deleted file mode 100644

@@ -1,295 +0,0 @@

-From a31ce76f47615c99cc429e8ca0c615401a6f0b0e Mon Sep 17 00:00:00 2001

-From: Keerthana K <keerthanak@vmware.com>

-Date: Wed, 20 Sep 2023 07:38:08 +0000

-Subject: [PATCH] FIPS canister binary usage

-

-Build with fips canister and skip building crypto algorithms.

-Invoke fips canister integrity check during kernel startup.

-

-This patch can be used at two stages:

- 1. Prerequisite patch for canister creation.

- 2. Binary canister usage time.

-

-Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

-Signed-off-by: Keerthana K <keerthanak@vmware.com>

-Signed-off-by: Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com>

- arch/x86/crypto/Makefile |   4 --

- crypto/Makefile          | 116 +++++++++++++++++++++++++++++++--------

- init/main.c              |   3 +

- lib/crypto/Makefile      |   9 ---

- 4 files changed, 95 insertions(+), 37 deletions(-)

-

-diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile

-index 3b1d701a4..3836c4e30 100644

-+++ b/arch/x86/crypto/Makefile

-@@ -46,10 +46,6 @@ obj-$(CONFIG_CRYPTO_CHACHA20_X86_64) += chacha-x86_64.o

- chacha-x86_64-y := chacha-avx2-x86_64.o chacha-ssse3-x86_64.o chacha_glue.o

- chacha-x86_64-$(CONFIG_AS_AVX512) += chacha-avx512vl-x86_64.o

- 

--obj-$(CONFIG_CRYPTO_AES_NI_INTEL) += aesni-intel.o

--aesni-intel-y := aesni-intel_asm.o aesni-intel_glue.o

--aesni-intel-$(CONFIG_64BIT) += aesni-intel_avx-x86_64.o aes_ctrby8_avx-x86_64.o

--

- obj-$(CONFIG_CRYPTO_SHA1_SSSE3) += sha1-ssse3.o

- sha1-ssse3-y := sha1_avx2_x86_64_asm.o sha1_ssse3_asm.o sha1_ssse3_glue.o

- sha1-ssse3-$(CONFIG_AS_SHA1_NI) += sha1_ni_asm.o

-diff --git a/crypto/Makefile b/crypto/Makefile

-index 515ca3a4c..19bf4080d 100644

-+++ b/crypto/Makefile

-@@ -18,10 +18,8 @@ crypto_algapi-y := algapi.o scatterwalk.o $(crypto_algapi-y)

- obj-$(CONFIG_CRYPTO_ALGAPI2) += crypto_algapi.o

- 

- obj-$(CONFIG_CRYPTO_AEAD2) += aead.o

--obj-$(CONFIG_CRYPTO_AEAD2) += geniv.o

- 

- obj-$(CONFIG_CRYPTO_SKCIPHER2) += skcipher.o

--obj-$(CONFIG_CRYPTO_SEQIV) += seqiv.o

- obj-$(CONFIG_CRYPTO_ECHAINIV) += echainiv.o

- 

- crypto_hash-y += ahash.o

-@@ -44,7 +42,6 @@ rsa_generic-y += rsaprivkey.asn1.o

- rsa_generic-y += rsa.o

- rsa_generic-y += rsa_helper.o

- rsa_generic-y += rsa-pkcs1pad.o

--obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o

- 

- $(obj)/sm2signature.asn1.o: $(obj)/sm2signature.asn1.c $(obj)/sm2signature.asn1.h

- $(obj)/sm2.o: $(obj)/sm2signature.asn1.h

-@@ -53,13 +50,11 @@ sm2_generic-y += sm2signature.asn1.o

- sm2_generic-y += sm2.o

- 

- obj-$(CONFIG_CRYPTO_SM2) += sm2_generic.o

--obj-$(CONFIG_CRYPTO_SELF_TEST) += crypto_self_test.o

- 

- $(obj)/ecdsasignature.asn1.o: $(obj)/ecdsasignature.asn1.c $(obj)/ecdsasignature.asn1.h

- $(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h

- ecdsa_generic-y += ecdsa.o

- ecdsa_generic-y += ecdsasignature.asn1.o

--obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o

- 

- crypto_acompress-y := acompress.o

- crypto_acompress-y += scompress.o

-@@ -67,22 +62,15 @@ obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o

- 

- cryptomgr-y := algboss.o testmgr.o

- 

--obj-$(CONFIG_CRYPTO_MANAGER2) += cryptomgr.o

- obj-$(CONFIG_CRYPTO_USER) += crypto_user.o

- crypto_user-y := crypto_user_base.o

- crypto_user-$(CONFIG_CRYPTO_STATS) += crypto_user_stat.o

--obj-$(CONFIG_CRYPTO_CMAC) += cmac.o

--obj-$(CONFIG_CRYPTO_HMAC) += hmac.o

- obj-$(CONFIG_CRYPTO_VMAC) += vmac.o

- obj-$(CONFIG_CRYPTO_XCBC) += xcbc.o

- obj-$(CONFIG_CRYPTO_NULL2) += crypto_null.o

- obj-$(CONFIG_CRYPTO_MD4) += md4.o

- obj-$(CONFIG_CRYPTO_MD5) += md5.o

- obj-$(CONFIG_CRYPTO_RMD160) += rmd160.o

--obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o

--obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o

--obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o

--obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o

- obj-$(CONFIG_CRYPTO_SM3) += sm3.o

- obj-$(CONFIG_CRYPTO_SM3_GENERIC) += sm3_generic.o

- obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o

-@@ -91,21 +79,13 @@ CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns)  # https://gcc.gnu.org/b

- obj-$(CONFIG_CRYPTO_BLAKE2B) += blake2b_generic.o

- CFLAGS_blake2b_generic.o := -Wframe-larger-than=4096 #  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105930

- obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o

--obj-$(CONFIG_CRYPTO_ECB) += ecb.o

--obj-$(CONFIG_CRYPTO_CBC) += cbc.o

--obj-$(CONFIG_CRYPTO_CFB) += cfb.o

- obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o

--obj-$(CONFIG_CRYPTO_CTS) += cts.o

- obj-$(CONFIG_CRYPTO_LRW) += lrw.o

--obj-$(CONFIG_CRYPTO_XTS) += xts.o

--obj-$(CONFIG_CRYPTO_CTR) += ctr.o

- obj-$(CONFIG_CRYPTO_XCTR) += xctr.o

- obj-$(CONFIG_CRYPTO_HCTR2) += hctr2.o

- obj-$(CONFIG_CRYPTO_KEYWRAP) += keywrap.o

- obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o

- obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o

--obj-$(CONFIG_CRYPTO_GCM) += gcm.o

--obj-$(CONFIG_CRYPTO_CCM) += ccm.o

- obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o

- obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o

- aegis128-y := aegis128-core.o

-@@ -140,7 +120,6 @@ obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o

- obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o

- obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o

- CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure)  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149

--obj-$(CONFIG_CRYPTO_AES) += aes_generic.o

- CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356

- obj-$(CONFIG_CRYPTO_SM4) += sm4.o

- obj-$(CONFIG_CRYPTO_SM4_GENERIC) += sm4_generic.o

-@@ -171,7 +150,6 @@ obj-$(CONFIG_CRYPTO_XXHASH) += xxhash_generic.o

- obj-$(CONFIG_CRYPTO_842) += 842.o

- obj-$(CONFIG_CRYPTO_RNG2) += rng.o

- obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o

--obj-$(CONFIG_CRYPTO_DRBG) += drbg.o

- CFLAGS_jitterentropy.o = -O0

- KASAN_SANITIZE_jitterentropy.o = n

- UBSAN_SANITIZE_jitterentropy.o = n

-@@ -185,13 +163,11 @@ obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o

- obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o

- obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o

- obj-$(CONFIG_CRYPTO_OFB) += ofb.o

--obj-$(CONFIG_CRYPTO_ECC) += ecc.o

- obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o

- obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o

- 

- ecdh_generic-y += ecdh.o

- ecdh_generic-y += ecdh_helper.o

--obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o

- 

- $(obj)/ecrdsa_params.asn1.o: $(obj)/ecrdsa_params.asn1.c $(obj)/ecrdsa_params.asn1.h

- $(obj)/ecrdsa_pub_key.asn1.o: $(obj)/ecrdsa_pub_key.asn1.c $(obj)/ecrdsa_pub_key.asn1.h

-@@ -215,3 +191,95 @@ obj-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o

- # Key derivation function

- #

- obj-$(CONFIG_CRYPTO_KDF800108_CTR) += kdf_sp800108.o

-+obj-$(CONFIG_CRYPTO_FIPS) += fips_canister_wrapper_asm.o fips_canister_wrapper.o fips_canister.o

-+obj-$(CONFIG_CRYPTO_FIPS) += testmgr_fips_canister_wrapper.o aesni-intel_glue_fips_canister_wrapper.o

-+

-+ifdef CONFIG_CRYPTO_FIPS

-+ifneq ($(CONFIG_CRYPTO_FIPS),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_FIPS=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AEAD)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_AEAD=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AEAD2)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_AEAD2=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SEQIV)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_SEQIV=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_RSA)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_RSA=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_MANAGER)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_MANAGER2)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER2=y)

-+endif

-+ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS

-+  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER_DISABLE_TESTS to be unset)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_HMAC)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_HMAC=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA256)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_SHA256=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA512)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_SHA512=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AES)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_AES=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECB)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_ECB=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CBC)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CBC=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_XTS)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_XTS=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CTR)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CTR=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_DRBG=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG_HASH)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_DRBG_HASH=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG_CTR)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_DRBG_CTR=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECC)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_ECC=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECDH)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_ECDH=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AES_NI_INTEL)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_AES_NI_INTEL=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CFB)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CFB=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CMAC)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CMAC=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CTS)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CTS=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECDSA)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_ECDSA=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CCM)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_CCM=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_GCM)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_GCM=y)

-+endif

-+ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA3)),y)

-+  $(error FIPS canister requires CONFIG_CRYPTO_SHA3=y)

-+endif

-+endif

-diff --git a/init/main.c b/init/main.c

-index fe378351e..962edcc54 100644

-+++ b/init/main.c

-@@ -882,6 +882,8 @@ static int __init early_randomize_kstack_offset(char *buf)

- early_param("randomize_kstack_offset", early_randomize_kstack_offset);

- #endif

- 

-+extern int fips_integrity_init(void);

-+

- void __init __weak arch_call_rest_init(void)

- {

- 	rest_init();

-@@ -983,6 +985,7 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)

- 	/* Architectural and non-timekeeping rng init, before allocator init */

- 	random_init_early(command_line);

- 

-+	fips_integrity_init();

- 	/*

- 	 * These use large bootmem allocations and must precede

- 	 * kmem_cache_init()

-diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile

-index c852f067a..33d229c6d 100644

-+++ b/lib/crypto/Makefile

-@@ -7,9 +7,6 @@ libcryptoutils-y				:= memneq.o utils.o

- obj-y						+= chacha.o

- obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC)		+= libchacha.o

- 

--obj-$(CONFIG_CRYPTO_LIB_AES)			+= libaes.o

--libaes-y					:= aes.o

--

- obj-$(CONFIG_CRYPTO_LIB_ARC4)			+= libarc4.o

- libarc4-y					:= arc4.o

- 

-@@ -37,12 +34,6 @@ libpoly1305-y					:= poly1305-donna32.o

- libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o

- libpoly1305-y					+= poly1305.o

- 

--obj-$(CONFIG_CRYPTO_LIB_SHA1)			+= libsha1.o

--libsha1-y					:= sha1.o

--

--obj-$(CONFIG_CRYPTO_LIB_SHA256)			+= libsha256.o

--libsha256-y					:= sha256.o

--

- ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)

- libblake2s-y					+= blake2s-selftest.o

- libchacha20poly1305-y				+= chacha20poly1305-selftest.o

-2.41.0

new file mode 100644

@@ -0,0 +1,295 @@

+From a31ce76f47615c99cc429e8ca0c615401a6f0b0e Mon Sep 17 00:00:00 2001

+From: Keerthana K <keerthanak@vmware.com>

+Date: Wed, 20 Sep 2023 07:38:08 +0000

+Subject: [PATCH] FIPS canister binary usage

+

+Build with fips canister and skip building crypto algorithms.

+Invoke fips canister integrity check during kernel startup.

+

+This patch can be used at two stages:

+ 1. Prerequisite patch for canister creation.

+ 2. Binary canister usage time.

+

+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

+Signed-off-by: Keerthana K <keerthanak@vmware.com>

+Signed-off-by: Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com>

+---

+ arch/x86/crypto/Makefile |   4 --

+ crypto/Makefile          | 116 +++++++++++++++++++++++++++++++--------

+ init/main.c              |   3 +

+ lib/crypto/Makefile      |   9 ---

+ 4 files changed, 95 insertions(+), 37 deletions(-)

+

+diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile

+index 3b1d701a4..3836c4e30 100644

+--- a/arch/x86/crypto/Makefile

+@@ -46,10 +46,6 @@ obj-$(CONFIG_CRYPTO_CHACHA20_X86_64) += chacha-x86_64.o

+ chacha-x86_64-y := chacha-avx2-x86_64.o chacha-ssse3-x86_64.o chacha_glue.o

+ chacha-x86_64-$(CONFIG_AS_AVX512) += chacha-avx512vl-x86_64.o

+ 

+-obj-$(CONFIG_CRYPTO_AES_NI_INTEL) += aesni-intel.o

+-aesni-intel-y := aesni-intel_asm.o aesni-intel_glue.o

+-aesni-intel-$(CONFIG_64BIT) += aesni-intel_avx-x86_64.o aes_ctrby8_avx-x86_64.o

+-

+ obj-$(CONFIG_CRYPTO_SHA1_SSSE3) += sha1-ssse3.o

+ sha1-ssse3-y := sha1_avx2_x86_64_asm.o sha1_ssse3_asm.o sha1_ssse3_glue.o

+ sha1-ssse3-$(CONFIG_AS_SHA1_NI) += sha1_ni_asm.o

+diff --git a/crypto/Makefile b/crypto/Makefile

+index 515ca3a4c..19bf4080d 100644

+--- a/crypto/Makefile

+@@ -18,10 +18,8 @@ crypto_algapi-y := algapi.o scatterwalk.o $(crypto_algapi-y)

+ obj-$(CONFIG_CRYPTO_ALGAPI2) += crypto_algapi.o

+ 

+ obj-$(CONFIG_CRYPTO_AEAD2) += aead.o

+-obj-$(CONFIG_CRYPTO_AEAD2) += geniv.o

+ 

+ obj-$(CONFIG_CRYPTO_SKCIPHER2) += skcipher.o

+-obj-$(CONFIG_CRYPTO_SEQIV) += seqiv.o

+ obj-$(CONFIG_CRYPTO_ECHAINIV) += echainiv.o

+ 

+ crypto_hash-y += ahash.o

+@@ -44,7 +42,6 @@ rsa_generic-y += rsaprivkey.asn1.o

+ rsa_generic-y += rsa.o

+ rsa_generic-y += rsa_helper.o

+ rsa_generic-y += rsa-pkcs1pad.o

+-obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o

+ 

+ $(obj)/sm2signature.asn1.o: $(obj)/sm2signature.asn1.c $(obj)/sm2signature.asn1.h

+ $(obj)/sm2.o: $(obj)/sm2signature.asn1.h

+@@ -53,13 +50,11 @@ sm2_generic-y += sm2signature.asn1.o

+ sm2_generic-y += sm2.o

+ 

+ obj-$(CONFIG_CRYPTO_SM2) += sm2_generic.o

+-obj-$(CONFIG_CRYPTO_SELF_TEST) += crypto_self_test.o

+ 

+ $(obj)/ecdsasignature.asn1.o: $(obj)/ecdsasignature.asn1.c $(obj)/ecdsasignature.asn1.h

+ $(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h

+ ecdsa_generic-y += ecdsa.o

+ ecdsa_generic-y += ecdsasignature.asn1.o

+-obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o

+ 

+ crypto_acompress-y := acompress.o

+ crypto_acompress-y += scompress.o

+@@ -67,22 +62,15 @@ obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o

+ 

+ cryptomgr-y := algboss.o testmgr.o

+ 

+-obj-$(CONFIG_CRYPTO_MANAGER2) += cryptomgr.o

+ obj-$(CONFIG_CRYPTO_USER) += crypto_user.o

+ crypto_user-y := crypto_user_base.o

+ crypto_user-$(CONFIG_CRYPTO_STATS) += crypto_user_stat.o

+-obj-$(CONFIG_CRYPTO_CMAC) += cmac.o

+-obj-$(CONFIG_CRYPTO_HMAC) += hmac.o

+ obj-$(CONFIG_CRYPTO_VMAC) += vmac.o

+ obj-$(CONFIG_CRYPTO_XCBC) += xcbc.o

+ obj-$(CONFIG_CRYPTO_NULL2) += crypto_null.o

+ obj-$(CONFIG_CRYPTO_MD4) += md4.o

+ obj-$(CONFIG_CRYPTO_MD5) += md5.o

+ obj-$(CONFIG_CRYPTO_RMD160) += rmd160.o

+-obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o

+-obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o

+-obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o

+-obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o

+ obj-$(CONFIG_CRYPTO_SM3) += sm3.o

+ obj-$(CONFIG_CRYPTO_SM3_GENERIC) += sm3_generic.o

+ obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o

+@@ -91,21 +79,13 @@ CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns)  # https://gcc.gnu.org/b

+ obj-$(CONFIG_CRYPTO_BLAKE2B) += blake2b_generic.o

+ CFLAGS_blake2b_generic.o := -Wframe-larger-than=4096 #  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105930

+ obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o

+-obj-$(CONFIG_CRYPTO_ECB) += ecb.o

+-obj-$(CONFIG_CRYPTO_CBC) += cbc.o

+-obj-$(CONFIG_CRYPTO_CFB) += cfb.o

+ obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o

+-obj-$(CONFIG_CRYPTO_CTS) += cts.o

+ obj-$(CONFIG_CRYPTO_LRW) += lrw.o

+-obj-$(CONFIG_CRYPTO_XTS) += xts.o

+-obj-$(CONFIG_CRYPTO_CTR) += ctr.o

+ obj-$(CONFIG_CRYPTO_XCTR) += xctr.o

+ obj-$(CONFIG_CRYPTO_HCTR2) += hctr2.o

+ obj-$(CONFIG_CRYPTO_KEYWRAP) += keywrap.o

+ obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o

+ obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o

+-obj-$(CONFIG_CRYPTO_GCM) += gcm.o

+-obj-$(CONFIG_CRYPTO_CCM) += ccm.o

+ obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o

+ obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o

+ aegis128-y := aegis128-core.o

+@@ -140,7 +120,6 @@ obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o

+ obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o

+ obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o

+ CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure)  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149

+-obj-$(CONFIG_CRYPTO_AES) += aes_generic.o

+ CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356

+ obj-$(CONFIG_CRYPTO_SM4) += sm4.o

+ obj-$(CONFIG_CRYPTO_SM4_GENERIC) += sm4_generic.o

+@@ -171,7 +150,6 @@ obj-$(CONFIG_CRYPTO_XXHASH) += xxhash_generic.o

+ obj-$(CONFIG_CRYPTO_842) += 842.o

+ obj-$(CONFIG_CRYPTO_RNG2) += rng.o

+ obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o

+-obj-$(CONFIG_CRYPTO_DRBG) += drbg.o

+ CFLAGS_jitterentropy.o = -O0

+ KASAN_SANITIZE_jitterentropy.o = n

+ UBSAN_SANITIZE_jitterentropy.o = n

+@@ -185,13 +163,11 @@ obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o

+ obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o

+ obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o

+ obj-$(CONFIG_CRYPTO_OFB) += ofb.o

+-obj-$(CONFIG_CRYPTO_ECC) += ecc.o

+ obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o

+ obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o

+ 

+ ecdh_generic-y += ecdh.o

+ ecdh_generic-y += ecdh_helper.o

+-obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o

+ 

+ $(obj)/ecrdsa_params.asn1.o: $(obj)/ecrdsa_params.asn1.c $(obj)/ecrdsa_params.asn1.h

+ $(obj)/ecrdsa_pub_key.asn1.o: $(obj)/ecrdsa_pub_key.asn1.c $(obj)/ecrdsa_pub_key.asn1.h

+@@ -215,3 +191,95 @@ obj-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o

+ # Key derivation function

+ #

+ obj-$(CONFIG_CRYPTO_KDF800108_CTR) += kdf_sp800108.o

++obj-$(CONFIG_CRYPTO_FIPS) += fips_canister_wrapper_asm.o fips_canister_wrapper.o fips_canister.o

++obj-$(CONFIG_CRYPTO_FIPS) += testmgr_fips_canister_wrapper.o aesni-intel_glue_fips_canister_wrapper.o

++

++ifdef CONFIG_CRYPTO_FIPS

++ifneq ($(CONFIG_CRYPTO_FIPS),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_FIPS=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AEAD)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_AEAD=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AEAD2)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_AEAD2=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SEQIV)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_SEQIV=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_RSA)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_RSA=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_MANAGER)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_MANAGER2)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER2=y)

++endif

++ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS

++  $(error FIPS canister requires CONFIG_CRYPTO_MANAGER_DISABLE_TESTS to be unset)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_HMAC)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_HMAC=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA256)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_SHA256=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA512)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_SHA512=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AES)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_AES=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECB)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_ECB=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CBC)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CBC=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_XTS)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_XTS=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CTR)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CTR=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_DRBG=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG_HASH)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_DRBG_HASH=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_DRBG_CTR)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_DRBG_CTR=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECC)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_ECC=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECDH)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_ECDH=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_AES_NI_INTEL)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_AES_NI_INTEL=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CFB)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CFB=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CMAC)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CMAC=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CTS)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CTS=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_ECDSA)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_ECDSA=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_CCM)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_CCM=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_GCM)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_GCM=y)

++endif

++ifneq ($(subst Y,y,$(CONFIG_CRYPTO_SHA3)),y)

++  $(error FIPS canister requires CONFIG_CRYPTO_SHA3=y)

++endif

++endif

+diff --git a/init/main.c b/init/main.c

+index fe378351e..962edcc54 100644

+--- a/init/main.c

+@@ -882,6 +882,8 @@ static int __init early_randomize_kstack_offset(char *buf)

+ early_param("randomize_kstack_offset", early_randomize_kstack_offset);

+ #endif

+ 

++extern int fips_integrity_init(void);

++

+ void __init __weak arch_call_rest_init(void)

+ {

+ 	rest_init();

+@@ -983,6 +985,7 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)

+ 	/* Architectural and non-timekeeping rng init, before allocator init */

+ 	random_init_early(command_line);

+ 

++	fips_integrity_init();

+ 	/*

+ 	 * These use large bootmem allocations and must precede

+ 	 * kmem_cache_init()

+diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile

+index c852f067a..33d229c6d 100644

+--- a/lib/crypto/Makefile

+@@ -7,9 +7,6 @@ libcryptoutils-y				:= memneq.o utils.o

+ obj-y						+= chacha.o

+ obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC)		+= libchacha.o

+ 

+-obj-$(CONFIG_CRYPTO_LIB_AES)			+= libaes.o

+-libaes-y					:= aes.o

+-

+ obj-$(CONFIG_CRYPTO_LIB_ARC4)			+= libarc4.o

+ libarc4-y					:= arc4.o

+ 

+@@ -37,12 +34,6 @@ libpoly1305-y					:= poly1305-donna32.o

+ libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o

+ libpoly1305-y					+= poly1305.o

+ 

+-obj-$(CONFIG_CRYPTO_LIB_SHA1)			+= libsha1.o

+-libsha1-y					:= sha1.o

+-

+-obj-$(CONFIG_CRYPTO_LIB_SHA256)			+= libsha256.o

+-libsha256-y					:= sha256.o

+-

+ ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)

+ libblake2s-y					+= blake2s-selftest.o

+ libchacha20poly1305-y				+= chacha20poly1305-selftest.o

+-- 

+2.41.0

@@ -21,7 +21,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        6.1.62

-Release:        5%{?dist}

+Release:        6%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -57,9 +57,9 @@ Source8:       https://sourceforge.net/projects/e1000/files/ice%20stable/%{ice_v

 %if 0%{?fips}

 Source9:        check_fips_canister_struct_compatibility.inc

-%define fips_canister_version 5.0.0-6.1.62-2%{?dist}-secure

+%define fips_canister_version 5.0.0-6.1.62-7%{?dist}-secure

 Source16:       fips-canister-%{fips_canister_version}.tar.bz2

-%define sha512 fips-canister=212844b76c93cb7b07d630c558a2968740ab1eec80209ea7f407f3f32a21135e6be74fd5622a252601495d4b3e2fe952c2a17f8501724ea1c804ca6078eef4f8

+%define sha512 fips-canister=e63f5200a669cc40952fc1cfea499d4bc029999098f8252d2c5ffac08392aefe3d57aa68226079dffa4e0f5ddd26c83f85fcebcb21bfd0935aecc8a02f1714a9

 Source18:       speedup-algos-registration-in-non-fips-mode.patch

 %endif

@@ -219,7 +219,7 @@ Patch505: 0001-changes-to-build-with-jitterentropy-v3.4.1.patch

 %if 0%{?fips}

 # FIPS canister usage patch

-Patch508: 6.1.62-2-0001-FIPS-canister-binary-usage.patch

+Patch508: 6.1.62-7-0001-FIPS-canister-binary-usage.patch

 Patch509: 0001-scripts-kallsyms-Extra-kallsyms-parsing.patch

 Patch510: FIPS-do-not-allow-not-certified-algos-in-fips-2.patch

 %endif

@@ -548,6 +548,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %{_usrsrc}/linux-headers-%{uname_r}

 %changelog

+* Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-6

+- Update canister to 5.0.0-6.1.62-7

 * Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-5

 - Update canister to 5.0.0-6.1.62-2

 * Wed Dec 20 2023 Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com> 6.1.62-4

@@ -14,7 +14,7 @@

 Summary:        Kernel

 Name:           linux-rt

 Version:        6.1.62

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -58,9 +58,9 @@ Source9: https://sourceforge.net/projects/e1000/files/ice%20stable/%{ice_version

 %if 0%{?fips}

 Source10: check_fips_canister_struct_compatibility.inc

-%define fips_canister_version 5.0.0-6.1.62-2%{?dist}-secure

+%define fips_canister_version 5.0.0-6.1.62-7%{?dist}-secure

 Source16: fips-canister-%{fips_canister_version}.tar.bz2

-%define sha512 fips-canister=212844b76c93cb7b07d630c558a2968740ab1eec80209ea7f407f3f32a21135e6be74fd5622a252601495d4b3e2fe952c2a17f8501724ea1c804ca6078eef4f8

+%define sha512 fips-canister=e63f5200a669cc40952fc1cfea499d4bc029999098f8252d2c5ffac08392aefe3d57aa68226079dffa4e0f5ddd26c83f85fcebcb21bfd0935aecc8a02f1714a9

 %endif

 Source19: spec_install_post.inc

@@ -184,7 +184,7 @@ Patch1005: 0001-changes-to-build-with-jitterentropy-v3.4.1.patch

 %if 0%{?fips}

 # FIPS canister usage patch

-Patch1008: 6.1.62-2-0001-FIPS-canister-binary-usage.patch

+Patch1008: 6.1.62-7-0001-FIPS-canister-binary-usage.patch

 Patch1009: 0001-scripts-kallsyms-Extra-kallsyms-parsing.patch

 Patch1010: FIPS-do-not-allow-not-certified-algos-in-fips-2.patch

 %endif

@@ -506,6 +506,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %{_usrsrc}/linux-headers-%{uname_r}

 %changelog

+* Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-5

+- Update canister to 5.0.0-6.1.62-7

 * Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-4

 - Update canister to 5.0.0-6.1.62-2

 * Wed Dec 20 2023 Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com> 6.1.62-3

@@ -14,7 +14,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        6.1.62

-Release:        9%{?kat_build:.kat}%{?dist}

+Release:        10%{?kat_build:.kat}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -40,9 +40,9 @@ Source5:        linux-sbat.csv.in

 %if 0%{?fips}

 Source9:        check_fips_canister_struct_compatibility.inc

-%define fips_canister_version 5.0.0-6.1.62-2%{dist}-secure

+%define fips_canister_version 5.0.0-6.1.62-7%{dist}-secure

 Source16:       fips-canister-%{fips_canister_version}.tar.bz2

-%define sha512 fips-canister=212844b76c93cb7b07d630c558a2968740ab1eec80209ea7f407f3f32a21135e6be74fd5622a252601495d4b3e2fe952c2a17f8501724ea1c804ca6078eef4f8

+%define sha512 fips-canister=e63f5200a669cc40952fc1cfea499d4bc029999098f8252d2c5ffac08392aefe3d57aa68226079dffa4e0f5ddd26c83f85fcebcb21bfd0935aecc8a02f1714a9

 %endif

 %if 0%{?canister_build}

@@ -155,7 +155,7 @@ Patch505: 0001-changes-to-build-with-jitterentropy-v3.4.1.patch

 %if 0%{?fips}

 # FIPS canister usage patch

-Patch508: 6.1.62-2-0001-FIPS-canister-binary-usage.patch

+Patch508: 6.1.62-7-0001-FIPS-canister-binary-usage.patch

 Patch509: 0001-scripts-kallsyms-Extra-kallsyms-parsing.patch

 Patch510: FIPS-do-not-allow-not-certified-algos-in-fips-2.patch

 %endif

@@ -164,7 +164,7 @@ Patch510: FIPS-do-not-allow-not-certified-algos-in-fips-2.patch

 # Below patches are common for fips and canister_build flags

 # 0001-FIPS-canister-binary-usage.patch is renamed as <ver-rel>-0001-FIPS-canister-binary-usage.patch

 # in both places until final canister binary is released

-Patch10000: 6.1.62-2-0001-FIPS-canister-binary-usage.patch

+Patch10000: 6.1.62-7-0001-FIPS-canister-binary-usage.patch

 Patch10001: 0001-scripts-kallsyms-Extra-kallsyms-parsing.patch

 # Below patches are specific to canister_build flag

 Patch10003: 0002-FIPS-canister-creation.patch

@@ -468,6 +468,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %endif

 %changelog

+* Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-10

+- Update canister to 5.0.0-6.1.62-7

 * Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-9

 - Include a RSA patch to canister that verifies whether public exponent is in prescribed range

 * Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-8

@@ -25,7 +25,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        6.1.62

-Release:        4%{?acvp_build:.acvp}%{?dist}

+Release:        5%{?acvp_build:.acvp}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -70,9 +70,9 @@ Source13:       https://sourceforge.net/projects/e1000/files/ice%20stable/%{ice_

 %if 0%{?fips}

 Source9:        check_fips_canister_struct_compatibility.inc

-%define fips_canister_version 5.0.0-6.1.62-2%{?dist}-secure

+%define fips_canister_version 5.0.0-6.1.62-7%{?dist}-secure

 Source16:       fips-canister-%{fips_canister_version}.tar.bz2

-%define sha512 fips-canister=212844b76c93cb7b07d630c558a2968740ab1eec80209ea7f407f3f32a21135e6be74fd5622a252601495d4b3e2fe952c2a17f8501724ea1c804ca6078eef4f8

+%define sha512 fips-canister=e63f5200a669cc40952fc1cfea499d4bc029999098f8252d2c5ffac08392aefe3d57aa68226079dffa4e0f5ddd26c83f85fcebcb21bfd0935aecc8a02f1714a9

 %endif

 Source18:       spec_install_post.inc

@@ -221,7 +221,7 @@ Patch505: 0001-changes-to-build-with-jitterentropy-v3.4.1.patch

 %if 0%{?fips}

 # FIPS canister usage patch

-Patch508: 6.1.62-2-0001-FIPS-canister-binary-usage.patch

+Patch508: 6.1.62-7-0001-FIPS-canister-binary-usage.patch

 Patch509: 0001-scripts-kallsyms-Extra-kallsyms-parsing.patch

 Patch510: FIPS-do-not-allow-not-certified-algos-in-fips-2.patch

 %endif

@@ -799,6 +799,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %{_datadir}/bash-completion/completions/bpftool

 %changelog

+* Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-5

+- Update canister to 5.0.0-6.1.62-7

 * Wed Dec 20 2023 Keerthana K <keerthanak@vmware.com> 6.1.62-4

 - Update canister to 5.0.0-6.1.62-2

 * Wed Dec 20 2023 Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com> 6.1.62-3