[thirdparty/dracut.git] / modules.d / 01fips / fips.sh

#!/bin/sh

# systemd lets stdout go to journal only, but the system
# has to halt when the integrity check fails to satisfy FIPS.
if [ -z "$DRACUT_SYSTEMD" ]; then
    fips_info() {
        info "$*"
    }
else
    fips_info() {
        echo "$*" >&2
    }
fi

mount_boot()
{
    boot=$(getarg boot=)

    if [ -n "$boot" ]; then
        case "$boot" in
        LABEL=*)
            boot="$(echo $boot | sed 's,/,\\x2f,g')"
            boot="/dev/disk/by-label/${boot#LABEL=}"
            ;;
        UUID=*)
            boot="/dev/disk/by-uuid/${boot#UUID=}"
            ;;
        PARTUUID=*)
            boot="/dev/disk/by-partuuid/${boot#PARTUUID=}"
            ;;
        PARTLABEL=*)
            boot="/dev/disk/by-partlabel/${boot#PARTLABEL=}"
            ;;
        /dev/*)
            ;;
        *)
            die "You have to specify boot=<boot device> as a boot option for fips=1" ;;
        esac

        if ! [ -e "$boot" ]; then
            udevadm trigger --action=add >/dev/null 2>&1
            [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
            i=0
            while ! [ -e $boot ]; do
                if [ $UDEVVERSION -ge 143 ]; then
                    udevadm settle --exit-if-exists=$boot
                else
                    udevadm settle --timeout=30
                fi
                [ -e $boot ] && break
                sleep 0.5
                i=$(($i+1))
                [ $i -gt 40 ] && break
            done
        fi

        [ -e "$boot" ] || return 1

        mkdir -p /boot
        fips_info "Mounting $boot as /boot"
        mount -oro "$boot" /boot || return 1
    elif [ -d "$NEWROOT/boot" ]; then
        rm -fr -- /boot
        ln -sf "$NEWROOT/boot" /boot
    fi
}

do_rhevh_check()
{
    KERNEL=$(uname -r)
    kpath=${1}

    # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
    HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done)
    HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done || return 1)
    if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
        warn "HMAC sum mismatch"
        return 1
    fi
    fips_info "rhevh_check OK"
    return 0
}

nonfatal_modprobe()
{
    modprobe $1 2>&1 > /dev/stdout |
        while read -r line || [ -n "$line" ]; do
            echo "${line#modprobe: FATAL: }" >&2
        done
}

fips_load_crypto()
{
    FIPSMODULES=$(cat /etc/fipsmodules)

    fips_info "Loading and integrity checking all crypto modules"
    mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
    for _module in $FIPSMODULES; do
        if [ "$_module" != "tcrypt" ]; then
            if ! nonfatal_modprobe "${_module}" 2>/tmp/fips.modprobe_err; then
                # check if kernel provides generic algo
                _found=0
                while read _k _s _v || [ -n "$_k" ]; do
                    [ "$_k" != "name" -a "$_k" != "driver" ] && continue
                    [ "$_v" != "$_module" ] && continue
                    _found=1
                    break
                done </proc/crypto
                [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1
            fi
        fi
    done
    mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf

    fips_info "Self testing crypto algorithms"
    modprobe tcrypt || return 1
    rmmod tcrypt
}

do_fips()
{
    local _v
    local _s
    local _v
    local _module

    KERNEL=$(uname -r)

    fips_info "Checking integrity of kernel"
    if [ -e "/run/initramfs/live/vmlinuz0" ]; then
        do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
    elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
        do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
    elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then
        # This is a boot.iso with the .hmac inside the install.img
        do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1
    else
        BOOT_IMAGE="$(getarg BOOT_IMAGE)"

        # Trim off any leading GRUB boot device (e.g. ($root) )
        BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"

        BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}"
        BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}"

        if [ -z "$BOOT_IMAGE_NAME" ]; then
            BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
        elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
            #if /boot is not a separate partition BOOT_IMAGE might start with /boot
            BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"}
            #on some achitectures BOOT_IMAGE does not contain path to kernel
            #so if we can't find anything, let's treat it in the same way as if it was empty
            if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
                BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
                BOOT_IMAGE_PATH=""
            fi
        fi

        BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac"
        if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then
            warn "${BOOT_IMAGE_HMAC} does not exist"
            return 1
        fi

        (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
    fi

    fips_info "All initrd crypto checks done"

    > /tmp/fipsdone

    umount /boot >/dev/null 2>&1

    return 0
}
Commit	Line	Data
c2bcc5be	1	#!/bin/sh
02c1bd6b	2
e096d861 DM	3	# systemd lets stdout go to journal only, but the system
	4	# has to halt when the integrity check fails to satisfy FIPS.
	5	if [ -z "$DRACUT_SYSTEMD" ]; then
	6	fips_info() {
	7	info "$*"
	8	}
	9	else
	10	fips_info() {
	11	echo "$*" >&2
	12	}
	13	fi
	14
4257798f	15	mount_boot()
03d8ec26	16	{
01583ae4	17	boot=$(getarg boot=)
4257798f HH	18
	19	if [ -n "$boot" ]; then
	20	case "$boot" in
01583ae4	21	LABEL=*)
cc02093d HH	22	boot="$(echo $boot \| sed 's,/,\\x2f,g')"
cc02093d HH	23	boot="/dev/disk/by-label/${boot#LABEL=}"
01583ae4 HH	24	;;
	25	UUID=*)
	26	boot="/dev/disk/by-uuid/${boot#UUID=}"
	27	;;
1e057b35 HH	28	PARTUUID=*)
	29	boot="/dev/disk/by-partuuid/${boot#PARTUUID=}"
	30	;;
	31	PARTLABEL=*)
	32	boot="/dev/disk/by-partlabel/${boot#PARTLABEL=}"
	33	;;
cc02093d	34	/dev/*)
01583ae4	35	;;
b60d5e90 HH	36	*)
b60d5e90 HH	37	die "You have to specify boot=<boot device> as a boot option for fips=1" ;;
4257798f	38	esac
674bdee8	39
4257798f HH	40	if ! [ -e "$boot" ]; then
	41	udevadm trigger --action=add >/dev/null 2>&1
	42	[ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
	43	i=0
	44	while ! [ -e $boot ]; do
	45	if [ $UDEVVERSION -ge 143 ]; then
	46	udevadm settle --exit-if-exists=$boot
	47	else
	48	udevadm settle --timeout=30
	49	fi
	50	[ -e $boot ] && break
4257798f HH	51	sleep 0.5
	52	i=$(($i+1))
	53	[ $i -gt 40 ] && break
	54	done
674bdee8	55	fi
03d8ec26	56
4257798f	57	[ -e "$boot" ] \|\| return 1
03d8ec26	58
9cf7b1c5	59	mkdir -p /boot
e096d861	60	fips_info "Mounting $boot as /boot"
4257798f	61	mount -oro "$boot" /boot \|\| return 1
c9a9968d	62	elif [ -d "$NEWROOT/boot" ]; then
32bd2fbb	63	rm -fr -- /boot
c9a9968d	64	ln -sf "$NEWROOT/boot" /boot
4257798f HH	65	fi
4257798f HH	66	}
03d8ec26	67
190047f1 HH	68	do_rhevh_check()
	69	{
	70	KERNEL=$(uname -r)
	71	kpath=${1}
	72
928da574	73	# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
6d58fa27 HH	74	HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac \| while read a b \|\| [ -n "$a" ]; do printf "%s\n" $a; done)
6d58fa27 HH	75	HMAC_SUM_CALC=$(sha512hmac $kpath \| while read a b \|\| [ -n "$a" ]; do printf "%s\n" $a; done \|\| return 1)
190047f1 HH	76	if [ -z "$HMAC_SUM_ORIG" ] \|\| [ -z "$HMAC_SUM_CALC" ] \|\| [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
	77	warn "HMAC sum mismatch"
	78	return 1
	79	fi
e096d861	80	fips_info "rhevh_check OK"
190047f1 HH	81	return 0
	82	}
	83
da4c9a95 DM	84	nonfatal_modprobe()
	85	{
	86	modprobe $1 2>&1 > /dev/stdout \|
	87	while read -r line \|\| [ -n "$line" ]; do
	88	echo "${line#modprobe: FATAL: }" >&2
	89	done
	90	}
	91
b988934a	92	fips_load_crypto()
4257798f	93	{
02c1bd6b HH	94	FIPSMODULES=$(cat /etc/fipsmodules)
02c1bd6b HH	95
e096d861	96	fips_info "Loading and integrity checking all crypto modules"
748867d1 HH	97	mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
	98	for _module in $FIPSMODULES; do
	99	if [ "$_module" != "tcrypt" ]; then
da4c9a95	100	if ! nonfatal_modprobe "${_module}" 2>/tmp/fips.modprobe_err; then
748867d1 HH	101	# check if kernel provides generic algo
748867d1 HH	102	_found=0
6d58fa27	103	while read _k _s _v \|\| [ -n "$_k" ]; do
748867d1	104	[ "$_k" != "name" -a "$_k" != "driver" ] && continue
748867d1 HH	105	[ "$_v" != "$_module" ] && continue
	106	_found=1
	107	break
	108	done </proc/crypto
01ffcf34	109	[ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1
748867d1	110	fi
03d8ec26 HH	111	fi
03d8ec26 HH	112	done
748867d1 HH	113	mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
748867d1 HH	114
e096d861	115	fips_info "Self testing crypto algorithms"
10b5dca0	116	modprobe tcrypt \|\| return 1
03d8ec26	117	rmmod tcrypt
b988934a LN	118	}
	119
	120	do_fips()
	121	{
	122	local _v
	123	local _s
	124	local _v
	125	local _module
	126
	127	KERNEL=$(uname -r)
6f4c2dad	128
e096d861	129	fips_info "Checking integrity of kernel"
928da574 HH	130	if [ -e "/run/initramfs/live/vmlinuz0" ]; then
	131	do_rhevh_check /run/initramfs/live/vmlinuz0 \|\| return 1
	132	elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
	133	do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 \|\| return 1
05b75703 BL	134	elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then
	135	# This is a boot.iso with the .hmac inside the install.img
	136	do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz \|\| return 1
190047f1	137	else
3d875f77	138	BOOT_IMAGE="$(getarg BOOT_IMAGE)"
cc6792a0 JL	139
	140	# Trim off any leading GRUB boot device (e.g. ($root) )
	141	BOOT_IMAGE="$(echo "${BOOT_IMAGE}" \| sed 's/^(.*)//')"
	142
d818986d LN	143	BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}"
	144	BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}"
	145
	146	if [ -z "$BOOT_IMAGE_NAME" ]; then
	147	BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
9e759aa9	148	elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
8f5c564c	149	#if /boot is not a separate partition BOOT_IMAGE might start with /boot
d818986d LN	150	BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"}
	151	#on some achitectures BOOT_IMAGE does not contain path to kernel
	152	#so if we can't find anything, let's treat it in the same way as if it was empty
	153	if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
	154	BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
	155	BOOT_IMAGE_PATH=""
	156	fi
8f5c564c	157	fi
3d875f77	158
ca4aa848	159	BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac"
8f5c564c LN	160	if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then
8f5c564c LN	161	warn "${BOOT_IMAGE_HMAC} does not exist"
3d875f77 HH	162	return 1
3d875f77 HH	163	fi
d818986d	164
ba813779	165	(cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") \|\| return 1
190047f1	166	fi
6f4c2dad	167
e096d861	168	fips_info "All initrd crypto checks done"
4257798f HH	169
	170	> /tmp/fipsdone
	171
	172	umount /boot >/dev/null 2>&1
03d8ec26 HH	173
	174	return 0
	175	}