From 3c65e45d809ab7d58fd87dfbaef307992ae7d403 Mon Sep 17 00:00:00 2001

From: Nicolai Stange <nstange@suse.de>

Date: Sun, 28 Nov 2021 20:45:56 +0100

Subject: [PATCH 1/2] crypto: implement downstream solution for disabling

 drivers in FIPS mode

References: jsc#SLE-21132,bsc#1191270,bsc#1193976

Patch-mainline: Never, downstream solution to block unapproved crypto drivers

Non-verified crypto implementations from drivers/crypto must not be used in

FIPS mode and this has to be enforced from the crypto API.

The most reasonable way of achieving this is to make the testmgr to force

these algorithm instances' tests to fail: the crypto API's lookup

primitives only return algorithm implementations which have successfully

completed their associated tests. From the resp. driver's perspective, the

algorithm registrations would still succeed, so no errors would get thrown

e.g. during boot and potential services outside the scope of FIPS could

still be provided.

Implement the new suse_fips_is_driver_unapproved() for searching a given

driver name on a to-be-populated list of unapproved implementations to be

rejected in FIPS mode. Make alg_test() query it in FIPS mode if the

algorithm has not been determined to be disallowed by some other means

already, i.e. if no matching test with ->fips_allowed == 0 has been found.

Now that it's more common to have driver algorithm instances in failed

state potentially aliasing with approved implementations around, there's

one subtlety in the crypto API's lookup code which needs to get addressed.

A lot of those crypto drivers register "fused" implementations of certain

algorithm constructions, which would otherwise get served by some generic

templates. However, these instances are kept on the global algorithms list

and crypto_alg_lookup() would return -ELIBBAD upon encountering a matching

such one in forced-fail state, c.f. commit eb02c38f0197 ("crypto: api -

Keep failed instances alive"). This would then subsequently prevent the

calling code from attempting to construct an (approved) instantiation of

the generic templates. Make crypto_alg_lookup()'s caller,

crypto_larval_lookup(), pass on the -ELIBBAD only if it had been caused by

some generic template instantiation in failed state, i.e. by a real test

failure rather by than some unapproved driver.

Finally, due to the asynchronous nature of the testmgr execution, the

algorithm registration code always keeps a placeholder test larval on the

global algorithm list until alg_test() eventually gets to run and has a

chance to force-fail the test for unapproved drivers. Until that has

happened, any matching request coming in through crypto_alg_mod_lookup()

would end up waiting on this test larval in crypto_larval_wait().

crypto_larval_wait() would return -EAGAIN once the test has been

force-failed asynchronously and the whole lookup would then subsequently

fail. As failing test larvals are much more common in FIPS mode now, make

crypto_larval_lookup() to retry the whole operation when any of its two

descendant crypto_larval_wait() invocations return -EAGAIN.

Signed-off-by: Nicolai Stange <nstange@suse.de>

---

 crypto/api.c                          |   46 +++++++++++++++++++++++++++

 crypto/suse_fips_unapproved_drivers.h |    1 

 crypto/testmgr.c                      |   57 ++++++++++++++++++++++++++++++++++

 3 files changed, 104 insertions(+)

 create mode 100644 crypto/suse_fips_unapproved_drivers.h

--- a/crypto/api.c

+++ b/crypto/api.c

@@ -20,6 +20,7 @@

 #include <linux/slab.h>

 #include <linux/string.h>

 #include <linux/completion.h>

+#include <linux/fips.h>

 #include "internal.h"

 LIST_HEAD(crypto_alg_list);

@@ -128,6 +129,15 @@ static struct crypto_alg *crypto_larval_

 	struct crypto_alg *alg;

 	struct crypto_larval *larval;

+	if (fips_enabled && !((type | mask) & CRYPTO_ALG_TESTED)) {

+		/*

+		 * Make sure the __crypto_alg_lookup() below won't return

+		 * any untested algorithm.

+		 */

+		mask |= CRYPTO_ALG_TESTED;

+		type |= CRYPTO_ALG_TESTED;

+	}

+

 	larval = crypto_larval_alloc(name, type, mask);

 	if (IS_ERR(larval))

 		return ERR_CAST(larval);

@@ -240,6 +250,7 @@ static struct crypto_alg *crypto_larval_

 	type &= ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);

 	mask &= ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);

+again:

 	alg = crypto_alg_lookup(name, type, mask);

 	if (!alg && !(mask & CRYPTO_NOLOAD)) {

 		request_module("crypto-%s", name);

@@ -251,11 +262,46 @@ static struct crypto_alg *crypto_larval_

 		alg = crypto_alg_lookup(name, type, mask);

 	}

+	/*

+	 * As a downstream solution, unapproved crypto driver

+	 * instances' tests are forced to fail in FIPS mode from

+	 * testmgr. A lot of those register "fused" implementations of

+	 * certain algorithm constructions, which would otherwise get

+	 * served by some generic templates. However, those driver

+	 * instances are kept on the global algorithms list in failed

+	 * state and crypto_alg_lookup() would return -ELIBBAD upon

+	 * encountering a matching such one. In order to still allow

+	 * the generic template implementations to serve the request,

+	 * check if the the ELIBBAD had been coming from a matching

+	 * template instantiation in failed state and ignore it if

+	 * not.

+	 */

+	if (fips_enabled && IS_ERR(alg) && PTR_ERR(alg) == -ELIBBAD &&

+	    strchr(name, '(')) {

+		alg = crypto_alg_lookup(name,

+					type | CRYPTO_ALG_INSTANCE,

+					mask | CRYPTO_ALG_INSTANCE);

+	}

+

 	if (!IS_ERR_OR_NULL(alg) && crypto_is_larval(alg))

 		alg = crypto_larval_wait(alg);

 	else if (!alg)

 		alg = crypto_larval_add(name, type, mask);

+	/*

+	 * As outlined above, unapproved crypto driver instances'

+	 * tests are forced to fail in FIPS mode from testmgr. If

+	 * crypto_larval_wait() returned -EAGAIN, chances are the wait

+	 * had been on such a driver instance's failed test larval.

+	 * Retry the search in this case.

+	 */

+	if (fips_enabled && IS_ERR(alg) && PTR_ERR(alg) == -EAGAIN) {

+		if (fatal_signal_pending(current))

+			return ERR_PTR(-EINTR);

+		cond_resched();

+		goto again;

+	}

+

 	return alg;

 }

--- /dev/null

+++ b/crypto/suse_fips_unapproved_drivers.h

@@ -0,0 +1 @@

+

--- a/crypto/testmgr.c

+++ b/crypto/testmgr.c

@@ -5559,6 +5559,50 @@ static void testmgr_onetime_init(void)

 #endif

 }

+#ifdef CONFIG_CRYPTO_FIPS

+static bool suse_fips_is_driver_unapproved(const char *driver)

+{

+	/*

+	 * unapproved_drivers[] contains a sorted list of

+	 * cra_driver_name's to reject in FIPS mode.

+	 */

+	static const char *unapproved_drivers[] = {

+#include "suse_fips_unapproved_drivers.h"

+	};

+	int start = 0;

+	int end = ARRAY_SIZE(unapproved_drivers);

+

+	if (!fips_enabled)

+		return false;

+

+	while (start < end) {

+		int i = (start + end) / 2;

+		int diff = strcmp(unapproved_drivers[i], driver);

+

+		if (diff > 0) {

+			end = i;

+			continue;

+		}

+

+		if (diff < 0) {

+			start = i + 1;

+			continue;

+		}

+

+		pr_info("alg: disabling driver '%s' in FIPS mode\n", driver);

+

+		return true;

+	}

+

+	return false;

+}

+#else /* !CONFIG_CRYPTO_FIPS */

+static bool suse_fips_is_driver_unapproved(const char *driver)

+{

+	return false;

+}

+#endif /* CONFIG_CRYPTO_FIPS */

+

 static int alg_find_test(const char *alg)

 {

 	int start = 0;

@@ -5615,6 +5659,9 @@ int alg_test(const char *driver, const c

 		if (i < 0)

 			goto notest;

+		if (suse_fips_is_driver_unapproved(driver))

+			return -EINVAL;

+

 		if (fips_enabled && !alg_test_descs[i].fips_allowed)

 			goto non_fips_alg;

@@ -5630,6 +5677,8 @@ int alg_test(const char *driver, const c

 	if (fips_enabled) {

 		if (j >= 0 && !alg_test_descs[j].fips_allowed)

 			return -EINVAL;

+		else if (suse_fips_is_driver_unapproved(driver))

+			return -EINVAL;

 		if (i >= 0 && !alg_test_descs[i].fips_allowed)

 			goto non_fips_alg;

@@ -5662,6 +5711,14 @@ test_done:

 	return rc;

 notest:

+	/*

+	 * Unapproved drivers can register constructions for which

+	 * there is no matching test with ->fips_allowed == 0, check

+	 * for this.

+	 */

+	if (suse_fips_is_driver_unapproved(driver))

+		return -EINVAL;

+

 	printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);

 	if (type & CRYPTO_ALG_FIPS_INTERNAL)