From patchwork Tue Jul 2 11:39:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gilad Ben-Yossef X-Patchwork-Id: 168322 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp4138269ilk; Tue, 2 Jul 2019 04:39:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqziYQcWhLFMRAQYgQByORaF7OcKYjAAGfJ38J1QuqvRm9ngzw8gLvPpEdEW8PhJn/Z51sY8 X-Received: by 2002:a65:5202:: with SMTP id o2mr28043815pgp.199.1562067583643; Tue, 02 Jul 2019 04:39:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562067583; cv=none; d=google.com; s=arc-20160816; b=YgppH4OelF9C3Ncco4Aua24aP0jBKTf/LIJMiNqFKNfQEsFVCFKnUztegOl9FT5SRn jLJktwepwd3LIB5zyC0o/yzNaFLxyZniEsKC47R/rDh+wn4rX0Q1gXrSdOXqG8bA473m KfG8YV1c8kpSFvAwD0HR1WiS+ryUkpY/NGwZQa5lr66fskfm7QsjB8olwREu3l9HYVAe sUM9a2+jmuo4okaDRnZ1vggcc0mdPUfyKu27wPy8BdYy41J8P3sVNGBKObHjjvcqnTMc 6PNCLlEHbp2dLOYapXbck7uL43EJichUQ5RBE79dBwVCR4hnL00zBvnICF3je/wFctnB boXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=dAIeDoC3afl35YGIZRmnEj6LNdkJp+QF7FBfaG5ujeE=; b=Cltc9AaZywtRv8W5tjTzb25XlUnxdZWuHL0GY4fIb5LzILDK7OWeyY/l3vvH7a6i2K UmX1irMY3KzA9Qj/NDcWdN71ZivsITUWI3l7l+03kvAvX+M137rcymciGopwnqyoUSdL 6J6E/HAFPmaqg+6g7zBksi4sMuzOAUZgzgwLC3gicGysHdMMLsgQZ8knBKff/347tpB9 oEmQElCcFKXfuMk2t3fVB/6KeF8TUih17pSv4l+HilZMmwz8m34mEMnt15WoDNc0EfUA VpZT/d5F2dkqFWNJN3J6b+5sqXCSs3X8XUgIiF5iy6mx8jxt+s4nWJ00k37gprdRXgJ/ ueqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s27si12449886pga.561.2019.07.02.04.39.43; Tue, 02 Jul 2019 04:39:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726732AbfGBLjm (ORCPT + 30 others); Tue, 2 Jul 2019 07:39:42 -0400 Received: from foss.arm.com ([217.140.110.172]:48118 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726917AbfGBLjk (ORCPT ); Tue, 2 Jul 2019 07:39:40 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 7AD17344; Tue, 2 Jul 2019 04:39:39 -0700 (PDT) Received: from e110176-lin.kfn.arm.com (unknown [10.50.4.178]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 42F4D3F246; Tue, 2 Jul 2019 04:39:38 -0700 (PDT) From: Gilad Ben-Yossef To: Herbert Xu , "David S. Miller" Cc: Ofir Drang , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 3/4] crypto: fips: add FIPS test failure notification chain Date: Tue, 2 Jul 2019 14:39:20 +0300 Message-Id: <20190702113922.24911-4-gilad@benyossef.com> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190702113922.24911-1-gilad@benyossef.com> References: <20190702113922.24911-1-gilad@benyossef.com> MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Crypto test failures in FIPS mode cause an immediate panic, but on some system the cryptographic boundary extends beyond just the Linux controlled domain. Add a simple atomic notification chain to allow interested parties to register to receive notification prior to us kicking the bucket. Signed-off-by: Gilad Ben-Yossef --- crypto/fips.c | 11 +++++++++++ crypto/testmgr.c | 4 +++- include/linux/fips.h | 7 +++++++ 3 files changed, 21 insertions(+), 1 deletion(-) -- 2.21.0 diff --git a/crypto/fips.c b/crypto/fips.c index 9dfed122d6da..b30a67b6c441 100644 --- a/crypto/fips.c +++ b/crypto/fips.c @@ -16,10 +16,14 @@ #include #include #include +#include int fips_enabled; EXPORT_SYMBOL_GPL(fips_enabled); +ATOMIC_NOTIFIER_HEAD(fips_fail_notif_chain); +EXPORT_SYMBOL_GPL(fips_fail_notif_chain); + /* Process kernel command-line parameter at boot time. fips=0 or fips=1 */ static int fips_enable(char *str) { @@ -63,6 +67,13 @@ static void crypto_proc_fips_exit(void) unregister_sysctl_table(crypto_sysctls); } +void fips_fail_notify(void) +{ + if (fips_enabled) + atomic_notifier_call_chain(&fips_fail_notif_chain, 0, NULL); +} +EXPORT_SYMBOL_GPL(fips_fail_notify); + static int __init fips_init(void) { crypto_proc_fips_init(); diff --git a/crypto/testmgr.c b/crypto/testmgr.c index d760f5cd35b2..fc2407d7a78f 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -5245,9 +5245,11 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask) type, mask); test_done: - if (rc && (fips_enabled || panic_on_fail)) + if (rc && (fips_enabled || panic_on_fail)) { + fips_fail_notify(); panic("alg: self-tests for %s (%s) failed in %s mode!\n", driver, alg, fips_enabled ? "fips" : "panic_on_fail"); + } if (fips_enabled && !rc) pr_info("alg: self-tests for %s (%s) passed\n", driver, alg); diff --git a/include/linux/fips.h b/include/linux/fips.h index afeeece92302..c6961e932fef 100644 --- a/include/linux/fips.h +++ b/include/linux/fips.h @@ -4,8 +4,15 @@ #ifdef CONFIG_CRYPTO_FIPS extern int fips_enabled; +extern struct atomic_notifier_head fips_fail_notif_chain; + +void fips_fail_notify(void); + #else #define fips_enabled 0 + +static inline void fips_fail_notify(void) {} + #endif #endif