From 3f5807c586a627d7d2da02bb3daff87564577172 Mon Sep 17 00:00:00 2001
From: Konstantin Vyshetsky
Date: Tue, 5 Mar 2024 13:42:14 -0800
Subject: [PATCH] ANDROID: fips140: change linker script guard
Currently, the linker script's support for merging module's section is guarded by either CONFIG_LTO_CLANG or CONFIG_CRYPTO_FIPS140_MOD. This functionally is also needed by additional fips140 modules built out of tree. So, have an explicit config (CRYPTO_FIPS140_MERGE_MOD_SECTIONS) that can be selected by the various fips140 modules without having to depend on and enabling CONFIG_CRYPTO_FIPS140_MOD.
Bug: 281657135
Change-Id: I2af727813151ba839a95696bc847e2a841a7175a
Signed-off-by: Konstantin Vyshetsky
---
crypto/Kconfig | 10 ++++++++++
scripts/module.lds.S | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 532c454f57ee..a537398bc27b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -58,6 +58,7 @@ config CRYPTO_FIPS140_MOD
 tristate "Enable FIPS 140 cryptographic module"
 depends on ARM64 && ARM64_MODULE_PLTS
 depends on m
+ select CRYPTO_FIPS140_MERGE_MOD_SECTIONS
 help
 This option enables building a loadable module fips140.ko, which contains various crypto algorithms that are also built into vmlinux.
@@ -79,6 +80,15 @@ config CRYPTO_FIPS140_MOD_EVAL_TESTING
 errors and support for a userspace interface to some of the module's services. This option should not be enabled in production builds.
+config CRYPTO_FIPS140_MERGE_MOD_SECTIONS
+ bool
+ help
+ This option causes the module linker script to place the delimeters
+ of the text and rodata sections at the appropriate places so that
+ the FIPS 140 integrity check can be performed. This option is required
+ by the Crypto FIPS 140 module, and can be enabled by other FIPS 140
+ modules using the same logic to perform the self integrity check.
+
 config CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK
 bool "Debug the integrity check in FIPS 140 module"
 depends on CRYPTO_FIPS140_MOD
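Review bot: The help text of the new `CRYPTO_FIPS140_MERGE_MOD_SECTIONS` symbol says it "can be enabled by other FIPS 140 modules", but the symbol is a `bool` with no prompt, so it can only be turned on by a `select` from another Kconfig entry; a value written into a defconfig or config fragment would be dropped. The help text ties the section delimiters to the integrity check, so a module built in the belief that the option is set when it is not would presumably not check the intended text and rodata range, which makes the exact wording matter. I would end the paragraph with `by the Crypto FIPS 140 module, and must be selected by other FIPS 140` / `modules using the same logic to perform the self integrity check.` The same help text spells "delimiters" as `delimeters`.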
diff --git a/scripts/module.lds.S b/scripts/module.lds.S
index 94bb2d6b3052..9e1afd5cc7b1 100644
--- a/scripts/module.lds.S
+++ b/scripts/module.lds.S
@@ -62,7 +62,7 @@ SECTIONS { } #endif
-#if defined(CONFIG_LTO_CLANG) || IS_ENABLED(CONFIG_CRYPTO_FIPS140_MOD)
+#if defined(CONFIG_LTO_CLANG) || defined(CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS)
 /*
 * With CONFIG_LTO_CLANG, LLD always enables -fdata-sections and
 * -ffunction-sections, which increases the size of the final module.
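Review bot: The new guard tests `defined(CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS)` where the line it replaces used `IS_ENABLED()`. The two agree while the symbol is a `bool`, but `defined()` silently becomes false if the symbol is ever made tristate and set to `m`, and the merged sections are what the integrity check depends on according to the new Kconfig help text. Keeping the macro form avoids that: `#if defined(CONFIG_LTO_CLANG) || IS_ENABLED(CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS)`. The comment under the guard continues outside the hunk; the part shown gives only the LTO reason for merging, so it is worth checking that it also names the FIPS 140 case.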