Skip to content

Commit

Permalink
FIPS support
Browse files Browse the repository at this point in the history
  • Loading branch information
justsmth committed Jun 15, 2024
1 parent 0827e9d commit e137a16
Showing 1 changed file with 38 additions and 21 deletions.
59 changes: 38 additions & 21 deletions crypto/fipsmodule/rand/snapsafe_detect.c
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,18 @@
#define SNAPSAFE_TEST_MODE_DISABLED 0x00
#define SNAPSAFE_TEST_MODE_ENABLED 0x01
DEFINE_STATIC_MUTEX(test_mode_mutex);
static volatile int test_mode_enabled = 0;
static volatile uint32_t test_mode_sgn = 0;
static volatile int test_mode_status = 1;

DEFINE_BSS_GET(volatile int, test_mode_enabled);
DEFINE_BSS_GET(volatile uint32_t, test_mode_sgn);
DEFINE_BSS_GET(volatile int, test_mode_status);

DEFINE_STATIC_ONCE(aws_snapsafe_init)

static void aws_snapsafe_test_init(void) {
*test_mode_enabled_bss_get() = 0;
*test_mode_sgn_bss_get() = 0;
*test_mode_status_bss_get() = 1;
}

#if defined(OPENSSL_LINUX)
#include <fcntl.h>
Expand All @@ -32,9 +41,8 @@ static volatile int test_mode_status = 1;
#define SYSGENID_IOCTL 0xE4
#define SYSGENID_TRIGGER_GEN_UPDATE _IO(SYSGENID_IOCTL, 3)

static const char *sgc_file_path = "/dev/sysgenid";
static volatile uint32_t *sgc_addr = NULL;
DEFINE_STATIC_ONCE(aws_snapsafe_init)
DEFINE_BSS_GET(const char *, sgc_file_path);
DEFINE_BSS_GET(volatile uint32_t *, sgc_addr);

static int snapsafety_state = SNAPSAFETY_STATE_FAILED_INITIALISE;

Expand All @@ -43,13 +51,18 @@ static int snapsafety_state = SNAPSAFETY_STATE_FAILED_INITIALISE;
static int aws_snapsafe_check_kernel_support(void) {
/* This file-exist method is generally brittle. But for our purpose, this
* should be more than fine. */
if (access(sgc_file_path, F_OK) != 0) {
if (access(*sgc_file_path_bss_get(), F_OK) != 0) {
return 0;
}
return 1;
}

static void do_aws_snapsafe_init(void) {
aws_snapsafe_test_init();

*sgc_file_path_bss_get() = "/dev/sysgenid";
*sgc_addr_bss_get() = NULL;

if (aws_snapsafe_check_kernel_support() != 1) {
snapsafety_state = SNAPSAFETY_STATE_NOT_SUPPORTED;
return;
Expand All @@ -63,8 +76,8 @@ static void do_aws_snapsafe_init(void) {
return;
}

if (sgc_addr == NULL) {
int fd_sgc = open(sgc_file_path, O_RDONLY);
if (*sgc_addr_bss_get() == NULL) {
int fd_sgc = open(*sgc_file_path_bss_get(), O_RDONLY);
if (fd_sgc == -1) {
snapsafety_state = SNAPSAFETY_STATE_FAILED_INITIALISE;
return;
Expand All @@ -88,15 +101,15 @@ static void do_aws_snapsafe_init(void) {

/* sgc_addr will now point at the mapped memory and any 4-byte read from
* this pointer will correspond to the sgn manager by the VMM. */
sgc_addr = addr;
*sgc_addr_bss_get() = addr;

snapsafety_state = SNAPSAFETY_STATE_SUCCESS_INITIALISE;
}
}

static uint32_t aws_snapsafe_read_sgn(void) {
if (snapsafety_state == SNAPSAFETY_STATE_SUCCESS_INITIALISE) {
return *sgc_addr;
return **sgc_addr_bss_get();
}

return 0;
Expand All @@ -106,9 +119,9 @@ int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number) {
CRYPTO_once(aws_snapsafe_init_bss_get(), do_aws_snapsafe_init);

CRYPTO_STATIC_MUTEX_lock_read(test_mode_mutex_bss_get());
if (test_mode_enabled == SNAPSAFE_TEST_MODE_ENABLED) {
*snapsafe_generation_number = test_mode_sgn;
return test_mode_status;
if (*test_mode_enabled_bss_get() == SNAPSAFE_TEST_MODE_ENABLED) {
*snapsafe_generation_number = *test_mode_sgn_bss_get();
return *test_mode_status_bss_get();
}
CRYPTO_STATIC_MUTEX_unlock_read(test_mode_mutex_bss_get());

Expand All @@ -131,10 +144,12 @@ int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number) {
#else // !defined(OPENSSL_LINUX)

int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number) {
CRYPTO_once(aws_snapsafe_init_bss_get(), aws_snapsafe_test_init);

CRYPTO_STATIC_MUTEX_lock_read(test_mode_mutex_bss_get());
if (test_mode_enabled == SNAPSAFE_TEST_MODE_ENABLED) {
*snapsafe_generation_number = test_mode_sgn;
return test_mode_status;
if (*test_mode_enabled_bss_get() == SNAPSAFE_TEST_MODE_ENABLED) {
*snapsafe_generation_number = *test_mode_sgn_bss_get();
return *test_mode_status_bss_get();
}
CRYPTO_STATIC_MUTEX_unlock_read(test_mode_mutex_bss_get());

Expand All @@ -144,24 +159,26 @@ int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number) {

#endif // defined(OPENSSL_LINUX)



void HAZMAT_snapsafe_testing_status(int status) {
CRYPTO_STATIC_MUTEX_lock_write(test_mode_mutex_bss_get());
test_mode_status = status;
*test_mode_status_bss_get() = status;
CRYPTO_STATIC_MUTEX_unlock_write(test_mode_mutex_bss_get());
}

void HAZMAT_snapsafe_testing(int enable) {
CRYPTO_STATIC_MUTEX_lock_write(test_mode_mutex_bss_get());
if (enable == 0) {
test_mode_enabled = SNAPSAFE_TEST_MODE_DISABLED;
*test_mode_enabled_bss_get() = SNAPSAFE_TEST_MODE_DISABLED;
} else {
test_mode_enabled = SNAPSAFE_TEST_MODE_ENABLED;
*test_mode_enabled_bss_get() = SNAPSAFE_TEST_MODE_ENABLED;
}
CRYPTO_STATIC_MUTEX_unlock_write(test_mode_mutex_bss_get());
}

void HAZMAT_snapsafe_testing_value(uint32_t val) {
CRYPTO_STATIC_MUTEX_lock_write(test_mode_mutex_bss_get());
test_mode_sgn = val;
*test_mode_sgn_bss_get() = val;
CRYPTO_STATIC_MUTEX_unlock_write(test_mode_mutex_bss_get());
}

0 comments on commit e137a16

Please sign in to comment.