Commit Graph

48 Commits (07c944b48c5c92364df70d0f137480b8a42d4e83)

Author SHA1 Message Date
Harald Hoyer 6aa59dd8ab fix(fips): shellcheck for modules.d/01fips 2021-03-26 12:20:15 +01:00
Harald Hoyer 75d758e8f1 style: shfmt -s reformat
reproducible with:

```
$ shfmt_version=3.0.1
$ wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O shfmt
$ chmod u+x shfmt
$ ./shfmt -w -s .
```
2021-03-13 20:10:43 +01:00
Alexey Kodanev 958ca9e912 fips: add 'ofb' and 'cts' block cipher modes
Add cts, Linux-5.0 commit:
* 196ad6043e9f ("crypto: testmgr - mark cts(cbc(aes)) as FIPS allowed")

Linux 4.20 commits for 'ofb':
* dfb89ab3f0a7 ("crypto: tcrypt - add OFB functional tests")
* e497c51896b3 ("crypto: ofb - add output feedback mode")

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
2019-11-29 18:56:56 +01:00
Lukas Nykryn b988934a38 fips: split loading the crypto modules and checking the kernel
In e54ab383 we moved the fips script to a later pahse of boot, since
the /boot might not be available early on.

The problem is that systemd-cryptsetup* services could be run now
started before the do_fips is executed and need the crypto modules
to decrypted the devices.

So let's split the do_fips and load the module before udev does the
trigger.
2019-07-19 16:26:05 +02:00
Lukas Nykryn 9f96bb4c73 01fips: add cfb cipher
Required by FIPS standard
2019-07-16 14:31:32 +02:00
Kairui Song 8365177644 fips: ensure fs module for /boot is installed
When using dracut with  --hostonly and --no-hostonly-default-device,
/boot will be inaccessible as dracut will most fs modules unless
specified. But FIPS require /boot to be accessible, and it will try
to mount it on boot. It will fail if corresponding fs module is missing.

For most case /boot will be a simple partition, include the fs module
will be enough for FIPS to mount it. For other cases users have to pass
extra parameters by themselves.

Suggested-by: Kenneth Dsouza <kdsouza@redhat.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
2019-03-22 12:58:09 +01:00
Renaud Métrich e54ab383f7 fips: check fips integrity just before mounting local filesystems in /sysroot
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
2018-10-19 15:08:53 +02:00
Ondrej Mosnacek cec0d04112 fips: only install FIPS-compliant crypto modules
Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.

Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).
2018-07-02 11:42:04 +02:00
Ondrej Mosnacek f4d34357c0 fips: cleanup FIPS crypto module list
This patch cleans up the default list of kernel modules in the 01fips
dracut module. All the algorithms that are tested in tcrypt are listed
by their algorithm name so that all the generic implementations and
drivers are picked up automatically based on the module alias.

This drops several unneeded modules and even a bogus one (rot13 -- this
one was obviously copy-pasted from tcrypt.c where it was listed as an
easter egg :).

The patch adds also some algorithms that weren't included in the
original set. It turns out in FIPS mode we only need those algorithms
that are marked as FIPS-allowed in testmgr.c (failure to find a non-FIPS
algorithm is ignored). The non-FIPS algorithms are further removed in a
subsequent patch.
2018-07-02 11:42:04 +02:00
Ondrej Mosnacek eed91294f8 fips: add crypto_user module for new hmaccalc
In Fedora 28+, hmaccalc (sha512hmac) is provided by libkcapi-hmaccalc,
which needs the crypto_user module for its functionality.
2018-07-02 11:42:04 +02:00
Ondrej Mosnacek bca1967c90 fips: Drop obsolete dependencies
Explicitly require libkcapi-hmaccalc and stop installing NSS/prelink
dependencies that are no longer needed.
2018-06-14 13:07:07 +02:00
Daniel Molkentin d00cfc2a7b Remove obsolete prelinking functionality 2018-06-14 12:58:59 +02:00
Ondrej Mosnacek 935dd5746a fips: add sha3_generic and sm3_generic modules
SHA-3 and SM3 have been added to the tcrypt module recently, so without
them the 'modprobe tcrypt' step causes a kernel panic.
2018-06-07 17:18:29 +02:00
Lukas Nykryn 0a50111ab3 01fips: add authenec module
Resolves: #1465946
2017-06-28 17:46:04 +02:00
Lukas Nykryn 63c7b358f5 fips: add cmac kernel module
cmac is now marked as fips_allowed

Resolves: rhbz#1460865
2017-06-13 10:29:54 +02:00
Harald Hoyer 7c29d205f4 fips: use /lib/modules/$(uname -r)/modules.fips
if /lib/modules/$(uname -r)/modules.fips exists, use that list instead
of the hardcoded dracut module list.
2017-01-25 16:39:09 +01:00
Harald Hoyer 1d832b4bf4 fips: precreate /dev/random /dev/urandom
otherwise libgcrypt might be unhappy, if used before devtmpfs is mounted

https://bugzilla.redhat.com/show_bug.cgi?id=1401444
2017-01-18 10:34:00 +01:00
Lukas Nykryn 1c132d39a6 fips-module: add missing space 2016-07-28 12:33:03 +02:00
Harald Hoyer c97209fe69 fips: add authenc and authencesn kernel modules
https://bugzilla.redhat.com/show_bug.cgi?id=1115112#c5
2015-11-11 11:48:32 +01:00
Harald Hoyer 822a7ae504 fips: add some s390 kernel modules 2015-04-28 10:46:33 +02:00
Harald Hoyer 7e9341434f fips: add drbg kernel module 2015-02-19 10:45:35 +01:00
Harald Hoyer 4089949033 fips: remove c&p "and" 2015-01-09 14:53:42 +01:00
Harald Hoyer 3659d64df3 fips: add libfreeblpriv3.so and libfreeblpriv3.chk 2014-11-28 15:32:17 +01:00
Harald Hoyer 967cc19ab1 remove all vim and emacs code format comments 2014-08-29 13:38:47 +02:00
Harald Hoyer 185e940e27 fips: also install /etc/system-fips in the initramfs 2013-11-04 17:32:22 +01:00
Kyle McMartin 0a8e91bb24 fips: include crct10dif_generic
Resolves: rhbz#1024455
2013-10-30 12:35:27 +01:00
Harald Hoyer 8bcfd683bd */module-setup.sh: add comments for dracut called functions 2013-10-08 10:37:56 +02:00
Harald Hoyer af11946054 dracut-functions.sh: inst_multiple == dracut_install 2013-08-07 10:33:15 +02:00
Baoquan He 15b93069bb 01fips/module-setup.sh: add libssl.so.10 to make kdump work with fips mode
FIPS can work well in 1st kernel, but failed in kdump kernel. the
libssl.so.10 and related hmac file are needed. Now add it and it
works.

Signed-off-by: Baoquan He <bhe@redhat.com>
2013-05-28 14:26:31 +02:00
Harald Hoyer 6f4c2dada4 fixed fips mode
- preserve timestamps
- copy /lib*/hmaccalc files
- run sha512hmac after kernel module loading
- add more fips kernel modules
2013-04-25 19:44:01 +02:00
Harald Hoyer 1161f03777 fips: add lzo module 2013-03-08 07:05:55 +01:00
Harald Hoyer 0fc0dcff60 bye bye iscsi_wait_scan ... officially gone for kernel 3.6 2012-09-18 13:39:54 +02:00
Milan Broz 104727ad6e Require fipscheck and libssl in FIPS module
To properly perform verification in FIPS mode,
we need to install fipscheck and libssl explicitly.

(cryptsetup seems to be the first user of this verification in ramdisk...)

Signed-off-by: Milan Broz <mbroz@redhat.com>
2012-08-24 09:26:59 +02:00
Milan Broz 4ee59ab3ed Fix fips module list.
If dracut is build only with fips/fips-aesni (no crypto module),
FIPS mode fails because of missing GCM modules.

Just add proper modules to list (kernel have both maker as FIPS compliant already).

Signed-off-by: Milan Broz <mbroz@redhat.com>
2012-07-16 16:58:51 +02:00
Harald Hoyer 338b43cd6a fips: add instmods silent check mode "-c -s" 2012-07-05 11:15:42 +02:00
Harald Hoyer 0251fcd400 fips: change module list 2012-07-05 10:11:27 +02:00
Harald Hoyer 0d339e7ffb fips/module-setup.sh: s/aes-xts/xts 2012-06-29 12:41:27 +02:00
Harald Hoyer 53fe81e752 modules.d/*/module-setup.sh: combine and specify type for installs
To speedup image creation, combine dracut_install calls and specify the exact type.
E.g. inst_script instead of the generic inst.
2012-06-29 12:41:27 +02:00
Harald Hoyer d77540c8e4 get rid of libdir and usrlibdir 2012-06-04 15:23:15 +02:00
Harald Hoyer 51153fb18c removed scsi_wait_scan from standard install 2012-05-31 09:14:17 +02:00
Jon Ander Hernandez c9143a63fe Debian multiarch support
Another solution could be searching in directories found at
/etc/ld.so.conf.d/*.conf or adding a new parameter. Here is a patch
which adds a new --libdirs parameter, and also a new inst_libdir_file
function which will try to expand metacharacters on each lib
directory:

    inst_libdir_file "libdevmapper-event-lvm*.so"
2012-04-16 14:46:53 +02:00
Harald Hoyer 078acb598b fips: fixed aes_generic module typo 2012-04-02 09:01:49 +02:00
Harald Hoyer 814fa9a58f 01fips/installkernel: add dm-mod and dm-crypt to the fipsmodules
https://bugzilla.redhat.com/show_bug.cgi?id=707609
2011-08-11 14:27:25 +02:00
Harald Hoyer 29b10e65b1 dracut-functions: make local vars local and prefix with "_" 2011-05-12 11:06:47 +02:00
Harald Hoyer 3b403b32fc removed trailing whitespaces 2011-05-10 11:56:09 +02:00
Harald Hoyer 4257798f8a fips: forward port RHEL-6 fips changes
- also support FIPS on separate LVM partition
- use small settle loop to get /boot
- "set -e" has no effect, if we use "||"
- make fips work with encrypted root and seperate boot
- moved to pre-pivot to support /boot in /
2011-05-02 11:15:46 +02:00
Harald Hoyer d125a47061 mkdir always with -m 0755 2011-04-08 10:39:46 +02:00
Harald Hoyer 71df3c4329 renamed module-info.sh to module-setup.sh 2011-02-02 16:35:18 +01:00