powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1055 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 260568e7ec
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '260568e7ec'
${ noResults }
base/SOURCES/0562-fips-split-loading-the...

86 lines
2.5 KiB
Raw Blame History

From 65623826c102b0cbcd04774d55dc28388e9c942c Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 14 May 2019 09:23:55 +0200
Subject: [PATCH] fips: split loading the crypto modules and checking the
kernel
In e54ab383 we moved the fips script to a later pahse of boot, since
the /boot might not be available early on.
The problem is that systemd-cryptsetup* services could be run now
started before the do_fips is executed and need the crypto modules
to decrypted the devices.
So let's split the do_fips and load the module before udev does the
trigger.
---
modules.d/01fips/fips-load-crypto.sh | 8 ++++++++
modules.d/01fips/fips.sh | 19 +++++++++++--------
modules.d/01fips/module-setup.sh | 1 +
3 files changed, 20 insertions(+), 8 deletions(-)
create mode 100644 modules.d/01fips/fips-load-crypto.sh
diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
new file mode 100644
index 00000000..82cbeee4
--- /dev/null
+++ b/modules.d/01fips/fips-load-crypto.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode = "0" ]; then
+ rm -f -- /etc/modprobe.d/fips.conf >/dev/null 2>&1
+else
+ . /sbin/fips.sh
+ fips_load_crypto || die "FIPS integrity test failed"
+fi
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 7ba1ab27..642fafbe 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -71,15 +71,8 @@ do_rhevh_check()
return 0
}
-do_fips()
+fips_load_crypto()
{
- local _v
- local _s
- local _v
- local _module
-
- KERNEL=$(uname -r)
-
FIPSMODULES=$(cat /etc/fipsmodules)
info "Loading and integrity checking all crypto modules"
@@ -104,6 +97,16 @@ do_fips()
info "Self testing crypto algorithms"
modprobe tcrypt || return 1
rmmod tcrypt
+}
+
+do_fips()
+{
+ local _v
+ local _s
+ local _v
+ local _module
+
+ KERNEL=$(uname -r)
info "Checking integrity of kernel"
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 834e7d7d..306f3ada 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -52,6 +52,7 @@ install() {
local _dir
inst_hook pre-mount 01 "$moddir/fips-boot.sh"
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
+ inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck