#!/bin/sh
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
# systemd lets stdout go to journal only, but the system
# has to halt when the integrity check fails to satisfy FIPS.
if [ -z "$DRACUT_SYSTEMD" ]; then
udevadm trigger --action=add > /dev/null 2>&1
[ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
i=0
- while ! [ -e $boot ]; do
- if [ $UDEVVERSION -ge 143 ]; then
- udevadm settle --exit-if-exists=$boot
+ while ! [ -e "$boot" ]; do
+ if [ "$UDEVVERSION" -ge 143 ]; then
+ udevadm settle --exit-if-exists="$boot"
else
udevadm settle --timeout=30
fi
- [ -e $boot ] && break
+ [ -e "$boot" ] && break
sleep 0.5
i=$((i + 1))
[ $i -gt 40 ] && break
fips_info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
elif [ -d "$NEWROOT/boot" ]; then
+ # shellcheck disable=SC2114
rm -fr -- /boot
ln -sf "$NEWROOT/boot" /boot
fi
kpath=${1}
# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
- HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done)
- HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done || return 1)
+ HMAC_SUM_ORIG=$(while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done < "$NEWROOT/boot/.vmlinuz-${KERNEL}.hmac")
+ HMAC_SUM_CALC=$(sha512hmac "$kpath" | while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done || return 1)
if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
warn "HMAC sum mismatch"
return 1
}
nonfatal_modprobe() {
- modprobe $1 2>&1 > /dev/stdout \
+ modprobe "$1" 2>&1 > /dev/stdout \
| while read -r line || [ -n "$line" ]; do
echo "${line#modprobe: FATAL: }" >&2
done
}
fips_load_crypto() {
+ local _k
+ local _v
+ local _found
+
FIPSMODULES=$(cat /etc/fipsmodules)
fips_info "Loading and integrity checking all crypto modules"
if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then
# check if kernel provides generic algo
_found=0
- while read _k _s _v || [ -n "$_k" ]; do
+ while read -r _k _ _v || [ -n "$_k" ]; do
[ "$_k" != "name" -a "$_k" != "driver" ] && continue
[ "$_v" != "$_module" ] && continue
_found=1
}
do_fips() {
- local _v
- local _s
local _v
local _module
fips_info "All initrd crypto checks done"
- > /tmp/fipsdone
+ : > /tmp/fipsdone
umount /boot > /dev/null 2>&1
_fipsmodules+="aead cryptomgr tcrypt crypto_user "
fi
+ # shellcheck disable=SC2174
mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
for _mod in $_fipsmodules; do
- if hostonly='' instmods -c -s $_mod; then
- echo $_mod >> "${initdir}/etc/fipsmodules"
+ if hostonly='' instmods -c -s "$_mod"; then
+ echo "$_mod" >> "${initdir}/etc/fipsmodules"
echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
fi
done
if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then
_bootfstype=$(find_mp_fstype /boot)
if [[ -n $_bootfstype ]]; then
- hostonly='' instmods $_bootfstype
+ hostonly='' instmods "$_bootfstype"
else
dwarning "Can't determine fs type for /boot, FIPS check may fail."
fi
# called by dracut
install() {
- local _dir
inst_hook pre-mount 01 "$moddir/fips-boot.sh"
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_multiple sha512hmac rmmod insmod mount uname umount
inst_simple /etc/system-fips
- [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \
+ [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
|| {
dfatal "Cannot create /dev/random"
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
- [ -c ${initdir}/dev/urandom ] || mknod ${initdir}/dev/urandom c 1 9 \
+ [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
|| {
dfatal "Cannot create /dev/random"
dfatal "To create an initramfs with fips support, dracut has to run as root"
projects / thirdparty / dracut.git / commitdiff
