From 6f4c2dada400f455cf7ee0afcd6bf41974c712d4 Mon Sep 17 00:00:00 2001

From: Harald Hoyer <harald@redhat.com>

Date: Thu, 25 Apr 2013 19:44:01 +0200

Subject: [PATCH] fixed fips mode

- preserve timestamps

- copy /lib*/hmaccalc files

- run sha512hmac after kernel module loading

- add more fips kernel modules

---

 dracut.sh                        |  2 ++

 install/dracut-install.c         | 10 +++++++++-

 modules.d/01fips/fips.sh         |  7 ++++---

 modules.d/01fips/module-setup.sh |  8 +++++---

 modules.d/99base/dracut-lib.sh   |  2 +-

 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/dracut.sh b/dracut.sh

index 586172c..82b4a5f 100755

--- a/dracut.sh

+++ b/dracut.sh

@@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then

             -executable -not -path '*/lib/modules/*.ko' -print0 \

             | while read -r -d $'\0' f; do

             if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \

+                && ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \

+                && ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \

                 && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \

                 && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then

                 echo -n "$f"; echo -n -e "\000"

diff --git a/install/dracut-install.c b/install/dracut-install.c

index 2d0412c..2fad6df 100644

--- a/install/dracut-install.c

+++ b/install/dracut-install.c

@@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)

                 ret = clone_file(dest_desc, source_desc);

                 close(source_desc);

                 if (ret == 0) {

+                        struct timeval tv[2];

                         if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)

                                 fchown(dest_desc, -1, sb.st_gid);

+                        tv[0].tv_sec = sb.st_atime;

+                        tv[0].tv_usec = 0;

+                        tv[1].tv_sec = sb.st_mtime;

+                        tv[1].tv_usec = 0;

+                        futimes(dest_desc, tv);

                         close(dest_desc);

                         return ret;

                 }

@@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)

  normal_copy:

         pid = fork();

         if (pid == 0) {

-                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);

+                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);

                 _exit(EXIT_FAILURE);

         }

@@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)

 	if (!hmacpath) {

                 hmac_install(src, dst, "/lib/fipscheck");

                 hmac_install(src, dst, "/lib64/fipscheck");

+                hmac_install(src, dst, "/lib/hmaccalc");

+                hmac_install(src, dst, "/lib64/hmaccalc");

         }

         srcpath[dlen] = '\0';

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh

index 48ad0e6..ce3e49c 100755

--- a/modules.d/01fips/fips.sh

+++ b/modules.d/01fips/fips.sh

@@ -51,7 +51,6 @@ mount_boot()

 do_fips()

 {

-    info "Checking integrity of kernel"

     KERNEL=$(uname -r)

     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then

@@ -59,8 +58,6 @@ do_fips()

         return 1

     fi

-    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1

-

     FIPSMODULES=$(cat /etc/fipsmodules)

     info "Loading and integrity checking all crypto modules"

@@ -72,6 +69,10 @@ do_fips()

     info "Self testing crypto algorithms"

     modprobe tcrypt || return 1

     rmmod tcrypt

+

+    info "Checking integrity of kernel"

+    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1

+

     info "All initrd crypto checks done"

     > /tmp/fipsdone

diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh

index 8953132..a7f5be8 100755

--- a/modules.d/01fips/module-setup.sh

+++ b/modules.d/01fips/module-setup.sh

@@ -12,9 +12,11 @@ depends() {

 installkernel() {

     local _fipsmodules _mod

-    _fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"

-    _fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"

-    _fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"

+    _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "

+    _fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "

+    _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "

+    _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "

+    _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"

     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"

diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh

index ae79a82..9bd25f4 100755

--- a/modules.d/99base/dracut-lib.sh

+++ b/modules.d/99base/dracut-lib.sh

@@ -384,7 +384,7 @@ die() {

         echo "warn dracut: FATAL: \"$*\"";

         echo "warn dracut: Refusing to continue";

     } >> $hookdir/emergency/01-die.sh

-

+    [ -d /run/initramfs ] || mkdir -p /run/initramfs

     > /run/initramfs/.die

     emergency_shell

     exit 1