In e54ab383 we moved the fips script to a later pahse of boot, since
the /boot might not be available early on.
The problem is that systemd-cryptsetup* services could be run now
started before the do_fips is executed and need the crypto modules
to decrypted the devices.
So let's split the do_fips and load the module before udev does the
trigger.
When using dracut with --hostonly and --no-hostonly-default-device,
/boot will be inaccessible as dracut will most fs modules unless
specified. But FIPS require /boot to be accessible, and it will try
to mount it on boot. It will fail if corresponding fs module is missing.
For most case /boot will be a simple partition, include the fs module
will be enough for FIPS to mount it. For other cases users have to pass
extra parameters by themselves.
Suggested-by: Kenneth Dsouza <kdsouza@redhat.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.
Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).
This patch cleans up the default list of kernel modules in the 01fips
dracut module. All the algorithms that are tested in tcrypt are listed
by their algorithm name so that all the generic implementations and
drivers are picked up automatically based on the module alias.
This drops several unneeded modules and even a bogus one (rot13 -- this
one was obviously copy-pasted from tcrypt.c where it was listed as an
easter egg :).
The patch adds also some algorithms that weren't included in the
original set. It turns out in FIPS mode we only need those algorithms
that are marked as FIPS-allowed in testmgr.c (failure to find a non-FIPS
algorithm is ignored). The non-FIPS algorithms are further removed in a
subsequent patch.
FIPS can work well in 1st kernel, but failed in kdump kernel. the
libssl.so.10 and related hmac file are needed. Now add it and it
works.
Signed-off-by: Baoquan He <bhe@redhat.com>
To properly perform verification in FIPS mode,
we need to install fipscheck and libssl explicitly.
(cryptsetup seems to be the first user of this verification in ramdisk...)
Signed-off-by: Milan Broz <mbroz@redhat.com>
If dracut is build only with fips/fips-aesni (no crypto module),
FIPS mode fails because of missing GCM modules.
Just add proper modules to list (kernel have both maker as FIPS compliant already).
Signed-off-by: Milan Broz <mbroz@redhat.com>
Another solution could be searching in directories found at
/etc/ld.so.conf.d/*.conf or adding a new parameter. Here is a patch
which adds a new --libdirs parameter, and also a new inst_libdir_file
function which will try to expand metacharacters on each lib
directory:
inst_libdir_file "libdevmapper-event-lvm*.so"
- also support FIPS on separate LVM partition
- use small settle loop to get /boot
- "set -e" has no effect, if we use "||"
- make fips work with encrypted root and seperate boot
- moved to pre-pivot to support /boot in /
Harald Hoyer