author | Konstantin Vyshetsky <vkon@google.com> | 2024-03-05 13:42:14 -0800 |
---|---|---|
committer | Konstantin Vyshetsky <vkon@google.com> | 2024-03-20 01:46:46 +0000 |
commit | 3f5807c586a627d7d2da02bb3daff87564577172 (patch) | |
tree | dc89884e31066e39349a632e3ae82bddfbfeea54 | |
parent | fa6c89a93f6155e3feb5aac15cb2493ab071fec9 (diff) | |
download | common-android14-6.1-sp.tar.gz |
ANDROID: fips140: change linker script guard (branch: android14-6.1-sp)
Currently, the linker script's support for merging a module's sections is
guarded by either CONFIG_LTO_CLANG or CONFIG_CRYPTO_FIPS140_MOD. This
functionality is also needed by additional fips140 modules built out of
tree. So, have an explicit config (CRYPTO_FIPS140_MERGE_MOD_SECTIONS)
that can be selected by the various fips140 modules without having to
depend on and enable CONFIG_CRYPTO_FIPS140_MOD.
Bug: 281657135
Change-Id: I2af727813151ba839a95696bc847e2a841a7175a
Signed-off-by: Konstantin Vyshetsky <vkon@google.com>
-rw-r--r-- | crypto/Kconfig | 10 |
-rw-r--r-- | scripts/module.lds.S | 2 |
2 files changed, 11 insertions, 1 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 532c454f57ee..a537398bc27b 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -58,6 +58,7 @@ config CRYPTO_FIPS140_MOD tristate "Enable FIPS 140 cryptographic module" depends on ARM64 && ARM64_MODULE_PLTS depends on m + select CRYPTO_FIPS140_MERGE_MOD_SECTIONS help This option enables building a loadable module fips140.ko, which contains various crypto algorithms that are also built into vmlinux. @@ -79,6 +80,15 @@ config CRYPTO_FIPS140_MOD_EVAL_TESTING errors and support for a userspace interface to some of the module's services. This option should not be enabled in production builds. +config CRYPTO_FIPS140_MERGE_MOD_SECTIONS + bool + help + This option causes the module linker script to place the delimeters + of the text and rodata sections at the appropriate places so that + the FIPS 140 integrity check can be performed. This option is required + by the Crypto FIPS 140 module, and can be enabled by other FIPS 140 + modules using the same logic to perform the self integrity check. + config CRYPTO_FIPS140_MOD_DEBUG_INTEGRITY_CHECK bool "Debug the integrity check in FIPS 140 module" depends on CRYPTO_FIPS140_MOD diff --git a/scripts/module.lds.S b/scripts/module.lds.S index 94bb2d6b3052..9e1afd5cc7b1 100644 --- a/scripts/module.lds.S +++ b/scripts/module.lds.S @@ -62,7 +62,7 @@ SECTIONS { } #endif -#if defined(CONFIG_LTO_CLANG) || IS_ENABLED(CONFIG_CRYPTO_FIPS140_MOD) +#if defined(CONFIG_LTO_CLANG) || defined(CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS) /* * With CONFIG_LTO_CLANG, LLD always enables -fdata-sections and * -ffunction-sections, which increases the size of the final module. |
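Review bot: In the help text of the new CRYPTO_FIPS140_MERGE_MOD_SECTIONS entry in crypto/Kconfig, "delimeters" is misspelled and should read "delimiters". The symbol is a bare `bool` with no prompt string, so it can only be turned on through `select`, the way CRYPTO_FIPS140_MOD now does in the first hunk. The help text says it "can be enabled by other FIPS 140 modules"; please say explicitly that those modules' Kconfig entries must `select` it, since there is no way to set it by hand.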
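Review bot: In scripts/module.lds.S, the comment directly under the changed `#if` still explains the guarded block only in terms of CONFIG_LTO_CLANG ("With CONFIG_LTO_CLANG, LLD always enables ..."). Please add a sentence there saying the block is also needed when CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS is set, so that the text and rodata boundaries used by the FIPS 140 integrity check are in place. Separately, replacing IS_ENABLED() with defined() is correct while the new symbol is `bool`, but defined() would stop matching if the symbol were ever made tristate and set to m; keeping IS_ENABLED(CONFIG_CRYPTO_FIPS140_MERGE_MOD_SECTIONS) avoids that trap at no cost.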