From 960ebb2b565b4aba0428776de57ad767ce7fb5d3 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 4 Aug 2021 17:21:59 -0700 Subject: [PATCH] ANDROID: fips140: add jitterentropy to fips140 module Although jitterentropy doesn't necessarily need to be part of fips140.ko, it does need to have the SP800-90B health tests enabled, and that requires that it be compiled with the fips_enabled flag set. The easiest way to do this is just to include a copy of it in fips140.ko. Bug: 153614920 Bug: 188620248 Change-Id: I9dc0281e07e08e0650e3d340897c697722ad3b1a Signed-off-by: Eric Biggers (cherry picked from commit cae242110570eb204b1a332b717aaa35eb16647d)
---
 crypto/Makefile | 5 +++++ crypto/fips140-module.c | 1 + 2 files changed, 6 insertions(+)
diff --git a/crypto/Makefile b/crypto/Makefile
index 6651b9f1a685..f353273de018 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -202,12 +202,17 @@ ifneq ($(CONFIG_CRYPTO_FIPS140_MOD),)
 FIPS140_CFLAGS := -D__DISABLE_EXPORTS -DBUILD_FIPS140_KO
+CFLAGS_jitterentropy-fips.o := -O0
+KASAN_SANITIZE_jitterentropy-fips.o = n
+UBSAN_SANITIZE_jitterentropy-fips.o = n
+
 #
 # Create a separate FIPS archive containing a duplicate of each builtin generic
 # module that is in scope for FIPS 140-2 certification
 #
 crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o cts.o gcm.o xts.o hmac.o cmac.o \
 memneq.o gf128mul.o aes_generic.o lib-crypto-aes.o \
+ jitterentropy.o jitterentropy-kcapi.o \
 sha1_generic.o sha256_generic.o sha512_generic.o \
 lib-sha1.o lib-crypto-sha256.o
 crypto-fips-objs := $(foreach o,$(crypto-fips-objs),$(o:.o=-fips.o))
diff --git a/crypto/fips140-module.c b/crypto/fips140-module.c
index 5b991163a971..10ab5658737d 100644
--- a/crypto/fips140-module.c
+++ b/crypto/fips140-module.c
@@ -93,6 +93,7 @@ static const char * const fips140_algorithms[] __initconst = {
 "sha512",
 "stdrng",
+ "jitterentropy_rng",
 };
 static bool __init is_fips140_algo(struct crypto_alg *alg)
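Review bot: The three per-object settings added for `jitterentropy-fips.o` in the crypto/Makefile hunk have no comment saying why this one object is built with `-O0` and with KASAN and UBSAN instrumentation switched off, so a later cleanup could remove them without realising that the entropy source's timing measurements depend on how the code is compiled. I would put a line above them such as `# jitterentropy must be built unoptimized and uninstrumented; keep in sync with the settings for the builtin jitterentropy.o`. Whether the builtin object carries the same three settings elsewhere in this Makefile is not visible here and should be confirmed. Only `jitterentropy-fips.o` is covered, while `jitterentropy-kcapi-fips.o` appears to get the default flags; that is probably intended, but the comment should say so. The enclosing `ifneq` block continues outside the hunk.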
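Review bot: The new `"jitterentropy_rng"` entry in `fips140_algorithms[]` carries no comment recording the reason given in the commit message, namely that the copy inside fips140.ko is the one compiled with the SP800-90B health tests enabled. A one-line comment above it, for example `/* entropy source; the module's copy is built with the SP800-90B health tests on */`, would keep that rationale next to the list. How entries are matched is decided in `is_fips140_algo()`, whose body is outside the hunk, as is the start of the array. It is therefore worth confirming that the string equals the name the jitterentropy glue code registers. A mismatch would presumably leave the built-in copy in use without any error.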