|
 |
e83cdd |
From 9c54932f590fd7accadc780c6ee946a94286b7e6 Mon Sep 17 00:00:00 2001
|
|
|
e83cdd |
From: Lukas Nykryn <lnykryn@redhat.com>
|
|
|
e83cdd |
Date: Tue, 14 May 2019 09:23:55 +0200
|
|
|
e83cdd |
Subject: [PATCH] fips: split loading the crypto modules and checking the
|
|
|
e83cdd |
kernel
|
|
|
e83cdd |
|
|
|
e83cdd |
In e54ab383 we moved the fips script to a later pahse of boot, since
|
|
|
e83cdd |
the /boot might not be available early on.
|
|
|
e83cdd |
|
|
|
e83cdd |
The problem is that systemd-cryptsetup* services could be run now
|
|
|
e83cdd |
started before the do_fips is executed and need the crypto modules
|
|
|
e83cdd |
to decrypted the devices.
|
|
|
e83cdd |
|
|
|
e83cdd |
So let's split the do_fips and load the module before udev does the
|
|
|
e83cdd |
trigger.
|
|
|
e83cdd |
---
|
|
|
e83cdd |
modules.d/01fips/fips-load-crypto.sh | 8 ++++++++
|
|
|
e83cdd |
modules.d/01fips/fips.sh | 19 +++++++++++--------
|
|
|
e83cdd |
modules.d/01fips/module-setup.sh | 1 +
|
|
|
e83cdd |
3 files changed, 20 insertions(+), 8 deletions(-)
|
|
|
e83cdd |
|
|
|
e83cdd |
diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
|
|
|
e83cdd |
new file mode 100644
|
|
|
e83cdd |
index 00000000..82cbeee4
|
|
|
e83cdd |
--- /dev/null
|
|
|
e83cdd |
+++ b/modules.d/01fips/fips-load-crypto.sh
|
|
|
e83cdd |
@@ -0,0 +1,8 @@
|
|
|
e83cdd |
+#!/bin/sh
|
|
|
e83cdd |
+
|
|
|
e83cdd |
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
|
|
|
e83cdd |
+ rm -f -- /etc/modprobe.d/fips.conf >/dev/null 2>&1
|
|
|
e83cdd |
+else
|
|
|
e83cdd |
+ . /sbin/fips.sh
|
|
|
e83cdd |
+ fips_load_crypto || die "FIPS integrity test failed"
|
|
|
e83cdd |
+fi
|
|
|
e83cdd |
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
|
|
|
e83cdd |
index 9bc089f2..beaa692b 100755
|
|
|
e83cdd |
--- a/modules.d/01fips/fips.sh
|
|
|
e83cdd |
+++ b/modules.d/01fips/fips.sh
|
|
|
e83cdd |
@@ -69,15 +69,8 @@ do_rhevh_check()
|
|
|
e83cdd |
return 0
|
|
|
e83cdd |
}
|
|
|
e83cdd |
|
|
|
e83cdd |
-do_fips()
|
|
|
e83cdd |
+fips_load_crypto()
|
|
|
e83cdd |
{
|
|
|
e83cdd |
- local _v
|
|
|
e83cdd |
- local _s
|
|
|
e83cdd |
- local _v
|
|
|
e83cdd |
- local _module
|
|
|
e83cdd |
-
|
|
|
e83cdd |
- KERNEL=$(uname -r)
|
|
|
e83cdd |
-
|
|
|
e83cdd |
FIPSMODULES=$(cat /etc/fipsmodules)
|
|
|
e83cdd |
|
|
|
e83cdd |
info "Loading and integrity checking all crypto modules"
|
|
|
e83cdd |
@@ -102,6 +95,16 @@ do_fips()
|
|
|
e83cdd |
info "Self testing crypto algorithms"
|
|
|
e83cdd |
modprobe tcrypt || return 1
|
|
|
e83cdd |
rmmod tcrypt
|
|
|
e83cdd |
+}
|
|
|
e83cdd |
+
|
|
|
e83cdd |
+do_fips()
|
|
|
e83cdd |
+{
|
|
|
e83cdd |
+ local _v
|
|
|
e83cdd |
+ local _s
|
|
|
e83cdd |
+ local _v
|
|
|
e83cdd |
+ local _module
|
|
|
e83cdd |
+
|
|
|
e83cdd |
+ KERNEL=$(uname -r)
|
|
|
e83cdd |
|
|
|
e83cdd |
info "Checking integrity of kernel"
|
|
|
e83cdd |
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
|
|
|
e83cdd |
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
|
|
|
e83cdd |
index f3af4d90..18186d62 100755
|
|
|
e83cdd |
--- a/modules.d/01fips/module-setup.sh
|
|
|
e83cdd |
+++ b/modules.d/01fips/module-setup.sh
|
|
|
e83cdd |
@@ -54,6 +54,7 @@ install() {
|
|
|
e83cdd |
local _dir
|
|
|
e83cdd |
inst_hook pre-trigger 01 "$moddir/fips-boot.sh"
|
|
|
e83cdd |
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
|
|
|
e83cdd |
+ inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
|
|
|
e83cdd |
inst_script "$moddir/fips.sh" /sbin/fips.sh
|
|
|
e83cdd |
|
|
|
e83cdd |
inst_multiple sha512hmac rmmod insmod mount uname umount
|
|
|
e83cdd |
|