Commit | Line | Data |
---|---|---|
95d2dabc | 1 | #!/bin/bash |
95d2dabc | 2 | |
8bcfd683 | 3 | # called by dracut |
95d2dabc HH |
check() {
    # Always answer 255. By dracut's module-setup convention that value keeps
    # the module out of default builds; it is pulled in only when requested
    # explicitly or required by another module (confirm against the dracut
    # version in use).
    return 255
}
7 | ||
8bcfd683 | 8 | # called by dracut |
95d2dabc HH |
depends() {
    # Prints nothing and returns success: this module declares no
    # dependencies on other dracut modules.
    return 0
}
12 | ||
8bcfd683 | 13 | # called by dracut |
installkernel() {
    # Install the kernel crypto modules for FIPS mode into the initramfs and
    # record each installed module in two files under ${initdir}:
    #   /etc/fipsmodules            - one module name per line
    #   /etc/modprobe.d/fips.conf   - a "blacklist <module>" line per module
    # NOTE(review): the blacklist presumably keeps the modules from being
    # auto-loaded before the fips hook scripts load them from /etc/fipsmodules;
    # confirm against fips-load-crypto.sh / fips.sh.
    local _fipsmodules _mod _bootfstype

    if [[ ! -f "${srcmods}/modules.fips" ]]; then
        # No module list under ${srcmods}: use the built-in fallback list.
        # Every group ends in a space so the appended groups stay separated.

        # Hashes:
        _fipsmodules="sha1 sha224 sha256 sha384 sha512 "
        _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
        _fipsmodules+="crc32c crct10dif ghash "

        # Ciphers:
        _fipsmodules+="cipher_null des3_ede aes cfb "

        # Modes/templates:
        _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts "

        # Compression algs:
        _fipsmodules+="deflate lzo zlib "

        # PRNG algs:
        _fipsmodules+="ansi_cprng "

        # Misc:
        _fipsmodules+="aead cryptomgr tcrypt crypto_user "
    else
        # A modules.fips file next to the kernel modules takes precedence.
        _fipsmodules="$(cat "${srcmods}/modules.fips")"
    fi

    mkdir -m 0755 -p "${initdir}/etc/modprobe.d"

    # $_fipsmodules is expanded unquoted on purpose: word splitting turns the
    # whitespace-separated list into one loop item per module.
    # NOTE(review): the same unquoted expansion is also subject to pathname
    # expansion, so the list is trusted to hold plain module names.
    for _mod in $_fipsmodules; do
        # hostonly is cleared for this call only; modules instmods reports as
        # not installed are skipped and never recorded.
        hostonly='' instmods -c -s $_mod || continue
        echo $_mod >> "${initdir}/etc/fipsmodules"
        echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
    done

    # with hostonly_default_device fs module for /boot is not installed by default
    if [[ -n $hostonly && $hostonly_default_device == "no" ]]; then
        _bootfstype=$(find_mp_fstype /boot)
        if [[ -z $_bootfstype ]]; then
            dwarning "Can't determine fs type for /boot, FIPS check may fail."
        else
            hostonly='' instmods $_bootfstype
        fi
    fi
}
61 | ||
8bcfd683 | 62 | # called by dracut |
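install() {
    # Install the FIPS hook scripts, the tools they call and the random
    # device nodes into the initramfs tree under ${initdir}.
    # Returns 1 (after logging via dfatal) when a device node cannot be
    # created; mknod needs root, so an unprivileged dracut run fails here.

    # Hook scripts, each registered at priority 01 of its hook point.
    inst_hook pre-mount 01 "$moddir/fips-boot.sh"
    inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
    inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
    inst_script "$moddir/fips.sh" /sbin/fips.sh

    # sha512hmac is presumably what the installed fips scripts use for their
    # integrity checks; the rest are the module and mount tools they call.
    inst_multiple sha512hmac rmmod insmod mount uname umount

    inst_simple /etc/system-fips

    # Character device 1,8 is /dev/random. Paths are quoted so an ${initdir}
    # containing whitespace or glob characters cannot split the arguments.
    if [ ! -c "${initdir}/dev/random" ] \
        && ! mknod "${initdir}/dev/random" c 1 8; then
        dfatal "Cannot create /dev/random"
        dfatal "To create an initramfs with fips support, dracut has to run as root"
        return 1
    fi

    # Character device 1,9 is /dev/urandom. The failure message names the
    # node that actually failed, so the log points at the right device.
    if [ ! -c "${initdir}/dev/urandom" ] \
        && ! mknod "${initdir}/dev/urandom" c 1 9; then
        dfatal "Cannot create /dev/urandom"
        dfatal "To create an initramfs with fips support, dracut has to run as root"
        return 1
    fi
}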