ANDROID: fips140: add name and version, and a function to retrieve them
This is needed to meet a FIPS 140-3 requirement that modules provide a service that retrieves their name and versioning information. Bug: 188620248 Change-Id: I36049c839c4217e3616daab52ec536b46479c12a Signed-off-by: Eric Biggers <ebiggers@google.com> (cherry picked from commit 2888f960d09f3af00d1e45f1facd311ccd5b778a)
parent
64d769e53f
commit
8d7f609cda
|
@ -171,6 +171,27 @@ bool fips140_is_approved_service(const char *name)
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(fips140_is_approved_service);
|
||||
|
||||
/*
|
||||
* FIPS 140-3 requires that modules provide a "service" that outputs "the name
|
||||
* or module identifier and the versioning information that can be correlated
|
||||
* with a validation record". This function meets that requirement.
|
||||
*
|
||||
* Note: the module also prints this same information to the kernel log when it
|
||||
* is loaded. That might meet the requirement by itself. However, given the
|
||||
* vagueness of what counts as a "service", we provide this function too, just
|
||||
* in case the certification lab or CMVP is happier with an explicit function.
|
||||
*
|
||||
* Note: /sys/modules/fips140/scmversion also provides versioning information
|
||||
* about the module. However that file just shows the bare git commit ID, so it
|
||||
* probably isn't sufficient to meet the FIPS requirement, which seems to want
|
||||
* the "official" module name and version number used in the FIPS certificate.
|
||||
*/
|
||||
const char *fips140_module_version(void)
|
||||
{
|
||||
return FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(fips140_module_version);
|
||||
|
||||
static LIST_HEAD(existing_live_algos);
|
||||
|
||||
/*
|
||||
|
@ -478,7 +499,7 @@ fips140_init(void)
|
|||
{
|
||||
const u32 *initcall;
|
||||
|
||||
pr_info("loading module\n");
|
||||
pr_info("loading " FIPS140_MODULE_NAME " " FIPS140_MODULE_VERSION "\n");
|
||||
fips140_init_thread = current;
|
||||
|
||||
unregister_existing_fips140_algos();
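Review bot: The comment above fips140_module_version() in the first hunk names the sysfs file as `/sys/modules/fips140/scmversion`, but module attributes are exposed under `/sys/module/` (singular), so the path as written does not exist. I would change that line to ` * Note: /sys/module/fips140/scmversion also provides versioning information`, because anyone following the comment to cross-check the commit ID against the reported version will look for the path literally. The comment could also state that the returned string is a compile-time literal with static storage, so callers must not free or modify it.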
|
||||
|
|
|
@ -12,6 +12,14 @@
|
|||
#undef pr_fmt
|
||||
#define pr_fmt(fmt) "fips140: " fmt
|
||||
|
||||
/*
|
||||
* This is the name and version number of the module that are shown on the FIPS
|
||||
* certificate. These don't necessarily have any relation to the filename of
|
||||
* the .ko file, or to the git branch or commit ID.
|
||||
*/
|
||||
#define FIPS140_MODULE_NAME "Android Kernel Cryptographic Module"
|
||||
#define FIPS140_MODULE_VERSION "v1.0"
|
||||
|
||||
#ifdef CONFIG_CRYPTO_FIPS140_MOD_ERROR_INJECTION
|
||||
extern char *fips140_broken_alg;
|
||||
#endif
|
||||
|
@ -22,5 +30,6 @@ extern struct task_struct *fips140_init_thread;
|
|||
bool __init __must_check fips140_run_selftests(void);
|
||||
|
||||
bool fips140_is_approved_service(const char *name);
|
||||
const char *fips140_module_version(void);
|
||||
|
||||
#endif /* _CRYPTO_FIPS140_MODULE_H */
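Review bot: `FIPS140_MODULE_VERSION` is a hand-maintained literal, and nothing visible in this header ties it to the module's actual contents, so the string returned by fips140_module_version() and printed at load time can drift from what was validated. Since the added comment says these are the values shown on the FIPS certificate, I would extend it with a maintenance rule, for example ` * Update FIPS140_MODULE_VERSION whenever a change to the module requires a new or updated certificate.` Whether a release process outside this file already enforces that is not visible here.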
|
||||
|
|