[thirdparty/dracut.git] / modules.d / 01fips / module-setup.sh

#!/bin/bash

# called by dracut
check() {
    return 255
}

# called by dracut
depends() {
    return 0
}

# called by dracut
installkernel() {
    local _fipsmodules _mod _bootfstype
    if [[ -f "${srcmods}/modules.fips" ]]; then
        _fipsmodules="$(cat "${srcmods}/modules.fips")"
    else
        _fipsmodules=""

        # Hashes:
        _fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
        _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
        _fipsmodules+="crc32c crct10dif ghash "

        # Ciphers:
        _fipsmodules+="cipher_null des3_ede aes cfb "

        # Modes/templates:
        _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts "

        # Compression algs:
        _fipsmodules+="deflate lzo zlib "

        # PRNG algs:
        _fipsmodules+="ansi_cprng "

        # Misc:
        _fipsmodules+="aead cryptomgr tcrypt crypto_user "
    fi

    mkdir -m 0755 -p "${initdir}/etc/modprobe.d"

    for _mod in $_fipsmodules; do
        if hostonly='' instmods -c -s $_mod; then
            echo $_mod >> "${initdir}/etc/fipsmodules"
            echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
        fi
    done

    # with hostonly_default_device fs module for /boot is not installed by default
    if [[ $hostonly ]] && [[ "$hostonly_default_device" == "no" ]]; then
        _bootfstype=$(find_mp_fstype /boot)
        if [[ -n "$_bootfstype" ]]; then
            hostonly='' instmods $_bootfstype
        else
            dwarning "Can't determine fs type for /boot, FIPS check may fail."
        fi
    fi
}

# called by dracut
install() {
    local _dir
    inst_hook pre-mount 01 "$moddir/fips-boot.sh"
    inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
    inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
    inst_script "$moddir/fips.sh" /sbin/fips.sh

    inst_multiple sha512hmac rmmod insmod mount uname umount

    inst_simple /etc/system-fips
    [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \
        || {
            dfatal "Cannot create /dev/random"
            dfatal "To create an initramfs with fips support, dracut has to run as root"
            return 1
        }
    [ -c ${initdir}/dev/urandom ] || mknod ${initdir}/dev/urandom c 1 9 \
        || {
            dfatal "Cannot create /dev/random"
            dfatal "To create an initramfs with fips support, dracut has to run as root"
            return 1
        }
}
Commit	Line	Data
95d2dabc	1	#!/bin/bash
95d2dabc	2
8bcfd683	3	# called by dracut
95d2dabc HH	4	check() {
	5	return 255
	6	}
	7
8bcfd683	8	# called by dracut
95d2dabc HH	9	depends() {
	10	return 0
	11	}
	12
8bcfd683	13	# called by dracut
95d2dabc	14	installkernel() {
83651776	15	local _fipsmodules _mod _bootfstype
7c29d205 HH	16	if [[ -f "${srcmods}/modules.fips" ]]; then
	17	_fipsmodules="$(cat "${srcmods}/modules.fips")"
	18	else
f4d34357 OM	19	_fipsmodules=""
	20
	21	# Hashes:
cec0d041	22	_fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
f4d34357	23	_fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
cec0d041	24	_fipsmodules+="crc32c crct10dif ghash "
f4d34357 OM	25
f4d34357 OM	26	# Ciphers:
9f96bb4c	27	_fipsmodules+="cipher_null des3_ede aes cfb "
f4d34357 OM	28
f4d34357 OM	29	# Modes/templates:
958ca9e9	30	_fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts "
f4d34357 OM	31
	32	# Compression algs:
	33	_fipsmodules+="deflate lzo zlib "
	34
	35	# PRNG algs:
	36	_fipsmodules+="ansi_cprng "
	37
	38	# Misc:
	39	_fipsmodules+="aead cryptomgr tcrypt crypto_user "
7c29d205	40	fi
95d2dabc	41
d125a470	42	mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
95d2dabc	43
29b10e65	44	for _mod in $_fipsmodules; do
338b43cd	45	if hostonly='' instmods -c -s $_mod; then
29b10e65 HH	46	echo $_mod >> "${initdir}/etc/fipsmodules"
29b10e65 HH	47	echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
95d2dabc HH	48	fi
95d2dabc HH	49	done
83651776 KS	50
	51	# with hostonly_default_device fs module for /boot is not installed by default
	52	if [[ $hostonly ]] && [[ "$hostonly_default_device" == "no" ]]; then
	53	_bootfstype=$(find_mp_fstype /boot)
	54	if [[ -n "$_bootfstype" ]]; then
	55	hostonly='' instmods $_bootfstype
	56	else
	57	dwarning "Can't determine fs type for /boot, FIPS check may fail."
	58	fi
	59	fi
95d2dabc HH	60	}
95d2dabc HH	61
8bcfd683	62	# called by dracut
95d2dabc	63	install() {
29b10e65	64	local _dir
e54ab383	65	inst_hook pre-mount 01 "$moddir/fips-boot.sh"
4257798f	66	inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
b988934a	67	inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
53fe81e7	68	inst_script "$moddir/fips.sh" /sbin/fips.sh
4257798f	69
bca1967c	70	inst_multiple sha512hmac rmmod insmod mount uname umount
95d2dabc	71
185e940e	72	inst_simple /etc/system-fips
1d832b4b HH	73	[ -c ${initdir}/dev/random ] \|\| mknod ${initdir}/dev/random c 1 8 \
	74	\|\| {
	75	dfatal "Cannot create /dev/random"
	76	dfatal "To create an initramfs with fips support, dracut has to run as root"
	77	return 1
	78	}
	79	[ -c ${initdir}/dev/urandom ] \|\| mknod ${initdir}/dev/urandom c 1 9 \
	80	\|\| {
	81	dfatal "Cannot create /dev/random"
	82	dfatal "To create an initramfs with fips support, dracut has to run as root"
	83	return 1
	84	}
95d2dabc	85	}