1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright 2021 Google LLC
*
* This file can optionally be built into fips140.ko in order to support certain
* types of testing that the FIPS lab has to do to evaluate the module. It
* should not be included in production builds of the module.
*/
/*
* We have to redefine inline to mean always_inline, so that _copy_to_user()
* gets inlined. This is needed for it to be placed into the correct section.
* See fips140_copy_to_user().
*
* We also need to undefine BUILD_FIPS140_KO to allow the use of the code
* patching which copy_to_user() requires.
*/
#undef inline
#define inline inline __attribute__((__always_inline__)) __gnu_inline \
__inline_maybe_unused notrace
#undef BUILD_FIPS140_KO
#include <linux/cdev.h>
#include <linux/fs.h>
#include <linux/module.h>
#include <linux/slab.h>
#include "fips140-module.h"
#include "fips140-eval-testing-uapi.h"
/*
* This option allows deliberately failing the self-tests for a particular
* algorithm.
*/
static char *fips140_fail_selftest;
module_param_named(fail_selftest, fips140_fail_selftest, charp, 0);
/* This option allows deliberately failing the integrity check. */
static bool fips140_fail_integrity_check;
module_param_named(fail_integrity_check, fips140_fail_integrity_check, bool, 0);
static dev_t fips140_devnum;
static struct cdev fips140_cdev;
/* Inject a self-test failure (via corrupting the result) if requested. */
void fips140_inject_selftest_failure(const char *impl, u8 *result)
{
if (fips140_fail_selftest && strcmp(impl, fips140_fail_selftest) == 0)
result[0] ^= 0xff;
}
/* Inject an integrity check failure (via corrupting the text) if requested. */
void fips140_inject_integrity_failure(u8 *textcopy)
{
if (fips140_fail_integrity_check)
textcopy[0] ^= 0xff;
}
static long fips140_ioctl_is_approved_service(unsigned long arg)
{
const char *service_name = strndup_user((const char __user *)arg, 256);
long ret;
if (IS_ERR(service_name))
return PTR_ERR(service_name);
ret = fips140_is_approved_service(service_name);
kfree(service_name);
return ret;
}
/*
* Code in fips140.ko is covered by an integrity check by default, and this
* check breaks if copy_to_user() is called. This is because copy_to_user() is
* an inline function that relies on code patching. However, since this is
* "evaluation testing" code which isn't included in the production builds of
* fips140.ko, it's acceptable to just exclude it from the integrity check.
*/
static noinline unsigned long __section("text.._fips140_unchecked")
fips140_copy_to_user(void __user *to, const void *from, unsigned long n)
{
return copy_to_user(to, from, n);
}
static long fips140_ioctl_module_version(unsigned long arg)
{
const char *version = fips140_module_version();
size_t len = strlen(version) + 1;
if (len > 256)
return -EOVERFLOW;
if (fips140_copy_to_user((void __user *)arg, version, len))
return -EFAULT;
return 0;
}
static long fips140_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
{
switch (cmd) {
case FIPS140_IOCTL_IS_APPROVED_SERVICE:
return fips140_ioctl_is_approved_service(arg);
case FIPS140_IOCTL_MODULE_VERSION:
return fips140_ioctl_module_version(arg);
default:
return -ENOTTY;
}
}
static const struct file_operations fips140_fops = {
.unlocked_ioctl = fips140_ioctl,
};
bool fips140_eval_testing_init(void)
{
if (alloc_chrdev_region(&fips140_devnum, 1, 1, "fips140") != 0) {
pr_err("failed to allocate device number\n");
return false;
}
cdev_init(&fips140_cdev, &fips140_fops);
if (cdev_add(&fips140_cdev, fips140_devnum, 1) != 0) {
pr_err("failed to add fips140 character device\n");
return false;
}
return true;
}
|
