[thirdparty/dracut.git] / modules.d / 01fips / module-setup.sh

#!/bin/bash

# called by dracut
check() {
    return 255
}

# called by dracut
depends() {
    return 0
}

# called by dracut
installkernel() {
    local _fipsmodules _mod
    if [[ -f "${srcmods}/modules.fips" ]]; then
        _fipsmodules="$(cat "${srcmods}/modules.fips")"
    else
        _fipsmodules=""

        # Hashes:
        _fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
        _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
        _fipsmodules+="crc32c crct10dif ghash "

        # Ciphers:
        _fipsmodules+="cipher_null des3_ede aes "

        # Modes/templates:
        _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "

        # Compression algs:
        _fipsmodules+="deflate lzo zlib "

        # PRNG algs:
        _fipsmodules+="ansi_cprng "

        # Misc:
        _fipsmodules+="aead cryptomgr tcrypt crypto_user "
    fi

    mkdir -m 0755 -p "${initdir}/etc/modprobe.d"

    for _mod in $_fipsmodules; do
        if hostonly='' instmods -c -s $_mod; then
            echo $_mod >> "${initdir}/etc/fipsmodules"
            echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
        fi
    done
}

# called by dracut
install() {
    local _dir
    inst_hook pre-mount 01 "$moddir/fips-boot.sh"
    inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
    inst_script "$moddir/fips.sh" /sbin/fips.sh

    inst_multiple sha512hmac rmmod insmod mount uname umount

    inst_simple /etc/system-fips
    [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \
        || {
            dfatal "Cannot create /dev/random"
            dfatal "To create an initramfs with fips support, dracut has to run as root"
            return 1
        }
    [ -c ${initdir}/dev/urandom ] || mknod ${initdir}/dev/urandom c 1 9 \
        || {
            dfatal "Cannot create /dev/random"
            dfatal "To create an initramfs with fips support, dracut has to run as root"
            return 1
        }
}
Commit	Line	Data
95d2dabc	1	#!/bin/bash
95d2dabc	2
8bcfd683	3	# called by dracut
95d2dabc HH	4	check() {
	5	return 255
	6	}
	7
8bcfd683	8	# called by dracut
95d2dabc HH	9	depends() {
	10	return 0
	11	}
	12
8bcfd683	13	# called by dracut
95d2dabc	14	installkernel() {
29b10e65	15	local _fipsmodules _mod
7c29d205 HH	16	if [[ -f "${srcmods}/modules.fips" ]]; then
	17	_fipsmodules="$(cat "${srcmods}/modules.fips")"
	18	else
f4d34357 OM	19	_fipsmodules=""
	20
	21	# Hashes:
cec0d041	22	_fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
f4d34357	23	_fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
cec0d041	24	_fipsmodules+="crc32c crct10dif ghash "
f4d34357 OM	25
f4d34357 OM	26	# Ciphers:
cec0d041	27	_fipsmodules+="cipher_null des3_ede aes "
f4d34357 OM	28
f4d34357 OM	29	# Modes/templates:
cec0d041	30	_fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "
f4d34357 OM	31
	32	# Compression algs:
	33	_fipsmodules+="deflate lzo zlib "
	34
	35	# PRNG algs:
	36	_fipsmodules+="ansi_cprng "
	37
	38	# Misc:
	39	_fipsmodules+="aead cryptomgr tcrypt crypto_user "
7c29d205	40	fi
95d2dabc	41
d125a470	42	mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
95d2dabc	43
29b10e65	44	for _mod in $_fipsmodules; do
338b43cd	45	if hostonly='' instmods -c -s $_mod; then
29b10e65 HH	46	echo $_mod >> "${initdir}/etc/fipsmodules"
29b10e65 HH	47	echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
95d2dabc HH	48	fi
	49	done
	50	}
	51
8bcfd683	52	# called by dracut
95d2dabc	53	install() {
29b10e65	54	local _dir
e54ab383	55	inst_hook pre-mount 01 "$moddir/fips-boot.sh"
4257798f	56	inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
53fe81e7	57	inst_script "$moddir/fips.sh" /sbin/fips.sh
4257798f	58
bca1967c	59	inst_multiple sha512hmac rmmod insmod mount uname umount
95d2dabc	60
185e940e	61	inst_simple /etc/system-fips
1d832b4b HH	62	[ -c ${initdir}/dev/random ] \|\| mknod ${initdir}/dev/random c 1 8 \
	63	\|\| {
	64	dfatal "Cannot create /dev/random"
	65	dfatal "To create an initramfs with fips support, dracut has to run as root"
	66	return 1
	67	}
	68	[ -c ${initdir}/dev/urandom ] \|\| mknod ${initdir}/dev/urandom c 1 9 \
	69	\|\| {
	70	dfatal "Cannot create /dev/random"
	71	dfatal "To create an initramfs with fips support, dracut has to run as root"
	72	return 1
	73	}
95d2dabc	74	}