fips: forward port RHEL-6 fips changes
authorHarald Hoyer <harald@redhat.com>
Mon, 2 May 2011 09:15:46 +0000 (11:15 +0200)
committerHarald Hoyer <harald@redhat.com>
Mon, 2 May 2011 09:15:46 +0000 (11:15 +0200)
- also support FIPS on separate LVM partition
- use small settle loop to get /boot
- "set -e" has no effect, if we use "||"
- make fips work with encrypted root and separate boot
- moved to pre-pivot to support /boot in /

modules.d/01fips/fips-boot.sh [new file with mode: 0755]
modules.d/01fips/fips-noboot.sh [new file with mode: 0755]
modules.d/01fips/fips.sh
modules.d/01fips/module-setup.sh

diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh
new file mode 100755 (executable)
index 0000000..a2f64ec
--- /dev/null
@@ -0,0 +1,12 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+    rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+elif getarg boot= >/dev/null; then
+    . /sbin/fips.sh
+    if mount_boot; then
+        do_fips || die "FIPS integrity test failed"
+    fi
+fi
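Review bot: `[ $fipsmode = "0" ]` on the fifth line leaves `$fipsmode` unquoted, so a bare `fips` on the kernel command line (getarg succeeds with an empty value) turns the test into `[ = "0" ]`, a test error whose non-zero status happens to fall through to the `elif`; the identical line appears in fips-noboot.sh. Quote it in both files: `if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then`. The `elif getarg boot= >/dev/null` branch silently skips the check when mount_boot fails, which is presumably intended because fips-noboot.sh repeats it at pre-pivot; a one-line comment would make that contract visible, e.g. `# the boot= device may not exist yet at pre-trigger; fips-noboot.sh retries at pre-pivot`.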
diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh
new file mode 100755 (executable)
index 0000000..8c4ac0b
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+    rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+elif ! [ -f /tmp/fipsdone ]; then
+    . /sbin/fips.sh
+    mount_boot
+    do_fips || die "FIPS integrity test failed"
+fi
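Review bot: `mount_boot` on the ninth line is called without checking its status, so a `boot=` device that never appears or fails to mount falls through to do_fips, which then looks for the .hmac under `$NEWROOT/boot` rather than on the boot partition the command line explicitly named. mount_boot returns 0 when no boot= argument is given (the `if [ -n "$boot" ]` body is simply skipped), so failing closed here costs nothing for the /boot-in-/ case: `mount_boot || die "FIPS: could not mount boot device"`. Keep the current fall-through only if verifying a root-filesystem copy of the .hmac after a failed boot= mount is intended, in which case a comment should say so.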
index da47b27..67eefb8 100755 (executable)
@@ -2,11 +2,12 @@
 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
 # ex: ts=8 sw=4 sts=4 et filetype=sh
 
-do_fipskernel()
+mount_boot()
 {
     boot=$(getarg boot=)
-    KERNEL=$(uname -r)
-    case "$boot" in
+
+    if [ -n "$boot" ]; then
+        case "$boot" in
         LABEL=*)
             boot="$(echo $boot | sed 's,/,\\x2f,g')"
             boot="/dev/disk/by-label/${boot#LABEL=}"
@@ -18,45 +19,52 @@ do_fipskernel()
             ;;
         *)
             die "You have to specify boot=<boot device> as a boot option for fips=1" ;;
-    esac
-
-    if ! [ -e "$boot" ]; then
-        udevadm trigger --action=add >/dev/null 2>&1
-        [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+        esac
 
-        if [ $UDEVVERSION -ge 143 ]; then
-            udevadm settle --exit-if-exists=$boot
-        else
-            udevadm settle --timeout=30
+        if ! [ -e "$boot" ]; then
+            udevadm trigger --action=add >/dev/null 2>&1
+            [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+            i=0
+            while ! [ -e $boot ]; do
+                if [ $UDEVVERSION -ge 143 ]; then
+                    udevadm settle --exit-if-exists=$boot
+                else
+                    udevadm settle --timeout=30
+                fi
+                [ -e $boot ] && break
+                modprobe scsi_wait_scan && rmmod scsi_wait_scan
+                [ -e $boot ] && break
+                sleep 0.5
+                i=$(($i+1))
+                [ $i -gt 40 ] && break
+            done
         fi
-    fi
 
-    [ -e "$boot" ]
+        [ -e "$boot" ] || return 1
 
-    mkdir -m 0755 /boot
-    info "Mounting $boot as /boot"
-    mount -oro "$boot" /boot
+        mkdir /boot
+        info "Mounting $boot as /boot"
+        mount -oro "$boot" /boot || return 1
+    fi
+}
 
+do_fips()
+{
     info "Checking integrity of kernel"
+    newroot=$NEWROOT
+    KERNEL=$(uname -r)
 
-    if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
-        warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
+    [ -e "$newroot/boot/.vmlinuz-${KERNEL}.hmac" ] || unset newroot
+
+    if ! [ -e "$newroot/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+        warn "$newroot/boot/.vmlinuz-${KERNEL}.hmac does not exist"
         return 1
     fi
 
-    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
-
-    info "Umounting /boot"
-    umount /boot
-}
+    sha512hmac -c "$newroot/boot/.vmlinuz-${KERNEL}.hmac" || return 1
 
-do_fips()
-{
     FIPSMODULES=$(cat /etc/fipsmodules)
 
-    if ! getarg rd.fips.skipkernel >/dev/null; then
-       do_fipskernel
-    fi
     info "Loading and integrity checking all crypto modules"
     for module in $FIPSMODULES; do
         if [ "$module" != "tcrypt" ]; then
@@ -66,15 +74,11 @@ do_fips()
     info "Self testing crypto algorithms"
     modprobe tcrypt || return 1
     rmmod tcrypt
-    info "All initrd crypto checks done"  
+    info "All initrd crypto checks done"
+
+    > /tmp/fipsdone
+
+    umount /boot >/dev/null 2>&1
 
     return 0
 }
-
-if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
-    rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
-else
-    set -e
-    do_fips || die "FIPS integrity test failed"
-    set +e
-fi
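Review bot: The new settle loop in mount_boot tests `[ -e $boot ]` three times (the `while` condition and the two `&& break` lines) with `$boot` unquoted, while the surrounding code quotes it; a label or UUID value containing whitespace or glob characters would be word-split before the test. Use `[ -e "$boot" ]` in all three places (the `--exit-if-exists=$boot` argument was already unquoted before this change). A few lines further down `mkdir /boot` replaces `mkdir -m 0755 /boot` and is unchecked; since mount_boot can now run twice (pre-trigger, then again from fips-noboot.sh at pre-pivot) the second call will complain that the directory exists, so `mkdir -p -m 0755 /boot` would be quieter and keep the old mode. mount_boot starts in the previous hunk.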
index 23c550a..10199fe 100755 (executable)
@@ -26,7 +26,10 @@ installkernel() {
 }
 
 install() {
-    inst_hook pre-trigger 01 "$moddir/fips.sh"
+    inst_hook pre-trigger 01 "$moddir/fips-boot.sh"
+    inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
+    inst "$moddir/fips.sh" /sbin/fips.sh
+
     dracut_install sha512hmac rmmod insmod mount uname umount
 
     for dir in "$usrlibdir" "$libdir"; do
@@ -37,5 +40,8 @@ install() {
     done
 
     dracut_install $usrlibdir/hmaccalc/sha512hmac.hmac
+    if command -v prelink >/dev/null; then
+        dracut_install prelink
+    fi
 }
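Review bot: The `command -v prelink` block explains neither why a linker tool belongs in the FIPS initramfs nor why its absence is acceptable; presumably sha512hmac has to undo prelinking before it can verify the prelinked binaries whose `.hmac` file is installed just above, in which case a comment such as `# sha512hmac needs prelink to undo prelinking before hashing prelinked binaries; not every host has it` would save the next reader a trip through hmaccalc. install() starts in the previous hunk.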