From 03d8ec26017effea8afd111f1ef5dc2c25142b74 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 12 Nov 2009 14:58:27 +0100
Subject: [PATCH] add module fips
---
modules.d/01fips/fips.sh | 69 ++++++++++++++++++++++++++++++++++++++++++
modules.d/01fips/install | 14 +++++++++
modules.d/01fips/installkernel | 14 +++++++++
3 files changed, 97 insertions(+)
create mode 100755 modules.d/01fips/fips.sh
create mode 100755 modules.d/01fips/install
create mode 100755 modules.d/01fips/installkernel
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
new file mode 100755
index 0000000..ac385f8
--- /dev/null
+++ b/modules.d/01fips/fips.sh
@@ -0,0 +1,69 @@
+do_fips()
+{
+ FIPSMODULES=$(cat /etc/fipsmodules)
+ BOOT=$(getarg boot=)
+ KERNEL=$(uname -r)
+ udevadm trigger >/dev/null 2>&1
+ case "$boot" in
+ block:LABEL=*|LABEL=*)
+ boot="${boot#block:}"
+ boot="$(echo $boot | sed 's,/,\\x2f,g')"
+ boot="/dev/disk/by-label/${boot#LABEL=}"
+ bootok=1 ;;
+ block:UUID=*|UUID=*)
+ boot="${boot#block:}"
+ boot="/dev/disk/by-uuid/${root#UUID=}"
+ bootok=1 ;;
+ /dev/*)
+ bootok=1 ;;
+ esac
+
+ [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+
+ if [ $UDEVVERSION -ge 143 ]; then
+ udevadm settle --exit-if-exists=$boot
+ else
+ udevadm settle --timeout=30
+ fi
+
+ [ -e "$boot" ]
+
+ mkdir /boot
+ info "Mounting $boot as /boot"
+ mount -oro "$boot" /boot
+
+ info "Checking integrity of kernel"
+
+ if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+ warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
+ return 1
+ fi
+
+ sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+
+ info "Umounting /boot"
+ umount /boot
+
+ info "Loading and integrity checking all crypto modules"
+ for module in $FIPSMODULES; do
+ if [ "$module" != "tcrypt" ]; then
+ modprobe ${module} || return 1
+ fi
+ done
+ info "Self testing crypto algorithms"
+ modprobe tcrypt noexit=1 || return 1
+ rmmod tcrypt
+ info "All initrd crypto checks done"
+
+ return 0
+}
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode == "0" ]; then
+ rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+else
+ set -e
+ do_fips || die "FIPS integrity test failed"
+ set +e
+fi
+
+# vim:ts=8:sw=4:sts=4:et
diff --git a/modules.d/01fips/install b/modules.d/01fips/install
new file mode 100755
index 0000000..5fa35dd
--- /dev/null
+++ b/modules.d/01fips/install
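Review bot: The device the kernel HMAC is read from is never resolved: `BOOT=$(getarg boot=)` stores the argument in uppercase `BOOT`, while `case "$boot" in`, `udevadm settle --exit-if-exists=$boot` and `mount -oro "$boot" /boot` all read lowercase `boot`, so `$boot` is empty whatever was passed and none of the case arms match; once that is fixed, the UUID arm still strips the prefix from `$root` (`${root#UUID=}`) instead of `$boot`. The fix is `boot=$(getarg boot=)` and `boot="/dev/disk/by-uuid/${boot#UUID=}"`. Also, `set -e` is not in effect inside `do_fips` when it is invoked as `do_fips || die ...` (the shell ignores -e for every command of an AND-OR list except the last), so the bare `[ -e "$boot" ]`, `mkdir /boot` and `mount` lines discard their status and `bootok` is never checked; `[ -e "$boot" ] || return 1` and `mount -oro "$boot" /boot || return 1` make the failure explicit instead of relying on the later missing-`.hmac` check to catch it. Finally, `.vmlinuz-${KERNEL}.hmac` is read from the same unverified filesystem as the kernel it vouches for, which is adequate for a FIPS power-up integrity test but deserves a comment such as `# Integrity check only: the .hmac lives beside the kernel, so a kernel and .hmac replaced together are not detected here.`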
@@ -0,0 +1,14 @@
+inst_hook pre-trigger 01 "$moddir/fips.sh"
+dracut_install sha512hmac rmmod insmod mount uname
+
+libdir="lib"
+if ldd $(find_binary sha512hmac) |grep -q /lib64/libc; then
+ libdir="lib64"
+fi
+
+dracut_install \
+ /usr/$libdir/libsoftokn3.so /usr/$libdir/libsoftokn3.chk \
+ /usr/$libdir/libfreebl3.so /usr/$libdir/libfreebl3.chk \
+ /usr/$libdir/hmaccalc/sha512hmac.hmac
+
+# vim:ts=8:sw=4:sts=4:et
diff --git a/modules.d/01fips/installkernel b/modules.d/01fips/installkernel
new file mode 100755
index 0000000..ccdf17f
--- /dev/null
+++ b/modules.d/01fips/installkernel
@@ -0,0 +1,14 @@
+FIPSMODULES="aead aes_generic aes-x86_64 ansi_cprng cbc ccm chainiv ctr"
+FIPSMODULES="$FIPSMODULES des deflate ecb eseqiv hmac seqiv sha256 sha512"
+FIPSMODULES="$FIPSMODULES cryptomgr crypto_null tcrypt"
+
+mkdir -p "${initdir}/etc/modprobe.d"
+
+for mod in $FIPSMODULES; do
+ if instmods $mod; then
+ echo $mod >> "${initdir}/etc/fipsmodules"
+ echo "blacklist $mod" >> "${initdir}/etc/modprobe.d/fips.conf"
+ fi
+done
+
+# vim:ts=8:sw=4:sts=4:et
--
2.7.4
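Review bot: The lib64 probe on the `if ldd $(find_binary sha512hmac) |grep -q /lib64/libc` line fails silently: if `find_binary` returns nothing, `ldd` errors out, `libdir` stays `lib`, and the `libsoftokn3.chk`, `libfreebl3.chk` and `sha512hmac.hmac` files that the boot-time HMAC verification depends on are quietly omitted, so the defect only surfaces at boot as "FIPS integrity test failed". Capture the lookup first and abort the image build when it is empty, e.g. `bin=$(find_binary sha512hmac)` followed by `[ -n "$bin" ] || return 1` (using whatever failure convention the dracut module install scripts follow), then run `ldd "$bin"`. The `dracut_install sha512hmac rmmod insmod mount uname` list also omits `modprobe`, `udevadm`, `umount`, `sed` and `cat`, all of which fips.sh calls; presumably the base modules provide them, but a one-line comment saying so would spare the next reader from checking.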
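Review bot: The `if instmods $mod; then` branch silently drops any module that is not found on the build host, so `/etc/fipsmodules` — the set fips.sh loads and self-tests at boot — is defined by what happened to install rather than by a required set, and a missing `sha512` or `hmac` would go unnoticed until a FIPS boot runs without it. Adding an `else` that reports the omission, e.g. `echo "fips: crypto module $mod not available, not added to fipsmodules" >&2`, makes the degraded list visible at image-build time; the `aes-x86_64` entry is expected to be absent on other architectures, so a warning rather than a hard failure is the right level. The unquoted `$mod` in `echo $mod >>` is harmless here because the names come from the literal list above, but `printf '%s\n' "$mod"` is the safer idiom if the list ever becomes configurable.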