Enable FIPS
Build the bcm sources with a linker script to inject extra
symbols and then set inject_bssl_hash to add the hash of the
bcm .text section to the shared library.
Bug: 137267623
Test: m checkbuild
Change-Id: I648dd860739ebd4ddd1ba8a71dadeb87d5d3a53b
diff --git a/Android.bp b/Android.bp
index 5e6cf0f..8ac988a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -76,6 +76,60 @@
clang_asflags: ["-march=armv8-a+crypto"],
},
},
+ // To allow integrity check to read and checksum the code
+ xom: false,
+}
+
+cc_object {
+ name: "bcm_object",
+ device_supported: true,
+ recovery_available: true,
+ native_bridge_supported: true,
+ defaults: [
+ "libcrypto_bcm_sources",
+ "libcrypto_defaults",
+ "boringssl_defaults",
+ "boringssl_flags",
+ ],
+ target: {
+ android: {
+ cflags: [
+ "-DBORINGSSL_FIPS",
+ "-fPIC",
+ ],
+ linker_script: "src/crypto/fipsmodule/fips_shared.lds",
+ },
+ },
+}
+
+bootstrap_go_package {
+ name: "bssl_ar",
+ pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
+ srcs: [
+ "src/util/ar/ar.go",
+ ],
+ testSrcs: [
+ "src/util/ar/ar_test.go",
+ ],
+}
+
+bootstrap_go_package {
+ name: "bssl_fipscommon",
+ pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
+ srcs: [
+ "src/util/fipstools/fipscommon/const.go",
+ ],
+}
+
+blueprint_go_binary {
+ name: "bssl_inject_hash",
+ srcs: [
+ "src/util/fipstools/inject_hash/inject_hash.go",
+ ],
+ deps: [
+ "bssl_ar",
+ "bssl_fipscommon",
+ ],
}
// Target and host library
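Review bot: `xom: false` at the top of this hunk sits at the top level of a defaults block whose opening is outside the hunk, so as written it is not limited to `target.android`, even though the FIPS flags that need it are. It appears to turn off execute-only memory for every module that inherits those defaults. The existing comment gives the reason but not the scope or the cost, and a later reader could copy the setting into other modules. I would expand it to something like `// FIPS integrity check hashes this module's .text at startup, so its code pages must stay readable.` followed by `// This removes the execute-only-memory hardening for everything using these defaults; do not copy elsewhere.` If the property can be set per target, it would be worth confirming whether it can move next to `-DBORINGSSL_FIPS` in `bcm_object` so that non-FIPS variants keep XOM.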
@@ -90,13 +144,23 @@
double_loadable: true,
recovery_available: true,
defaults: [
- "libcrypto_bcm_sources",
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
unique_host_soname: true,
+ srcs: [
+ ":bcm_object",
+ ],
+ target: {
+ android: {
+ cflags: [
+ "-DBORINGSSL_FIPS",
+ ],
+ inject_bssl_hash: true,
+ },
+ },
}
// Static library
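Review bot: `-DBORINGSSL_FIPS` is now spelled out twice, here under `target.android` and in `bcm_object` in the previous hunk, and nothing in the file records that both depend on `inject_bssl_hash: true`. If one of the three drifts for some variant, for example the flag stays but hash injection is dropped, the startup integrity check would presumably fail when the library loads rather than at build time. The `m checkbuild` run named in the description would not catch that. A comment above this `target` block would record the coupling: `// FIPS: keep -DBORINGSSL_FIPS in sync with bcm_object and always pair it with inject_bssl_hash;` then `// the startup self-check compares the module's .text against the injected hash.` The module this hunk edits opens outside the hunk, so whether other variants such as the static library below need the same treatment cannot be judged from here.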