2019-07-02 11:40:02

by Gilad Ben-Yossef

Subject: [PATCH 0/4] crypto: ccree: cleanups, fixes and TEE FIPS support

Clean up unused ivgen support code and add support for notifying
Trusted Execution Environment of FIPS tests failures in FIPS mode.

Gilad Ben-Yossef (4):
crypto: ccree: drop legacy ivgen support
crypto: ccree: account for TEE not ready to report
crypto: fips: add FIPS test failure notification chain
crypto: ccree: notify TEE on FIPS tests errors

crypto/fips.c | 11 +
crypto/testmgr.c | 4 +-
drivers/crypto/ccree/Makefile | 2 +-
drivers/crypto/ccree/cc_aead.c | 76 +------
drivers/crypto/ccree/cc_aead.h | 3 +-
drivers/crypto/ccree/cc_driver.c | 12 +-
drivers/crypto/ccree/cc_driver.h | 10 -
drivers/crypto/ccree/cc_fips.c | 31 ++-
drivers/crypto/ccree/cc_ivgen.c | 276 --------------------------
drivers/crypto/ccree/cc_ivgen.h | 55 -----
drivers/crypto/ccree/cc_pm.c | 2 -
drivers/crypto/ccree/cc_request_mgr.c | 47 +----
include/linux/fips.h | 7 +
13 files changed, 68 insertions(+), 468 deletions(-)
delete mode 100644 drivers/crypto/ccree/cc_ivgen.c
delete mode 100644 drivers/crypto/ccree/cc_ivgen.h

--
2.21.0


2019-07-02 11:40:03

by Gilad Ben-Yossef

Subject: [PATCH 2/4] crypto: ccree: account for TEE not ready to report

When ccree driver runs it checks the state of the Trusted Execution
Environment CryptoCell driver before proceeding. We did not account
for cases where the TEE side is not ready or not available at all.
Fix it by only considering TEE error state after sync with the TEE
side driver.

Signed-off-by: Gilad Ben-Yossef <[email protected]>
Fixes: ab8ec9658f5a ("crypto: ccree - add FIPS support")
CC: [email protected] # v4.17+
---
drivers/crypto/ccree/cc_fips.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/ccree/cc_fips.c b/drivers/crypto/ccree/cc_fips.c
index 5ad3ffb7acaa..040e09c0e1af 100644
--- a/drivers/crypto/ccree/cc_fips.c
+++ b/drivers/crypto/ccree/cc_fips.c
@@ -21,7 +21,13 @@ static bool cc_get_tee_fips_status(struct cc_drvdata *drvdata)
u32 reg;

reg = cc_ioread(drvdata, CC_REG(GPR_HOST));
- return (reg == (CC_FIPS_SYNC_TEE_STATUS | CC_FIPS_SYNC_MODULE_OK));
+ /* Did the TEE report status? */
+ if (reg & CC_FIPS_SYNC_TEE_STATUS)
+ /* Yes. Is it OK? */
+ return (reg & CC_FIPS_SYNC_MODULE_OK);
+
+ /* No. It's either not in use or will be reported later */
+ return true;
}

/*
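Review bot: The final `return true` in cc_get_tee_fips_status() makes "TEE has not reported yet" indistinguishable from "TEE reported OK" for every caller, so in FIPS mode the driver proceeds without any TEE verdict. The comment says the status "will be reported later", but nothing in this hunk shows where that later report is consumed; please name that path in the comment and state in the function's header comment that true also covers the not-yet-synced case. Note too that the old test required the register to equal exactly the two flags, while the new one ignores any other bits in GPR_HOST; if that relaxation is intended, say so in the commit message. Style: the `if` body now spans a comment plus a statement, so it should be wrapped in braces.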
--
2.21.0

2019-07-02 11:40:15

by Gilad Ben-Yossef

Subject: [PATCH 4/4] crypto: ccree: notify TEE on FIPS tests errors

Register a FIPS test failure notifier and use it to notify
TEE side of FIPS test failures on our side prior to panic.

Signed-off-by: Gilad Ben-Yossef <[email protected]>
---
drivers/crypto/ccree/cc_fips.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)

diff --git a/drivers/crypto/ccree/cc_fips.c b/drivers/crypto/ccree/cc_fips.c
index 040e09c0e1af..4c8bce33abcf 100644
--- a/drivers/crypto/ccree/cc_fips.c
+++ b/drivers/crypto/ccree/cc_fips.c
@@ -3,6 +3,7 @@

#include <linux/kernel.h>
#include <linux/fips.h>
+#include <linux/notifier.h>

#include "cc_driver.h"
#include "cc_fips.h"
@@ -11,6 +12,8 @@ static void fips_dsr(unsigned long devarg);

struct cc_fips_handle {
struct tasklet_struct tasklet;
+ struct notifier_block nb;
+ struct cc_drvdata *drvdata;
};

/* The function called once at driver entry point to check
@@ -46,6 +49,21 @@ void cc_set_ree_fips_status(struct cc_drvdata *drvdata, bool status)
cc_iowrite(drvdata, CC_REG(HOST_GPR0), val);
}

+/* Push REE side FIPS test failure to TEE side */
+static int cc_ree_fips_failure(struct notifier_block *nb, unsigned long unused1,
+ void *unused2)
+{
+ struct cc_fips_handle *fips_h =
+ container_of(nb, struct cc_fips_handle, nb);
+ struct cc_drvdata *drvdata = fips_h->drvdata;
+ struct device *dev = drvdata_to_dev(drvdata);
+
+ cc_set_ree_fips_status(drvdata, false);
+ dev_info(dev, "Notifying TEE of FIPS test failure...\n");
+
+ return NOTIFY_OK;
+}
+
void cc_fips_fini(struct cc_drvdata *drvdata)
{
struct cc_fips_handle *fips_h = drvdata->fips_handle;
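Review bot: In cc_ree_fips_failure() the message "Notifying TEE of FIPS test failure..." is logged after cc_set_ree_fips_status(drvdata, false) has already written the status, and at dev_info level on a path the commit message says ends in panic. Either log before the write or reword it as completed, and consider dev_err so the line survives a restrictive console loglevel. Since this callback is hung on an atomic notifier chain, a one-line comment that it runs in atomic context and must not sleep would protect it from later edits.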
@@ -53,6 +71,8 @@ void cc_fips_fini(struct cc_drvdata *drvdata)
if (drvdata->hw_rev < CC_HW_REV_712 || !fips_h)
return;

+ atomic_notifier_chain_unregister(&fips_fail_notif_chain, &fips_h->nb);
+
/* Kill tasklet */
tasklet_kill(&fips_h->tasklet);
drvdata->fips_handle = NULL;
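Review bot: The new atomic_notifier_chain_unregister() call sits behind the early return `if (drvdata->hw_rev < CC_HW_REV_712 || !fips_h)`, so it only balances the registration added in cc_fips_init() if that registration is reached under the same hw_rev condition. The init hunk does not show its guard; please confirm the two are symmetric, otherwise a notifier_block embedded in a freed cc_fips_handle could remain on fips_fail_notif_chain.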
@@ -124,6 +144,9 @@ int cc_fips_init(struct cc_drvdata *p_drvdata)

dev_dbg(dev, "Initializing fips tasklet\n");
tasklet_init(&fips_h->tasklet, fips_dsr, (unsigned long)p_drvdata);
+ fips_h->drvdata = p_drvdata;
+ fips_h->nb.notifier_call = cc_ree_fips_failure;
+ atomic_notifier_chain_register(&fips_fail_notif_chain, &fips_h->nb);

cc_tee_handle_fips_error(p_drvdata);

--
2.21.0

2019-07-02 11:41:13

by Gilad Ben-Yossef

Subject: [PATCH 3/4] crypto: fips: add FIPS test failure notification chain

Crypto test failures in FIPS mode cause an immediate panic, but
on some systems the cryptographic boundary extends beyond just
the Linux controlled domain.

Add a simple atomic notification chain to allow interested parties
to register to receive notification prior to us kicking the bucket.

Signed-off-by: Gilad Ben-Yossef <[email protected]>
---
crypto/fips.c | 11 +++++++++++
crypto/testmgr.c | 4 +++-
include/linux/fips.h | 7 +++++++
3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/crypto/fips.c b/crypto/fips.c
index 9dfed122d6da..b30a67b6c441 100644
--- a/crypto/fips.c
+++ b/crypto/fips.c
@@ -16,10 +16,14 @@
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/sysctl.h>
+#include <linux/notifier.h>

int fips_enabled;
EXPORT_SYMBOL_GPL(fips_enabled);

+ATOMIC_NOTIFIER_HEAD(fips_fail_notif_chain);
+EXPORT_SYMBOL_GPL(fips_fail_notif_chain);
+
/* Process kernel command-line parameter at boot time. fips=0 or fips=1 */
static int fips_enable(char *str)
{
@@ -63,6 +67,13 @@ static void crypto_proc_fips_exit(void)
unregister_sysctl_table(crypto_sysctls);
}

+void fips_fail_notify(void)
+{
+ if (fips_enabled)
+ atomic_notifier_call_chain(&fips_fail_notif_chain, 0, NULL);
+}
+EXPORT_SYMBOL_GPL(fips_fail_notify);
+
static int __init fips_init(void)
{
crypto_proc_fips_init();
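Review bot: fips_fail_notify() is exported but carries no documentation of the contract it imposes on subscribers. Please add a comment stating that callbacks on fips_fail_notif_chain run in atomic context, must not sleep, and always receive action 0 and a NULL data pointer, since that is what `atomic_notifier_call_chain(&fips_fail_notif_chain, 0, NULL)` fixes for every listener.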
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index d760f5cd35b2..fc2407d7a78f 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5245,9 +5245,11 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
type, mask);

test_done:
- if (rc && (fips_enabled || panic_on_fail))
+ if (rc && (fips_enabled || panic_on_fail)) {
+ fips_fail_notify();
panic("alg: self-tests for %s (%s) failed in %s mode!\n",
driver, alg, fips_enabled ? "fips" : "panic_on_fail");
+ }

if (fips_enabled && !rc)
pr_info("alg: self-tests for %s (%s) passed\n", driver, alg);
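Review bot: The new call sits inside `if (rc && (fips_enabled || panic_on_fail))`, but fips_fail_notify() only runs the chain when fips_enabled is set, so a failure in panic_on_fail-only mode panics without notifying anyone. If that is intended, a short comment at the call site would save readers the lookup in crypto/fips.c; if not, the check inside fips_fail_notify() needs widening.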
diff --git a/include/linux/fips.h b/include/linux/fips.h
index afeeece92302..c6961e932fef 100644
--- a/include/linux/fips.h
+++ b/include/linux/fips.h
@@ -4,8 +4,15 @@

#ifdef CONFIG_CRYPTO_FIPS
extern int fips_enabled;
+extern struct atomic_notifier_head fips_fail_notif_chain;
+
+void fips_fail_notify(void);
+
#else
#define fips_enabled 0
+
+static inline void fips_fail_notify(void) {}
+
#endif

#endif
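Review bot: The #else branch stubs out fips_fail_notify() but provides nothing for fips_fail_notif_chain, so any caller that registers on the chain directly will not compile with CONFIG_CRYPTO_FIPS disabled unless that caller is itself built only under the same option. Register and unregister wrappers with empty inline stubs in the #else branch would remove that trap. The header also names struct atomic_notifier_head without including <linux/notifier.h>, which leaves the include to every user.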
--
2.21.0

2019-07-26 12:30:18

by Herbert Xu

Subject: Re: [PATCH 0/4] crypto: ccree: cleanups, fixes and TEE FIPS support

Gilad Ben-Yossef <[email protected]> wrote:
> Clean up unused ivgen support code and add support for notifying
> Trusted Execution Environment of FIPS tests failures in FIPS mode.
>
> Gilad Ben-Yossef (4):
> crypto: ccree: drop legacy ivgen support
> crypto: ccree: account for TEE not ready to report
> crypto: fips: add FIPS test failure notification chain
> crypto: ccree: notify TEE on FIPS tests errors
>
> crypto/fips.c | 11 +
> crypto/testmgr.c | 4 +-
> drivers/crypto/ccree/Makefile | 2 +-
> drivers/crypto/ccree/cc_aead.c | 76 +------
> drivers/crypto/ccree/cc_aead.h | 3 +-
> drivers/crypto/ccree/cc_driver.c | 12 +-
> drivers/crypto/ccree/cc_driver.h | 10 -
> drivers/crypto/ccree/cc_fips.c | 31 ++-
> drivers/crypto/ccree/cc_ivgen.c | 276 --------------------------
> drivers/crypto/ccree/cc_ivgen.h | 55 -----
> drivers/crypto/ccree/cc_pm.c | 2 -
> drivers/crypto/ccree/cc_request_mgr.c | 47 +----
> include/linux/fips.h | 7 +
> 13 files changed, 68 insertions(+), 468 deletions(-)
> delete mode 100644 drivers/crypto/ccree/cc_ivgen.c
> delete mode 100644 drivers/crypto/ccree/cc_ivgen.h

All applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt