2 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
3 # ex: ts=8 sw=4 sts=4 et filetype=sh
9 if [ -n "$boot" ]; then
12 boot
="$(echo $boot | sed 's,/,\\x2f,g')"
13 boot
="/dev/disk/by-label/${boot#LABEL=}"
16 boot
="/dev/disk/by-uuid/${boot#UUID=}"
19 boot
="/dev/disk/by-partuuid/${boot#PARTUUID=}"
22 boot
="/dev/disk/by-partlabel/${boot#PARTLABEL=}"
27 die
"You have to specify boot=<boot device> as a boot option for fips=1" ;;
30 if ! [ -e "$boot" ]; then
31 udevadm trigger
--action=add
>/dev
/null
2>&1
32 [ -z "$UDEVVERSION" ] && UDEVVERSION
=$
(udevadm
--version)
34 while ! [ -e $boot ]; do
35 if [ $UDEVVERSION -ge 143 ]; then
36 udevadm settle
--exit-if-exists=$boot
38 udevadm settle
--timeout=30
43 [ $i -gt 40 ] && break
47 [ -e "$boot" ] ||
return 1
50 info
"Mounting $boot as /boot"
51 mount
-oro "$boot" /boot ||
return 1
52 elif [ -d "$NEWROOT/boot" ]; then
54 ln -sf "$NEWROOT/boot" /boot
63 # If we're on RHEV-H, the kernel is in /dev/.initramfs/live/vmlinuz0
64 HMAC_SUM_ORIG
=$
(cat /boot
/.vmlinuz-
${KERNEL}.hmac |
while read a b
; do printf "%s\n" $a; done)
65 HMAC_SUM_CALC
=$
(sha512hmac
$kpath |
while read a b
; do printf "%s\n" $a; done ||
return 1)
66 if [ -z "$HMAC_SUM_ORIG" ] ||
[ -z "$HMAC_SUM_CALC" ] ||
[ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
67 warn
"HMAC sum mismatch"
83 if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
84 warn
"/boot/.vmlinuz-${KERNEL}.hmac does not exist"
88 FIPSMODULES
=$
(cat /etc
/fipsmodules
)
90 info
"Loading and integrity checking all crypto modules"
91 mv /etc
/modprobe.d
/fips.conf
/etc
/modprobe.d
/fips.conf.bak
92 for _module
in $FIPSMODULES; do
93 if [ "$_module" != "tcrypt" ]; then
94 if ! modprobe
"${_module}"; then
95 # check if kernel provides generic algo
97 while read _k _s _v
; do
98 [ "$_k" != "name" -a "$_k" != "driver" ] && continue
99 [ "$_k" = "driver" ] && _v
=$
(str_replace
"$_v" "_" "-")
100 [ "$_v" != "$_module" ] && continue
104 [ "$_found" = "0" ] && return 1
108 mv /etc
/modprobe.d
/fips.conf.bak
/etc
/modprobe.d
/fips.conf
110 info
"Self testing crypto algorithms"
111 modprobe tcrypt ||
return 1
114 info
"Checking integrity of kernel"
115 if [ -e "$NEWROOT/dev/.initramfs/live/vmlinuz0" ]; then
116 do_rhevh_check
"$NEWROOT/dev/.initramfs/live/vmlinuz0" ||
return 1
117 elif [ -e "$NEWROOT/dev/.initramfs/live/isolinux/vmlinuz0" ]; then
118 do_rhevh_check
"$NEWROOT/dev/.initramfs/live/isolinux/vmlinuz0" ||
return 1
120 sha512hmac
-c "/boot/.vmlinuz-${KERNEL}.hmac" ||
return 1
123 info
"All initrd crypto checks done"
127 umount
/boot
>/dev
/null
2>&1