From e096d861ed8d5956152aa0ba48ca17fb2de6efe0 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Mon, 6 Jul 2020 16:36:42 +0200
Subject: [PATCH] 01fips: turn info calls into fips_info calls
systemd lets stdout go to journal only. Usually, this is desired
behavior to ensure that plymouth does not get disrupted.
However in the 01fips case, the system has to halt when the integrity
check fails to satisfy FIPS requirements. So the user will not be able
to inspect the journal.
As this is special to the fips module, we introduce a fips_info() which
works like info(), but diverts the output to stderr when running with
systemd.
Reference: bsc#1164076
---
 modules.d/01fips/fips.sh | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 37cde0c0..f46da5c6 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -1,5 +1,17 @@
 #!/bin/sh
 
+# systemd lets stdout go to journal only, but the system
+# has to halt when the integrity check fails to satisfy FIPS.
+if [ -z "$DRACUT_SYSTEMD" ]; then
+    fips_info() {
+        info "$*"
+    }
+else
+    fips_info() {
+        echo "$*" >&2
+    }
+fi
+
 mount_boot()
 {
     boot=$(getarg boot=)
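Review bot: In the systemd branch of the new fips_info() the message is written only to stderr and no longer passes through info(), so if info() is what feeds the journal or kmsg, the persistent boot log loses the record of which FIPS integrity checks ran before a halt; the stated goal is only to make the messages visible on the console, not to drop them from the log. Consider emitting on both channels, `info "$*"` followed by `printf '%s\n' "$*" >&2`. printf is also preferable to `echo "$*"` because one of the converted messages interpolates `$boot` taken from the kernel command line, and echo in dash-style shells interprets backslash escapes and a leading `-n`/`-e` in its argument. The mount_boot() body that this hunk opens continues outside the hunk.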
@@ -45,7 +57,7 @@ mount_boot()
         [ -e "$boot" ] || return 1
 
         mkdir /boot
-        info "Mounting $boot as /boot"
+        fips_info "Mounting $boot as /boot"
         mount -oro "$boot" /boot || return 1
     elif [ -d "$NEWROOT/boot" ]; then
         rm -fr -- /boot
@@ -65,7 +77,7 @@ do_rhevh_check()
         warn "HMAC sum mismatch"
         return 1
     fi
-    info "rhevh_check OK"
+    fips_info "rhevh_check OK"
     return 0
 }
 
@@ -81,7 +93,7 @@ fips_load_crypto()
 {
     FIPSMODULES=$(cat /etc/fipsmodules)
 
-    info "Loading and integrity checking all crypto modules"
+    fips_info "Loading and integrity checking all crypto modules"
     mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
     for _module in $FIPSMODULES; do
         if [ "$_module" != "tcrypt" ]; then
@@ -100,7 +112,7 @@ fips_load_crypto()
     done
     mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
 
-    info "Self testing crypto algorithms"
+    fips_info "Self testing crypto algorithms"
     modprobe tcrypt || return 1
     rmmod tcrypt
 }
@@ -114,7 +126,7 @@ do_fips()
 
     KERNEL=$(uname -r)
 
-    info "Checking integrity of kernel"
+    fips_info "Checking integrity of kernel"
     if [ -e "/run/initramfs/live/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
@@ -153,7 +165,7 @@ do_fips()
         (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
     fi
 
-    info "All initrd crypto checks done"
+    fips_info "All initrd crypto checks done"
 
     > /tmp/fipsdone
 