git.ipfire.org Git - thirdparty/dracut.git/blob - modules.d/01fips/fips.sh
2 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
3 # ex: ts=8 sw=4 sts=4 et filetype=sh
# Locate the device named by $boot, wait for its node to appear, and mount it
# read-only on /boot; otherwise fall back to $NEWROOT/boot. The gutter numbers
# skip, so some lines of this section (the function header, the case patterns,
# the closing fi/done/esac) are absent from this listing.
# NOTE(review): $boot presumably comes from the boot= kernel option named in
# the die message below. Confirm where it is read.
9 if [ -n "$boot" ]; then
# Replace every "/" in the value with the literal text \x2f.
# NOTE(review): $boot is unquoted inside the command substitution, so it is
# word-split and glob-expanded before sed sees it. "$boot" would avoid that.
12 boot
="$(echo $boot | sed 's,/,\\x2f,g')"
# Strip a leading LABEL= and point at the by-label device link.
13 boot
="/dev/disk/by-label/${boot#LABEL=}"
# Strip a leading UUID= and point at the by-uuid device link.
16 boot
="/dev/disk/by-uuid/${boot#UUID=}"
# Abort with a usage message. The pattern selecting this arm is not in the listing.
21 die
"You have to specify boot=<boot device> as a boot option for fips=1" ;;
# Device node not there yet: ask udev to replay "add" events, output discarded.
24 if ! [ -e "$boot" ]; then
25 udevadm trigger
--action=add
>/dev
/null
2>&1
# Query the udev version only when the caller has not already set it.
26 [ -z "$UDEVVERSION" ] && UDEVVERSION
=$
(udevadm
--version)
# Poll until the node exists.
# NOTE(review): $boot and $UDEVVERSION are unquoted in the two tests below. An
# empty UDEVVERSION makes the -ge test a syntax error rather than a clean false.
28 while ! [ -e $boot ]; do
29 if [ $UDEVVERSION -ge 143 ]; then
# udev 143 or later: settle returns as soon as the node exists.
30 udevadm settle
--exit-if-exists=$boot
# Other branch: settle with a 30 second timeout.
32 udevadm settle
--timeout=30
# Stop polling once the counter exceeds 40. Its initialisation and increment
# are not in the listing.
37 [ $i -gt 40 ] && break
# Still no device node after waiting: report failure to the caller.
41 [ -e "$boot" ] ||
return 1
44 info
"Mounting $boot as /boot"
# Mount read-only. A failed mount is returned as an error, not ignored.
45 mount
-oro "$boot" /boot ||
return 1
# $boot was empty: use the boot directory of the already mounted root.
46 elif [ -d "$NEWROOT/boot" ]; then
48 ln -sf "$NEWROOT/boot" /boot
# FIPS start-up checks: handle the modules listed in /etc/fipsmodules, load
# tcrypt, verify the kernel image against its HMAC file, then unmount /boot.
# The gutter numbers skip, so some lines of this section are not in the listing.
# Warn when the kernel's HMAC file is missing. What follows the warning is not
# in the listing.
56 if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
57 warn
"/boot/.vmlinuz-${KERNEL}.hmac does not exist"
# Read the module list into a variable.
61 FIPSMODULES
=$
(cat /etc
/fipsmodules
)
63 info
"Loading and integrity checking all crypto modules"
# $FIPSMODULES is left unquoted on purpose so each whitespace-separated name is
# one iteration. tcrypt is skipped here and loaded separately below. The
# per-module command is not in the listing.
64 for module
in $FIPSMODULES; do
65 if [ "$module" != "tcrypt" ]; then
69 info
"Self testing crypto algorithms"
# A failed tcrypt load aborts the sequence with status 1.
70 modprobe tcrypt ||
return 1
73 info
"Checking integrity of kernel"
# Verify using the HMAC file as the check list; a mismatch returns 1.
# NOTE(review): the reference HMAC is read from the same /boot as the kernel it
# covers, so this is an integrity self-check. Whether it resists deliberate
# tampering depends on how the HMAC key and /boot are protected. Confirm.
74 sha512hmac
-c "/boot/.vmlinuz-${KERNEL}.hmac" ||
return 1
76 info
"All initrd crypto checks done"
# Unmount /boot. Output is discarded and the exit status is not checked here.
80 umount
/boot
>/dev
/null
2>&1