From: Harald Hoyer
Date: Mon, 2 May 2011 09:15:46 +0000 (+0200)
Subject: fips: forward port RHEL-6 fips changes
X-Git-Tag: 011~82
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4257798f8ad8570e6918ca9b819ffa254d4316ff;p=platform%2Fupstream%2Fdracut.git
fips: forward port RHEL-6 fips changes
- also support FIPS on separate LVM partition
- use small settle loop to get /boot
- "set -e" has no effect, if we use "||"
- make fips work with encrypted root and seperate boot
- moved to pre-pivot to support /boot in /
---
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh
new file mode 100755
index 0000000..a2f64ec
--- /dev/null
+++ b/modules.d/01fips/fips-boot.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+ rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+elif getarg boot= >/dev/null; then
+ . /sbin/fips.sh
+ if mount_boot; then
+ do_fips || die "FIPS integrity test failed"
+ fi
+fi
diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh
new file mode 100755
index 0000000..8c4ac0b
--- /dev/null
+++ b/modules.d/01fips/fips-noboot.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+ rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+elif ! [ -f /tmp/fipsdone ]; then
+ . /sbin/fips.sh
+ mount_boot
+ do_fips || die "FIPS integrity test failed"
+fi
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index da47b27..67eefb8 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
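Review bot: The first `if` in fips-boot.sh tests `[ $fipsmode = "0" ]` with `$fipsmode` unquoted, so if getarg yields an empty value for a bare `fips` or `fips=` on the command line the test becomes a `[` syntax error and the script only ends up in the FIPS branch because `[` happened to return non-zero. Quote it, `[ "$fipsmode" = "0" ]`, so the fail-closed behaviour is deliberate rather than accidental; the identical line appears in fips-noboot.sh in the next hunk. How getarg reports a value-less `fips` argument is not visible here, so confirm that case against dracut-lib.sh.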
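Review bot: In fips-noboot.sh the `elif` branch calls `mount_boot` and ignores its result, whereas fips-boot.sh only runs do_fips when mount_boot succeeded, so a `boot=` device that never appears is passed over silently and do_fips goes on to verify whatever is under $NEWROOT/boot. That still fails closed when nothing is there, but the deferred failure is undiagnosable; `mount_boot || warn "boot= device not found, checking $NEWROOT/boot instead"` would make it visible. A header comment should also state the ordering consequence of this hook: it runs at pre-pivot, after the root filesystem (and with an encrypted root presumably dm-crypt) has been set up, so the crypto-module integrity check and tcrypt self-tests no longer precede first use of those algorithms in the initramfs — whether that is acceptable for the FIPS claim deserves an explicit note here.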
@@ -2,11 +2,12 @@
 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
 # ex: ts=8 sw=4 sts=4 et filetype=sh
 
-do_fipskernel()
+mount_boot()
 {
 boot=$(getarg boot=)
- KERNEL=$(uname -r)
- case "$boot" in
+
+ if [ -n "$boot" ]; then
+ case "$boot" in
 LABEL=*)
 boot="$(echo $boot | sed 's,/,\\x2f,g')"
 boot="/dev/disk/by-label/${boot#LABEL=}"
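Review bot: The new `if [ -n "$boot" ]; then` guard makes `mount_boot` return success without mounting anything when `boot=` is absent, which a caller cannot distinguish from a successful mount, and the renamed function has no header saying so. Add one above `mount_boot()`, e.g. `# mount_boot: mount the boot= device read-only on /boot. Returns 0 if boot= is unset (nothing to do) or the mount succeeded, 1 if the device did not appear or the mount failed.` — the two `return 1` paths are in the next hunk. The function body continues past the end of this hunk.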
@@ -18,45 +19,52 @@ do_fipskernel()
 ;;
 *) die "You have to specify boot= as a boot option for fips=1" ;;
- esac
-
- if ! [ -e "$boot" ]; then
- udevadm trigger --action=add >/dev/null 2>&1
- [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+ esac
 
- if [ $UDEVVERSION -ge 143 ]; then
- udevadm settle --exit-if-exists=$boot
- else
- udevadm settle --timeout=30
+ if ! [ -e "$boot" ]; then
+ udevadm trigger --action=add >/dev/null 2>&1
+ [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+ i=0
+ while ! [ -e $boot ]; do
+ if [ $UDEVVERSION -ge 143 ]; then
+ udevadm settle --exit-if-exists=$boot
+ else
+ udevadm settle --timeout=30
+ fi
+ [ -e $boot ] && break
+ modprobe scsi_wait_scan && rmmod scsi_wait_scan
+ [ -e $boot ] && break
+ sleep 0.5
+ i=$(($i+1))
+ [ $i -gt 40 ] && break
+ done
 fi
- fi
- [ -e "$boot" ]
+ [ -e "$boot" ] || return 1
 
- mkdir -m 0755 /boot
- info "Mounting $boot as /boot"
- mount -oro "$boot" /boot
+ mkdir /boot
+ info "Mounting $boot as /boot"
+ mount -oro "$boot" /boot || return 1
+ fi
+}
+do_fips()
+{
 info "Checking integrity of kernel"
+ newroot=$NEWROOT
+ KERNEL=$(uname -r)
 
- if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
- warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
+ [ -e "$newroot/boot/.vmlinuz-${KERNEL}.hmac" ] || unset newroot
+
+ if ! [ -e "$newroot/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+ warn "$newroot/boot/.vmlinuz-${KERNEL}.hmac does not exist"
 return 1
 fi
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
-
- info "Umounting /boot"
- umount /boot
-}
+ sha512hmac -c "$newroot/boot/.vmlinuz-${KERNEL}.hmac" || return 1
 
-do_fips()
-{
 FIPSMODULES=$(cat /etc/fipsmodules)
- if ! getarg rd.fips.skipkernel >/dev/null; then
- do_fipskernel
- fi
 info "Loading and integrity checking all crypto modules"
 for module in $FIPSMODULES; do
 if [ "$module" != "tcrypt" ]; then
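Review bot: In the new `do_fips`, `newroot=$NEWROOT` is tried first and `/boot` — the device `mount_boot` just mounted from `boot=` — only as a fallback, so when a stale or unrelated `.vmlinuz-${KERNEL}.hmac` plus vmlinuz also exist under `$NEWROOT/boot` (typical when /boot became a separate partition after install), the HMAC is verified against that copy instead of the kernel the bootloader actually loaded. Invert the preference so the mounted boot= device wins and the root is used only when it is not there: `newroot=` followed by `[ -e "/boot/.vmlinuz-${KERNEL}.hmac" ] || newroot=$NEWROOT`. Separately, the new settle loop tests `[ -e $boot ]` unquoted in three places while the rest of the function quotes `"$boot"`; quote them for consistency. It is also worth confirming how `sha512hmac -c` resolves the file name recorded inside the .hmac — if the kernel packaging records an absolute `/boot/vmlinuz-…` path, it will not be redirected under `$newroot` and the $NEWROOT/boot case cannot pass.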
@@ -66,15 +74,11 @@ do_fips()
 info "Self testing crypto algorithms"
 modprobe tcrypt || return 1
 rmmod tcrypt
- info "All initrd crypto checks done"
+ info "All initrd crypto checks done"
+
+ > /tmp/fipsdone
+
+ umount /boot >/dev/null 2>&1
 return 0
 }
-
-if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
- rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
-else
- set -e
- do_fips || die "FIPS integrity test failed"
- set +e
-fi
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 23c550a..10199fe 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -26,7 +26,10 @@ installkernel() {
 }
 install() {
- inst_hook pre-trigger 01 "$moddir/fips.sh"
+ inst_hook pre-trigger 01 "$moddir/fips-boot.sh"
+ inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
+ inst "$moddir/fips.sh" /sbin/fips.sh
+
 dracut_install sha512hmac rmmod insmod mount uname umount
 for dir in "$usrlibdir" "$libdir"; do
@@ -37,5 +40,8 @@ install() {
 done
 dracut_install $usrlibdir/hmaccalc/sha512hmac.hmac
+ if command -v prelink >/dev/null; then
+ dracut_install prelink
+ fi
 }
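Review bot: The new `> /tmp/fipsdone` line carries no comment, yet it is load-bearing: the pre-pivot hook fips-noboot.sh tests `! [ -f /tmp/fipsdone ]` and skips the whole integrity check when the file exists, which a reader of fips.sh alone cannot know. Add `# success marker: the pre-pivot hook (fips-noboot.sh) skips the checks when this exists` above it. The function header (outside this hunk) should also say that do_fips returns 1 from several earlier points without unmounting /boot; that is only harmless because both callers `die` on a non-zero return.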
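Review bot: The new `dracut_install prelink` block in module-setup.sh does not say why prelink belongs in a FIPS initramfs, and nothing in this patch calls it — presumably sha512hmac needs it to reconstruct the original, un-prelinked bytes of shared libraries before hashing, but that should be stated: `# prelink lets the hmac check undo prelinking before hashing libraries` (confirm against what fips.sh actually invokes). Note also that `command -v prelink` probes the build host's PATH, not the image being assembled, which is the usual dracut convention but means a host without prelink silently produces an initramfs whose library checks may fail on a prelinked target.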