#!/bin/sh
+# systemd lets stdout go to journal only, but the system
+# has to halt when the integrity check fails to satisfy FIPS.
+if [ -z "$DRACUT_SYSTEMD" ]; then
+ fips_info() {
+ info "$*"
+ }
+else
+ fips_info() {
+ echo "$*" >&2
+ }
+fi
+
mount_boot()
{
boot=$(getarg boot=)
[ -e "$boot" ] || return 1
mkdir /boot
- info "Mounting $boot as /boot"
+ fips_info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
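Review bot: The comment above the new `fips_info` helper says the system "has to halt when the integrity check fails", but the helper and its call sites only change where the progress messages go (`info` when `DRACUT_SYSTEMD` is empty, stderr otherwise); nothing in this hunk halts anything, so the comment should state the actual reason for the stderr path, e.g. `# Under systemd, info() ends up in the journal only; write to stderr so the FIPS check messages reach the console, since a failed check stops the boot before the journal is readable.` Relatedly, the failure message in the later rhevh_check hunk still goes through `warn "HMAC sum mismatch"` rather than the new helper, so whether the mismatch reason is visible on the console under systemd depends on how dracut-lib's `warn` behaves, which this patch does not touch — worth confirming. As a minor point, `printf '%s\n' "$*" >&2` is the more robust form of `echo "$*" >&2`, given that `$boot` comes from the kernel command line via `getarg`; every message here begins with a fixed word, so this is style rather than a live bug.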
elif [ -d "$NEWROOT/boot" ]; then
rm -fr -- /boot
warn "HMAC sum mismatch"
return 1
fi
- info "rhevh_check OK"
+ fips_info "rhevh_check OK"
return 0
}
{
FIPSMODULES=$(cat /etc/fipsmodules)
- info "Loading and integrity checking all crypto modules"
+ fips_info "Loading and integrity checking all crypto modules"
mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
for _module in $FIPSMODULES; do
if [ "$_module" != "tcrypt" ]; then
done
mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
- info "Self testing crypto algorithms"
+ fips_info "Self testing crypto algorithms"
modprobe tcrypt || return 1
rmmod tcrypt
}
KERNEL=$(uname -r)
- info "Checking integrity of kernel"
+ fips_info "Checking integrity of kernel"
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
(cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
fi
- info "All initrd crypto checks done"
+ fips_info "All initrd crypto checks done"
> /tmp/fipsdone