From 65623826c102b0cbcd04774d55dc28388e9c942c Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 14 May 2019 09:23:55 +0200
Subject: [PATCH] fips: split loading the crypto modules and checking the
kernel
In e54ab383 we moved the fips script to a later phase of boot, since
the /boot might not be available early on.

The problem is that systemd-cryptsetup* services could now be
started before do_fips is executed, and they need the crypto modules
to decrypt the devices.
So let's split the do_fips and load the module before udev does the
trigger.
---
modules.d/01fips/fips-load-crypto.sh | 8 ++++++++
modules.d/01fips/fips.sh | 19 +++++++++++--------
modules.d/01fips/module-setup.sh | 1 +
3 files changed, 20 insertions(+), 8 deletions(-)
create mode 100644 modules.d/01fips/fips-load-crypto.sh
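diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
new file mode 100644
index 00000000..82cbeee4
--- /dev/null
+++ b/modules.d/01fips/fips-load-crypto.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+ rm -f -- /etc/modprobe.d/fips.conf >/dev/null 2>&1
+else
+ . /sbin/fips.sh
+ fips_load_crypto || die "FIPS integrity test failed"
+fi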
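Review bot: In the `if` on the third added line, `$fipsmode` is expanded unquoted inside `[ ... ]`, so an empty value from `getarg fips` turns the test into a shell error instead of a comparison. In common shells that error is a non-zero status, so control falls through to the `else` branch and the FIPS modules are still loaded; that is the safe direction, but it happens by accident and prints an error during early boot. Quote the expansion: `if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then`. A short header comment such as `# pre-udev hook: load and self-test the FIPS crypto modules before udev triggers cryptsetup` would also record why this runs separately from the kernel check.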
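diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 7ba1ab27..642fafbe 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -71,15 +71,8 @@ do_rhevh_check()
 return 0
 }
 
-do_fips()
+fips_load_crypto()
 {
- local _v
- local _s
- local _v
- local _module
-
- KERNEL=$(uname -r)
-
 FIPSMODULES=$(cat /etc/fipsmodules)
 
 info "Loading and integrity checking all crypto modules"
@@ -104,6 +97,16 @@ do_fips()
 info "Self testing crypto algorithms"
 modprobe tcrypt || return 1
 rmmod tcrypt
+}
+
+do_fips()
+{
+ local _v
+ local _s
+ local _v
+ local _module
+
+ KERNEL=$(uname -r)
 
 info "Checking integrity of kernel"
 if [ -e "/run/initramfs/live/vmlinuz0" ]; then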
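Review bot: `fips_load_crypto()` now ends on `rmmod tcrypt`, so its return status is whatever rmmod returns, and the new caller in fips-load-crypto.sh runs `fips_load_crypto || die "FIPS integrity test failed"`. Before the split this rmmod sat in the middle of `do_fips()` and its status was ignored; now a failed unload halts boot with a message that blames the integrity test. Make the intent explicit: use `rmmod tcrypt || return 1` if an unload failure should be fatal, or add `return 0` before the closing brace if it should not. The lines between the two hunks are not visible here, but if the module loop there uses `_module`, that variable is no longer declared `local` in `fips_load_crypto()`, and the declarations left in `do_fips()` (including the duplicated `local _v`) should be divided between the two functions.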
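diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 834e7d7d..306f3ada 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -52,6 +52,7 @@ install() {
 local _dir
 inst_hook pre-mount 01 "$moddir/fips-boot.sh"
 inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
+ inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
 inst_script "$moddir/fips.sh" /sbin/fips.sh
 
 inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck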
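Review bot: The three `inst_hook` lines now encode a security-relevant ordering that nothing in `install()` explains: the crypto modules are loaded and self-tested at pre-udev, while the kernel integrity check presumably stays with the later pre-mount/pre-pivot hooks. Per the commit message this is deliberate, so that systemd-cryptsetup can unlock devices, but it also means encrypted volumes may be opened before the kernel check has run. Add a comment above the new line, e.g. `# pre-udev: load/self-test crypto modules before udev triggers cryptsetup; kernel check runs later, once /boot is available`. `install()` starts and ends outside this hunk.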