kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

01fips: turn info calls into fips_info calls 

systemd lets stdout go to journal only. Usually, this is desired
behavior to ensure that plymouth does not get disrupted.

However in the 01fips case, the system has to halt when the integrity
check fails to satisfy FIPS requirements. So the user will not be able
to inspect the journal.

As this is special to the fips module, we introduce a fips_info() which
works like info(), but deviates the output to stderr when running with
systemd.

Reference: bsc#1164076
master
Daniel Molkentin 5 years ago committed by Daniel Molkentin
parent
da4c9a950f
commit
e096d861ed
1 changed files with 18 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      modules.d/01fips/fips.sh

24
modules.d/01fips/fips.sh
Unescape View File

@ -1,5 +1,17 @@ @@ -1,5 +1,17 @@
#!/bin/sh

# systemd lets stdout go to journal only, but the system
# has to halt when the integrity check fails to satisfy FIPS.
if [ -z "$DRACUT_SYSTEMD" ]; then
fips_info() {
info "$*"
}
else
fips_info() {
echo "$*" >&2
}
fi

mount_boot()
{
boot=$(getarg boot=)
@ -45,7 +57,7 @@ mount_boot() @@ -45,7 +57,7 @@ mount_boot()
[ -e "$boot" ] || return 1

mkdir /boot
info "Mounting $boot as /boot"
fips_info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
elif [ -d "$NEWROOT/boot" ]; then
rm -fr -- /boot
@ -65,7 +77,7 @@ do_rhevh_check() @@ -65,7 +77,7 @@ do_rhevh_check()
warn "HMAC sum mismatch"
return 1
fi
info "rhevh_check OK"
fips_info "rhevh_check OK"
return 0
}

@ -81,7 +93,7 @@ fips_load_crypto() @@ -81,7 +93,7 @@ fips_load_crypto()
{
FIPSMODULES=$(cat /etc/fipsmodules)

info "Loading and integrity checking all crypto modules"
fips_info "Loading and integrity checking all crypto modules"
mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
for _module in $FIPSMODULES; do
if [ "$_module" != "tcrypt" ]; then
@ -100,7 +112,7 @@ fips_load_crypto() @@ -100,7 +112,7 @@ fips_load_crypto()
done
mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf

info "Self testing crypto algorithms"
fips_info "Self testing crypto algorithms"
modprobe tcrypt || return 1
rmmod tcrypt
}
@ -114,7 +126,7 @@ do_fips() @@ -114,7 +126,7 @@ do_fips()

KERNEL=$(uname -r)

info "Checking integrity of kernel"
fips_info "Checking integrity of kernel"
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
@ -153,7 +165,7 @@ do_fips() @@ -153,7 +165,7 @@ do_fips()
(cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
fi

info "All initrd crypto checks done"
fips_info "All initrd crypto checks done"

> /tmp/fipsdone


Write Preview
Loading…
Cancel
Save