From 6f4c2dada400f455cf7ee0afcd6bf41974c712d4 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 25 Apr 2013 19:44:01 +0200
Subject: [PATCH] fixed fips mode

- preserve timestamps
- copy /lib*/hmaccalc files
- run sha512hmac after kernel module loading
- add more fips kernel modules
---
 dracut.sh | 2 ++
 install/dracut-install.c | 10 +++++++++-
 modules.d/01fips/fips.sh | 7 ++++---
 modules.d/01fips/module-setup.sh | 8 +++++---
 modules.d/99base/dracut-lib.sh | 2 +-
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/dracut.sh b/dracut.sh
index 586172c..82b4a5f 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then
 -executable -not -path '*/lib/modules/*.ko' -print0 \
 | while read -r -d $'\0' f; do
 if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
+ && ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \
+ && ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \
 && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
 && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
 echo -n "$f"; echo -n -e "\000"
diff --git a/install/dracut-install.c b/install/dracut-install.c
index 2d0412c..2fad6df 100644
--- a/install/dracut-install.c
+++ b/install/dracut-install.c
@@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)
 ret = clone_file(dest_desc, source_desc);
 close(source_desc);
 if (ret == 0) {
+ struct timeval tv[2];
 if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)
 fchown(dest_desc, -1, sb.st_gid);
+ tv[0].tv_sec = sb.st_atime;
+ tv[0].tv_usec = 0;
+ tv[1].tv_sec = sb.st_mtime;
+ tv[1].tv_usec = 0;
+ futimes(dest_desc, tv);
 close(dest_desc);
 return ret;
 }
@@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)
 normal_copy:
 pid = fork();
 if (pid == 0) {
- execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);
+ execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);
 _exit(EXIT_FAILURE);
 }
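Review bot: The directories searched for a `.hmac` file are now hard-coded in two places — this strip-exclusion test and the hmac_install() calls in install/dracut-install.c — and nothing ties the two lists together; if one grows without the other, a binary is either stripped in the initramfs after its .hmac was computed on the unstripped file, or its .hmac is never copied in, and the failure only shows up as a boot-time FIPS integrity error that is hard to trace back to this loop. A comment on the `if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \` line would prevent that, e.g. `# keep this directory list in sync with hmac_install() in install/dracut-install.c`. The match is on the basename only (`${f##*/}`), so a .hmac for an unrelated file with the same name also suppresses stripping; that looks harmless but is worth stating. The `if [[ $do_strip = yes ]]` block and the find|while loop start before this hunk and the loop body continues past it.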
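Review bot: The result of `futimes(dest_desc, tv);` is discarded, and setting `tv_usec = 0` drops the sub-second part of the source timestamps even though `sb` presumably still carries it. `futimens` is the POSIX.1-2008 replacement and takes the stat fields directly: `struct timespec ts[2] = { sb.st_atim, sb.st_mtim };` followed by `if (futimens(dest_desc, ts) != 0)` with at least a log line on the error path. If I remember GNU cp correctly, the `cp --preserve=mode,timestamps` fallback in the next hunk does fail the copy when it cannot set the times, so the reflink path and the fallback path currently disagree on whether a lost timestamp is an error. Whether `<sys/time.h>` (needed for `struct timeval` and `futimes`) is already included is not visible here, and the enclosing cp() starts before this hunk.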
@@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)
 if (!hmacpath) {
 hmac_install(src, dst, "/lib/fipscheck");
 hmac_install(src, dst, "/lib64/fipscheck");
+ hmac_install(src, dst, "/lib/hmaccalc");
+ hmac_install(src, dst, "/lib64/hmaccalc");
 }
 srcpath[dlen] = '\0';
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 48ad0e6..ce3e49c 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -51,7 +51,6 @@ mount_boot()
 do_fips()
 {
- info "Checking integrity of kernel"
 KERNEL=$(uname -r)
 if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
@@ -59,8 +58,6 @@ do_fips()
 return 1
 fi
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
-
 FIPSMODULES=$(cat /etc/fipsmodules)
 info "Loading and integrity checking all crypto modules"
@@ -72,6 +69,10 @@ do_fips()
 info "Self testing crypto algorithms"
 modprobe tcrypt || return 1
 rmmod tcrypt
+
+ info "Checking integrity of kernel"
+ sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+
 info "All initrd crypto checks done"
 > /tmp/fipsdone
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 8953132..a7f5be8 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
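Review bot: The two new `hmac_install(src, dst, "/lib/hmaccalc")` / `"/lib64/hmaccalc"` calls copy the existing pattern of discarding the return value, so if the recursive call reports that copying a .hmac failed (I/O error, ENOSPC), the binary still lands in the initramfs without its checksum and the problem only surfaces as a FIPS failure at boot. I cannot see hmac_install's return convention or what happens after `srcpath[dlen] = '\0';`, which is outside this hunk, but if it does signal failure through its return value, at least logging it here — or collecting it with `ret |= hmac_install(...)` if a status variable exists in scope — would make the build fail loudly instead of the boot. A one-line comment stating that a missing .hmac in all four directories is intentional and not an error would also help, since the four calls read as if each were expected to succeed.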
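Review bot: The kernel-image check `sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1` now runs only after every module from /etc/fipsmodules has been loaded and tcrypt has passed, but the script does not say why; the commit message merely states that sha512hmac has to run after module loading, so a later reader is likely to move it back to the top of do_fips() where it sat before this patch. A comment above the new `info "Checking integrity of kernel"` line, e.g. `# keep this after the module loop: sha512hmac must not run before the crypto modules are loaded`, would pin the ordering — presumably the tool depends on the kernel crypto just loaded, but that reason should be confirmed and written down rather than inferred. Note the existence test for the .hmac file in the first hunk still runs at the top, so a missing file fails early while a corrupted kernel is only detected at the end; `rmmod tcrypt` keeps ignoring its result as before. do_fips() continues past `> /tmp/fipsdone`.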
@@ -12,9 +12,11 @@ depends() {
 installkernel() {
 local _fipsmodules _mod
- _fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"
- _fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"
- _fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"
+ _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
+ _fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
+ _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
+ _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
+ _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
 mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
index ae79a82..9bd25f4 100755
--- a/modules.d/99base/dracut-lib.sh
+++ b/modules.d/99base/dracut-lib.sh
@@ -384,7 +384,7 @@ die() {
 echo "warn dracut: FATAL: \"$*\"";
 echo "warn dracut: Refusing to continue";
 } >> $hookdir/emergency/01-die.sh
-
+ [ -d /run/initramfs ] || mkdir -p /run/initramfs
 > /run/initramfs/.die
 emergency_shell
 exit 1
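Review bot: Several entries in the new `_fipsmodules` list are not module file names but algorithm names served by another module (`sha224` by sha256_generic, `wp256`/`wp384` by wp512, `tnepres` by serpent, `xeta`/`xtea` by tea, if I recall the kernel's module aliases correctly, and `rot13`, which I cannot map to any kernel crypto module), and a large part of the list (arc4, blowfish, md4, md5, tea, khazad, fcrypt, salsa20, rmd*, ...) is not FIPS-approved. Whether that matters depends on the loop in fips.sh that consumes /etc/fipsmodules, which is not in this diff: if it still treats a failed `modprobe "$module"` as fatal, a name that resolves to neither a module nor an alias on the target kernel turns into a refused boot, and a FIPS-mode kernel will refuse to mark the non-approved algorithms as tested in any case. If the intent is to hand tcrypt every algorithm it can exercise, say so above the assignment, e.g. `# deliberately wider than the approved set: tcrypt's self-tests need these loaded`, so the next person does not prune the list; otherwise trimming it to approved algorithms and real module names looks safer. installkernel() continues past the `mkdir` line.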
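Review bot: `[ -d /run/initramfs ] || mkdir -p /run/initramfs` tests the directory twice — `mkdir -p` already succeeds silently when it exists — so `mkdir -p /run/initramfs` alone is equivalent and reads more plainly. The mkdir result is still unchecked, so when it fails the `> /run/initramfs/.die` on the next line fails exactly as it did before this change; inside die() that is probably acceptable, but `mkdir -p /run/initramfs 2>/dev/null` would at least keep a spurious error from landing on the console right before the emergency shell. die() starts before this hunk.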