Implement support for protecting the exported symbols of
protected GKI modules.
Only signed GKI modules are permitted to export symbols
listed in the android/abi_gki_protected_exports file.
Attempting to export these symbols from an unsigned module
will result in the module failing to load, with a
'Permission denied' error message.
Bug: 232430739
Test: TH
Change-Id: I3e8b330938e116bb2e022d356ac0d55108a84a01
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Add CONFIG_MODULE_SIG_PROTECT to enable lookup for the unprotected
symbols from the build time generated list of symbols.
Module loading behavior will change as follows:
- Allows Android GKI Modules signed using MODULE_SIG_ALL during build.
- Allows other modules to load if they don't violate the access to
Android GKI protected symbols. Loading will fail and return
-EACCES (Permission denied) if these modules access the symbol which
is not allowlisted via symbol list or exported by a GKI module.
Bug: 232430739
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I751b1951241b45712c20ac0e3878abd2152dd002
This reverts commit 31d5735baf.
Reason for revert: Part of old protected/unprotected module implemenation.
It is being replaced by a new design listed as option 2A at
go/gki-modules-build-integration
Bug: 232430739
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I649c57196b167d9452e5e6d3b2af2dd8c1d4bcdd
This reverts commit 438c43687f.
Reason for revert: Part of old protected/unprotected module implemenation.
It is being replaced by a new design listed as option 2A at
go/gki-modules-build-integration
Bug: 232430739
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I994b0ce0f30c4098bc5d3d2560b10a117486cc1f
Script doesn't honor the Kernel's quiet command
mechanism with KBuild; so need to remove info
only echo. Added set -x in case make V=1 for keeping
debugging handy for script in the future.
Bug: 234116152
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: Iea881816b9bc8c47157a33da67d6cf5f8357a7be
(cherry picked from commit 08a1879c87)
Called By: KERNEL_SRC/kernel/Makefile if CONFIG_MODULE_SIG_PROTECT=y
Generates headers required by gki_modules.c from symbol lists:
gki_module_protected.h: from android/abi_gki_modules_protected
gki_module_exported.h: from android/abi_gki_modules_exports
Bug: 200082547
Test: Treehugger
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: Ibcc6e6fe0ad6c7850d48f7c0a283c7f9b06e4456
(cherry picked from commit 23cd26aab14d813fd73eced18988bae06d5b9334)
