From 6c128565b10871eef5ab048cc25e59940919f140 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 16 Oct 2012 14:53:26 +0200
Subject: [PATCH] strip initramfs binaries by default (not all for FIPS)
---
 dracut.8.asc | 4 ++--
 dracut.sh | 27 ++++++++++++++++++++-------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/dracut.8.asc b/dracut.8.asc
index 3880cf64..5062db3f 100644
--- a/dracut.8.asc
+++ b/dracut.8.asc
@@ -248,10 +248,10 @@ example:
 inhibit installation of any fsck tools
 **--strip**::
- strip binaries in the initramfs
+ strip binaries in the initramfs (default)
 **--nostrip**::
- do not strip binaries in the initramfs (default)
+ do not strip binaries in the initramfs
 **--hardlink**::
 hardlink files in the initramfs (default)
diff --git a/dracut.sh b/dracut.sh
index 90f4fdf3..7678f192 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -90,8 +90,8 @@ Creates initial ramdisk images for preloading modules
 --kernel-only Only install kernel drivers and firmware files
 --no-kernel Do not install kernel drivers and firmware files
 --kernel-cmdline [PARAMETERS] Specify default kernel command line parameters
- --strip Strip binaries in the initramfs
- --nostrip Do not strip binaries in the initramfs (default)
+ --strip Strip binaries in the initramfs (default)
+ --nostrip Do not strip binaries in the initramfs
 --hardlink Hardlink files in the initramfs (default)
 --nohardlink Do not hardlink files in the initramfs
 --prefix [DIR] Prefix initramfs files with [DIR]
@@ -551,7 +551,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))
 [[ $drivers_dir_l ]] && drivers_dir=$drivers_dir_l
 [[ $do_strip_l ]] && do_strip=$do_strip_l
-[[ $do_strip ]] || do_strip=no
+[[ $do_strip ]] || do_strip=yes
 [[ $do_hardlink_l ]] && do_hardlink=$do_hardlink_l
 [[ $do_hardlink ]] || do_hardlink=yes
 [[ $prefix_l ]] && prefix=$prefix_l
@@ -1029,10 +1029,23 @@ fi
 if [[ $do_strip = yes ]] ; then
 dinfo "*** Stripping files ***"
- find "$initdir" -type f \
- '(' -perm -0100 -or -perm -0010 -or -perm -0001 \
- -or -path '*/lib/modules/*.ko' ')' -print0 \
- | xargs -r -0 strip -g 2>/dev/null
+ if [[ $DRACUT_FIPS_MODE ]]; then
+ find "$initdir" -type f \
+ '(' -perm -0100 -or -perm -0010 -or -perm -0001 \
+ -or -path '*/lib/modules/*.ko' ')' -print0 \
+ | while read -r -d $'\0' f; do
+ if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
+ && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
+ && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
+ echo -n "$f"; echo -n -e "\000"
+ fi
+ done |xargs -r -0 strip -g 2>/dev/null
+ else
+ find "$initdir" -type f \
+ '(' -perm -0100 -or -perm -0010 -or -perm -0001 \
+ -or -path '*/lib/modules/*.ko' ')' -print0 \
+ | xargs -r -0 strip -g 2>/dev/null
+ fi
 dinfo "*** Stripping files done ***"
 fi
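Review bot: In the FIPS branch the second and third HMAC tests look at `/lib/fipscheck/` and `/lib64/fipscheck/` on the build host, while the first test looks beside the file under `$initdir`, so the exemption depends on what the host root happens to contain rather than on what was installed into the image. If a binary's `.hmac` exists only inside the image tree it is still passed to `strip -g`, and its checksum would presumably no longer match at boot; I would also test the image copies, e.g. `&& ! [[ -e "$initdir/lib/fipscheck/${f##*/}.hmac" ]]` and the same for `lib64`. The filter reads names with `read -r -d $'\0' f`, which trims IFS whitespace at the ends of a path; `IFS= read -r -d '' f` together with `printf '%s\0' "$f"` in place of the two `echo` calls keeps names intact. Because `2>/dev/null` hides every strip error, a comment above the loop such as `# FIPS: never strip a file that has an .hmac; stripping changes the bytes the checksum covers` would record the intent, and the `find` expression, now duplicated in both branches, could be held once in an array.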