modules.d/01fips/fips.sh

   1 #!/bin/sh
   2 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
   3 # ex: ts=8 sw=4 sts=4 et filetype=sh
   4
   5 mount_boot()
   6 {
   7     boot=$(getarg boot=)
   8
   9     if [ -n "$boot" ]; then
  10         case "$boot" in
  11         LABEL=*)
  12             boot="$(echo $boot | sed 's,/,\\x2f,g')"
  13             boot="/dev/disk/by-label/${boot#LABEL=}"
  14             ;;
  15         UUID=*)
  16             boot="/dev/disk/by-uuid/${boot#UUID=}"
  17             ;;
  18         /dev/*)
  19             ;;
  20         *)
  21             die "You have to specify boot=<boot device> as a boot option for fips=1" ;;
  22         esac
  23
  24         if ! [ -e "$boot" ]; then
  25             udevadm trigger --action=add >/dev/null 2>&1
  26             [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
  27             i=0
  28             while ! [ -e $boot ]; do
  29                 if [ $UDEVVERSION -ge 143 ]; then
  30                     udevadm settle --exit-if-exists=$boot
  31                 else
  32                     udevadm settle --timeout=30
  33                 fi
  34                 [ -e $boot ] && break
  35                 sleep 0.5
  36                 i=$(($i+1))
  37                 [ $i -gt 40 ] && break
  38             done
  39         fi
  40
  41         [ -e "$boot" ] || return 1
  42
  43         mkdir /boot
  44         info "Mounting $boot as /boot"
  45         mount -oro "$boot" /boot || return 1
  46     elif [ -d "$NEWROOT/boot" ]; then
  47         rm -fr -- /boot
  48         ln -sf "$NEWROOT/boot" /boot
  49     fi
  50 }
  51
  52 do_fips()
  53 {
  54     KERNEL=$(uname -r)
  55
  56     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
  57         warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
  58         return 1
  59     fi
  60
  61     FIPSMODULES=$(cat /etc/fipsmodules)
  62
  63     info "Loading and integrity checking all crypto modules"
  64     for module in $FIPSMODULES; do
  65         if [ "$module" != "tcrypt" ]; then
  66             modprobe ${module}
  67         fi
  68     done
  69     info "Self testing crypto algorithms"
  70     modprobe tcrypt || return 1
  71     rmmod tcrypt
  72
  73     info "Checking integrity of kernel"
  74     sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
  75
  76     info "All initrd crypto checks done"
  77
  78     > /tmp/fipsdone
  79
  80     umount /boot >/dev/null 2>&1
  81
  82     return 0
  83 }