signed-off-by: Eric Biggers <ebiggers@google.com>	2021-11-23 18:02:43 +00:00
Eric Biggers	97fb2104fe	ANDROID: fips140: add support for injecting integrity error The lab is required to test injecting an integrity error, so add a module parameter fail_integrity_check=1 which does this. This parameter is only supported when CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y. Bug: 188620248 Change-Id: I1f3683837706dc1df2755ca5b6e88f21f7956135 Signed-off-by: Eric Biggers <ebiggers@google.com>	2021-11-23 18:02:33 +00:00
Eric Biggers	903e97a0ca	ANDROID: fips140: refactor evaluation testing support It turns out that we have to add more code to the module to support lab evaluation testing, beyond the error injection support we currently have. Therefore, rename CONFIG_CRYPTO_FIPS140_MOD_ERROR_INJECTION to CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING, and move the relevant code into a new file fips140-eval-testing.c which is conditionally compiled. Also rename the "broken_alg" module parameter to "fail_selftest" so that it is similar to "fail_integrity_check" which we'll be adding. Bug: 188620248 Change-Id: I01bcbf7525690e277854ba4ed8dd89e7cd08d98e Signed-off-by: Eric Biggers <ebiggers@google.com>	2021-11-23 18:02:24 +00:00

Author

SHA1

Message

Date

Eric Biggers

109f31ac23

ANDROID: fips140: add userspace interface for evaluation testing

The FIPS lab is required to test the service indicators and version
information services of the module, i.e. the
fips140_is_approved_service() and fips140_module_version() functions.
There are several ways we could support this:

- Implement the tests in the module ourselves.  However it's unclear
  that CMVP would allow this, and we would need the full list of tests,
  which could change over time depending on what the lab decides to do.

- Support the lab writing, building, and loading a custom kernel module
  (or a custom kernel image) that tests these functions.

- Provide a userspace interface to these services, restricted to builds
  with CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y.  This would allow
  writing the tests in userspace, which would be much easier.

Implement the last solution, since it's the easier of the two solutions
that are "guaranteed" to be allowed.  Make the module register a char
device which supports some ioctls, one per function that needs to be
tested.  Also provide some sample userspace code in samples/crypto/.

Note: copy_to_user() would break the integrity check, so take some care
to exclude it.  This is allowed since this is non-production code.

Bug: 188620248
Change-Id: Ic256d9c5bd4d0c57ede88a3e3e76e89554909b38
Signed-off-by: Eric Biggers <ebiggers@google.com>

2021-11-23 18:02:43 +00:00

Eric Biggers

97fb2104fe

ANDROID: fips140: add support for injecting integrity error

The lab is required to test injecting an integrity error, so add a
module parameter fail_integrity_check=1 which does this.  This parameter
is only supported when CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING=y.

Bug: 188620248
Change-Id: I1f3683837706dc1df2755ca5b6e88f21f7956135
Signed-off-by: Eric Biggers <ebiggers@google.com>

2021-11-23 18:02:33 +00:00

Eric Biggers

903e97a0ca

ANDROID: fips140: refactor evaluation testing support

It turns out that we have to add more code to the module to support lab
evaluation testing, beyond the error injection support we currently
have.  Therefore, rename CONFIG_CRYPTO_FIPS140_MOD_ERROR_INJECTION to
CONFIG_CRYPTO_FIPS140_MOD_EVAL_TESTING, and move the relevant code into
a new file fips140-eval-testing.c which is conditionally compiled.

Also rename the "broken_alg" module parameter to "fail_selftest" so that
it is similar to "fail_integrity_check" which we'll be adding.

Bug: 188620248
Change-Id: I01bcbf7525690e277854ba4ed8dd89e7cd08d98e
Signed-off-by: Eric Biggers <ebiggers@google.com>

2021-11-23 18:02:24 +00:00

3 Commits