powerel9
/
dracut
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
501 KiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
dracut/SOURCES/0021.patch

85 lines
3.5 KiB
Raw Permalink Blame History

From a0d8caa8090a78f627f26fcd9b47c4b099cbc1ba Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Thu, 17 Jun 2021 10:47:33 -0400
Subject: [PATCH] fix(fips): handle s390x OSTree systems
On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path
to the kernel image, but rather an integer describing the index of the
menu entry selected. Because of the way the s390x bootloader works,
there is no information retained about e.g. the path of the kernel that
was loaded.
This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is
a path to the kernel image to derive the HMAC path. In non-OSTree
systems, this ends up working anyway, because the kernel is located at
the root of the boot partition. In OSTree systems, this is not the
case. However, OSTree systems use BLS configs, and they are named in
reverse order of precedence (i.e. menu ordering). So from the
`BOOT_IMAGE` integer, we can figure out which BLS entry was selected.
Add some code to do just this on s390x. This isn't completely foolproof,
because it presumes that (1) BLS configs were used to populate the
bootloader (and that they were exactly in the same state they currently
are when `zipl` was run), and (2) there are no other menu entries
originating from outside the BLS configs. However, if these assumptions
are wrong we would simply fail the boot, which is currently what is
happening anyway.
See also:
https://github.com/openshift/os/pull/546
https://github.com/ibm-s390-linux/s390-tools/issues/78
Tested-by: Muhammad Adeel <muhammad.adeel@ibm.com>
Resolves: rhbz#2050567
---
modules.d/01fips/fips.sh | 21 +++++++++++++++++++++
modules.d/01fips/module-setup.sh | 2 +-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 821c26a2..3297cb17 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -124,6 +124,27 @@ do_fips() {
else
BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+ # On s390x, BOOT_IMAGE isn't a path but an integer representing the
+ # entry number selected. Let's try the root of /boot first, and
+ # otherwise fallback to trying to parse the BLS entries if it's a
+ # BLS-based system.
+ if [ "$(uname -m)" = s390x ]; then
+ if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
+ BOOT_IMAGE="vmlinuz-${KERNEL}"
+ elif [ -d /boot/loader/entries ]; then
+ i=0
+ for bls in $(ls -d /boot/loader/entries/*.conf | sort -rV); do
+ ((i++))
+
+ if [ $i -eq ${BOOT_IMAGE:-0} ] && [ -r "$bls" ]; then
+ BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"
+ BOOT_IMAGE=${BOOT_IMAGE:1}
+ break
+ fi
+ done
+ fi
+ fi
+
# Trim off any leading GRUB boot device (e.g. ($root) )
BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index a1e499af..913a660c 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -67,7 +67,7 @@ install() {
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
- inst_multiple sha512hmac rmmod insmod mount uname umount
+ inst_multiple sha512hmac rmmod insmod mount uname umount grep sort
inst_simple /etc/system-fips
[ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \