fixed fips mode

- preserve timestamps
- copy /lib*/hmaccalc files
- run sha512hmac after kernel module loading
- add more fips kernel modules
This commit is contained in:
Harald Hoyer 2013-04-25 19:44:01 +02:00
parent ab42fe38fd
commit 6f4c2dada4
5 changed files with 21 additions and 8 deletions


@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then
-executable -not -path '*/lib/modules/*.ko' -print0 \
| while read -r -d $'\0' f; do
if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
&& ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \
&& ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \
&& ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
&& ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
echo -n "$f"; echo -n -e "\000"
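Review bot: The two hmaccalc tests added here, like the fipscheck ones beside them, match on basename only (`${f##*/}`), so any executable elsewhere in the image whose basename collides with one that has an .hmac in those directories is silently left unstripped, and the same four directories are now hard-coded a second time in hmac_install() in the C installer. I would keep one list, `_hmacdirs="/lib/hmaccalc /lib64/hmaccalc /lib/fipscheck /lib64/fipscheck"`, loop over it instead of chaining five `-e` tests, and add a comment that it must stay in step with the directories hmac_install() probes. The find/while loop this sits in starts before the hunk and the if-body continues past it, so I cannot see whether anything else depends on the exact chain.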


@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)
ret = clone_file(dest_desc, source_desc);
close(source_desc);
if (ret == 0) {
struct timeval tv[2];
if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)
fchown(dest_desc, -1, sb.st_gid);
tv[0].tv_sec = sb.st_atime;
tv[0].tv_usec = 0;
tv[1].tv_sec = sb.st_mtime;
tv[1].tv_usec = 0;
futimes(dest_desc, tv);
close(dest_desc);
return ret;
}
@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)
normal_copy:
pid = fork();
if (pid == 0) {
execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);
execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);
_exit(EXIT_FAILURE);
}
@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)
if (!hmacpath) {
hmac_install(src, dst, "/lib/fipscheck");
hmac_install(src, dst, "/lib64/fipscheck");
hmac_install(src, dst, "/lib/hmaccalc");
hmac_install(src, dst, "/lib64/hmaccalc");
}
srcpath[dlen] = '\0';
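Review bot: The result of `futimes(dest_desc, tv)` on the new line in cp() is discarded, so a failure to carry the timestamps over is silent even though preserving them is the point of this change, and zeroing `tv_usec` drops the sub-second part that the `cp --preserve=mode,timestamps` fallback path just below keeps, so the two copy paths now produce different results. If the target libc has futimens(), using the `st_atim`/`st_mtim` members of `sb` keeps full precision: `struct timespec ts[2] = { sb.st_atim, sb.st_mtim }; if (futimens(dest_desc, ts) != 0) { /* report, as the fchown() fallback above does */ }`. cp() begins before the hunk, so I am assuming `sb` is the source's struct stat from the fields used on the fchown line; in hmac_install() the four recursive calls likewise ignore their return values, which matches the existing two but means a missing .hmac copy is never noticed.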


@ -51,7 +51,6 @@ mount_boot()
do_fips()
{
info "Checking integrity of kernel"
KERNEL=$(uname -r)
if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
@ -59,8 +58,6 @@ do_fips()
return 1
fi
sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
FIPSMODULES=$(cat /etc/fipsmodules)
info "Loading and integrity checking all crypto modules"
@ -72,6 +69,10 @@ do_fips()
info "Self testing crypto algorithms"
modprobe tcrypt || return 1
rmmod tcrypt
info "Checking integrity of kernel"
sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
info "All initrd crypto checks done"
> /tmp/fipsdone
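Review bot: Nothing in do_fips() says why the kernel HMAC verification now runs after the crypto modules are loaded and the tcrypt self-test has run, and the `-e` test for the .hmac file at the top of the function is now far from the `sha512hmac -c` call that consumes it, which invites someone to move the call back. A one-line comment above the moved call would fix that, e.g. `# Must run after the module loading above: sha512hmac depends on the loaded crypto (confirm)`, hedged because I infer the dependency from the commit message rather than from the code. Note that the integrity check still precedes `> /tmp/fipsdone`, so the marker is only written after the kernel has verified; do_fips() continues past the hunk.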


@ -12,9 +12,11 @@ depends() {
installkernel() {
local _fipsmodules _mod
_fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"
_fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"
_fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"
_fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
_fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
_fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
_fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
_fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
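Review bot: The new `_fipsmodules` list mixes FIPS-approved algorithms with ones that are not (arc4, blowfish, md4, md5, rot13, tea, xtea, khazad, salsa20 and others), and nothing in the file explains why they belong in a set with that name when the fips hook installs, HMAC-checks and loads every entry at boot. A comment above the assignment should state the intent, e.g. `# Everything the tcrypt self-test may exercise, not only approved algorithms -- confirm`; I infer the tcrypt motivation from the commit rather than from the code, and if that is not the reason the non-approved ciphers should be dropped. The `aes-x86_64` entry remains hard-coded for one architecture as it was before. installkernel() continues past the hunk.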


@ -384,7 +384,7 @@ die() {
echo "warn dracut: FATAL: \"$*\"";
echo "warn dracut: Refusing to continue";
} >> $hookdir/emergency/01-die.sh
[ -d /run/initramfs ] || mkdir -p /run/initramfs
> /run/initramfs/.die
emergency_shell
exit 1
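Review bot: The `[ -d /run/initramfs ] ||` guard on the new line in die() is redundant, since `mkdir -p` already succeeds on an existing directory; `mkdir -p /run/initramfs` alone reads cleaner and behaves the same. If mkdir fails, the following `> /run/initramfs/.die` fails too and the error path still reaches emergency_shell, which seems acceptable for a fatal-error handler. die() begins before the hunk.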