From a1435c3d535707f1d21aaf85e62175ff2bb1ad2b Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Thu, 14 Mar 2019 18:54:10 +0800
Subject: [PATCH] fips: ensure fs module for /boot is installed
When using dracut with --hostonly and --no-hostonly-default-device,
/boot will be inaccessible as dracut will omit most fs modules unless
specified. But FIPS require /boot to be accessible, and it will try
to mount it on boot. It will fail if corresponding fs module is missing.
For most case /boot will be a simple partition, include the fs module
will be enough for FIPS to mount it. For other cases users have to pass
extra parameters by themselves.
Suggested-by: Kenneth Dsouza <kdsouza@redhat.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
---
modules.d/01fips/module-setup.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 18186d62..89734a09 100755
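--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -12,7 +12,7 @@ depends() {
 
 # called by dracut
 installkernel() {
- local _fipsmodules _mod
+ local _fipsmodules _mod _bootfstype
 if [[ -f "${srcmods}/modules.fips" ]]; then
 _fipsmodules="$(cat "${srcmods}/modules.fips")"
 else
@@ -47,6 +47,16 @@ installkernel() {
 echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
 fi
 done
+
+ # with hostonly_default_device fs module for /boot is not installed by default
+ if [[ $hostonly ]] && [[ "$hostonly_default_device" == "no" ]]; then
+ _bootfstype=$(find_mp_fstype /boot)
+ if [[ -n "$_bootfstype" ]]; then
+ hostonly='' instmods $_bootfstype
+ else
+ dwarning "Can't determine fs type for /boot, FIPS check may fail."
+ fi
+ fi
 }
 
 # called by dracut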
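Review bot: The comment above the new block at the end of installkernel() reads as the opposite of the condition it guards: the branch runs when `hostonly_default_device` is "no", so it should say `# with --no-hostonly-default-device the fs module for /boot is not installed by default`. The `hostonly=''` prefix on `instmods` also deserves a short why-comment, presumably `# clear hostonly for this call so the module is installed even if the hostonly filter would skip it`, and the argument is better quoted as `"$_bootfstype"`. When the fs type cannot be determined the image is still built with only a `dwarning`, so the message could name the remedy the commit description alludes to (passing the needed parameters manually); otherwise the problem surfaces only when the FIPS check tries to mount /boot at boot. installkernel() begins outside the second hunk, so the rest of its body is not visible here.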