From 6aa59dd8ab36b4ad9789996154b0aefc14500e2d Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 26 Mar 2021 10:29:06 +0100
Subject: [PATCH] fix(fips): shellcheck for modules.d/01fips

---
 modules.d/01fips/.shchkdir | 0
 modules.d/01fips/fips-boot.sh | 2 ++
 modules.d/01fips/fips-load-crypto.sh | 6 +++++-
 modules.d/01fips/fips.sh | 27 ++++++++++++++++-----------
 modules.d/01fips/module-setup.sh | 12 ++++++------
 5 files changed, 29 insertions(+), 18 deletions(-)
 create mode 100644 modules.d/01fips/.shchkdir

diff --git a/modules.d/01fips/.shchkdir b/modules.d/01fips/.shchkdir
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh
index 3eaef6751..031d169a6 100755
--- a/modules.d/01fips/fips-boot.sh
+++ b/modules.d/01fips/fips-boot.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
 if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
 rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
 elif [ -z "$fipsmode" ]; then
diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
index 23d48a6a3..21e992785 100644
--- a/modules.d/01fips/fips-load-crypto.sh
+++ b/modules.d/01fips/fips-load-crypto.sh
@@ -1,7 +1,11 @@
 #!/bin/sh
 
-if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
 rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+elif [ -z "$fipsmode" ]; then
+ die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
 else
 . /sbin/fips.sh
 fips_load_crypto || die "FIPS integrity test failed"
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index b4e3db666..d293b224e 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
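Review bot: The message in the new `die` branch of fips-load-crypto.sh is ungrammatical: "FIPS mode have to be enabled by 'fips=1' not just 'fips'" should read `die "FIPS mode has to be enabled by 'fips=1', not just 'fips'"`. The fips-boot.sh hunk shows the same `elif [ -z "$fipsmode" ]` test with its body outside the hunk; if it carries the same text, keep the two messages identical so the console shows one wording whichever hook fires first.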
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
 # systemd lets stdout go to journal only, but the system
 # has to halt when the integrity check fails to satisfy FIPS.
 if [ -z "$DRACUT_SYSTEMD" ]; then
@@ -31,13 +33,13 @@ mount_boot() {
 udevadm trigger --action=add > /dev/null 2>&1
 [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
 i=0
- while ! [ -e $boot ]; do
- if [ $UDEVVERSION -ge 143 ]; then
- udevadm settle --exit-if-exists=$boot
+ while ! [ -e "$boot" ]; do
+ if [ "$UDEVVERSION" -ge 143 ]; then
+ udevadm settle --exit-if-exists="$boot"
 else
 udevadm settle --timeout=30
 fi
- [ -e $boot ] && break
+ [ -e "$boot" ] && break
 sleep 0.5
 i=$((i + 1))
 [ $i -gt 40 ] && break
@@ -50,6 +52,7 @@ mount_boot() {
 fips_info "Mounting $boot as /boot"
 mount -oro "$boot" /boot || return 1
 elif [ -d "$NEWROOT/boot" ]; then
+ # shellcheck disable=SC2114
 rm -fr -- /boot
 ln -sf "$NEWROOT/boot" /boot
 fi
@@ -60,8 +63,8 @@ do_rhevh_check() {
 kpath=${1}
 
 # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
- HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done)
- HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done || return 1)
+ HMAC_SUM_ORIG=$(while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done < "$NEWROOT/boot/.vmlinuz-${KERNEL}.hmac")
+ HMAC_SUM_CALC=$(sha512hmac "$kpath" | while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done || return 1)
 if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
 warn "HMAC sum mismatch"
 return 1
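Review bot: The loop-bound test at the end of the -31 hunk of mount_boot, `[ $i -gt 40 ] && break`, is the one expansion in this loop left unquoted while `$boot` and `$UDEVVERSION` were quoted just above it; `[ "$i" -gt 40 ] && break` keeps the hunk consistent. `$i` is only ever assigned `0` or `$((i + 1))` here, so this is a matter of style rather than a real word-splitting risk, which is presumably why shellcheck did not insist on it. mount_boot begins and ends outside the hunk.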
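Review bot: The new `# shellcheck disable=SC2114` above `rm -fr -- /boot` in mount_boot gives no reason for silencing a warning about deleting a system directory, so the next reader has to rediscover why it is safe. A trailing comment on the directive line makes the suppression reviewable, e.g. `# shellcheck disable=SC2114 # /boot here is the initramfs's own placeholder, replaced by a symlink to $NEWROOT/boot`. The same applies to the `# shellcheck disable=SC2174` added before `mkdir -m 0755 -p "${initdir}/etc/modprobe.d"` in module-setup.sh's installkernel hunk, where the fact worth recording is that `-m` only governs the leaf directory when intermediate ones have to be created.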
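Review bot: The `|| return 1` that the rewritten `HMAC_SUM_CALC=$(sha512hmac "$kpath" | … || return 1)` keeps from the old line runs inside the command substitution's subshell, so it can only end that subshell with status 1; it never returns from do_rhevh_check, and the assignment's status is not examined. Without `pipefail` the pipeline's status is that of the `while` loop, which is 0 after EOF, so an `sha512hmac` failure is in practice caught only by the `[ -z "$HMAC_SUM_CALC" ]` test on the next line. That test already does the job, so either drop the misleading `|| return 1` or move the check outside the substitution where it can actually return; the function's start and end lie outside the hunk.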
@@ -71,13 +74,17 @@ do_rhevh_check() {
 }
 
 nonfatal_modprobe() {
- modprobe $1 2>&1 > /dev/stdout \
+ modprobe "$1" 2>&1 > /dev/stdout \
 | while read -r line || [ -n "$line" ]; do
 echo "${line#modprobe: FATAL: }" >&2
 done
 }
 
 fips_load_crypto() {
+ local _k
+ local _v
+ local _found
+
 FIPSMODULES=$(cat /etc/fipsmodules)
 
 fips_info "Loading and integrity checking all crypto modules"
@@ -87,7 +94,7 @@ fips_load_crypto() {
 if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then
 # check if kernel provides generic algo
 _found=0
- while read _k _s _v || [ -n "$_k" ]; do
+ while read -r _k _ _v || [ -n "$_k" ]; do
 [ "$_k" != "name" -a "$_k" != "driver" ] && continue
 [ "$_v" != "$_module" ] && continue
 _found=1
@@ -105,8 +112,6 @@ fips_load_crypto() {
 }
 
 do_fips() {
- local _v
- local _s
 local _v
 local _module
 
@@ -153,7 +158,7 @@ do_fips() {
 
 fips_info "All initrd crypto checks done"
 
- > /tmp/fipsdone
+ : > /tmp/fipsdone
 
 umount /boot > /dev/null 2>&1
 
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 38485cfb7..75fcc1b67 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -39,11 +39,12 @@ installkernel() {
 _fipsmodules+="aead cryptomgr tcrypt crypto_user "
 fi
 
+ # shellcheck disable=SC2174
 mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
 for _mod in $_fipsmodules; do
- if hostonly='' instmods -c -s $_mod; then
- echo $_mod >> "${initdir}/etc/fipsmodules"
+ if hostonly='' instmods -c -s "$_mod"; then
+ echo "$_mod" >> "${initdir}/etc/fipsmodules"
 echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
 fi
 done
@@ -52,7 +53,7 @@ installkernel() {
 if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then
 _bootfstype=$(find_mp_fstype /boot)
 if [[ -n $_bootfstype ]]; then
- hostonly='' instmods $_bootfstype
+ hostonly='' instmods "$_bootfstype"
 else
 dwarning "Can't determine fs type for /boot, FIPS check may fail."
 fi
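Review bot: The quoted `modprobe "$1" 2>&1 > /dev/stdout \` in nonfatal_modprobe still carries the pre-existing `> /dev/stdout`, which on this line only reopens stdout onto the same pipe that `2>&1` has already pointed stderr at, so both streams end up in the `while read` loop either way. `modprobe "$1" 2>&1 \` says the same thing without the detour and without depending on /dev/stdout being openable inside the initramfs; worth cleaning up while the line is being touched.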
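Review bot: The line right after the rewritten `while read -r _k _ _v` loop head in fips_load_crypto, `[ "$_k" != "name" -a "$_k" != "driver" ] && continue`, still uses the `-a` operator that POSIX marks obsolescent and shellcheck reports as SC2166; `[ "$_k" != "name" ] && [ "$_k" != "driver" ] && continue` is the equivalent form. Since this shellcheck pass already touches the loop, folding it in avoids a second round. fips_load_crypto continues outside the hunk.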
@@ -61,7 +62,6 @@ installkernel() {
 
 # called by dracut
 install() {
- local _dir
 inst_hook pre-mount 01 "$moddir/fips-boot.sh"
 inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
 inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
@@ -70,13 +70,13 @@ install() {
 inst_multiple sha512hmac rmmod insmod mount uname umount
 inst_simple /etc/system-fips
 
- [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \
+ [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
 || {
 dfatal "Cannot create /dev/random"
 dfatal "To create an initramfs with fips support, dracut has to run as root"
 return 1
 }
- [ -c ${initdir}/dev/urandom ] || mknod ${initdir}/dev/urandom c 1 9 \
+ [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
 || {
 dfatal "Cannot create /dev/random"
 dfatal "To create an initramfs with fips support, dracut has to run as root"
--
2.47.3
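Review bot: The failure branch for the urandom node copies the random one's message: after `mknod "${initdir}"/dev/urandom c 1 9 \` the `|| {` block prints `dfatal "Cannot create /dev/random"`, which will mislead whoever debugs a failed urandom creation. Change it to `dfatal "Cannot create /dev/urandom"`. The rest of that block, including its `return 1`, lies past the end of the hunk, so I cannot confirm it mirrors the random branch; install() also continues beyond it.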