ANDROID: arm64: only permit certain alternatives in the FIPS140 module
The FIPS140 crypto module takes a HMAC digest of its own .text and .rodata section in its module_init() hook. This digest is compared to a digest taken at build time, which means that we need to take some extra care to ensure that the build time and runtime versions line up.

One thing we cannot tolerate in this case is alternatives patching. In the general case, we cannot simply ignore alternatives, but fortunately, there is only a small subset that actually gets instantiated in the FIPS140 module, and all of these can be ignored if we are willing to accept that the FIPS140 module does not support VHE hardware, and does not work when running with pseudo-NMI support enabled. None of this is important for the use case targeted by the FIPS140 module, so this is something we should be able to live with.

Bug: 153614920
Bug: 188620248
Change-Id: Ie6666e01d5524a3c33aa451609bab2f29b612f8c
Signed-off-by: Ard Biesheuvel <ardb@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>