authorHarald Hoyer <harald@redhat.com>2009-11-12 14:58:27 +0100
committerHarald Hoyer <harald@redhat.com>2009-11-12 14:59:28 +0100
commit03d8ec26017effea8afd111f1ef5dc2c25142b74 (patch)
tree2d28a4fbec4da327664e4d22e3f67e1f04bd49ba
parentb941e8fb9f984eb2e0dfe8fbff7a7e334cdb6ca6 (diff)
add module fips
-rwxr-xr-xmodules.d/01fips/fips.sh69
-rwxr-xr-xmodules.d/01fips/install14
-rwxr-xr-xmodules.d/01fips/installkernel14
3 files changed, 97 insertions, 0 deletions
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
new file mode 100755
index 0000000..ac385f8
--- /dev/null
+++ b/modules.d/01fips/fips.sh
@@ -0,0 +1,69 @@
+do_fips()
+{
+ FIPSMODULES=$(cat /etc/fipsmodules)
+ BOOT=$(getarg boot=)
+ KERNEL=$(uname -r)
+ udevadm trigger >/dev/null 2>&1
+ case "$boot" in
+ block:LABEL=*|LABEL=*)
+ boot="${boot#block:}"
+ boot="$(echo $boot | sed 's,/,\\x2f,g')"
+ boot="/dev/disk/by-label/${boot#LABEL=}"
+ bootok=1 ;;
+ block:UUID=*|UUID=*)
+ boot="${boot#block:}"
+ boot="/dev/disk/by-uuid/${root#UUID=}"
+ bootok=1 ;;
+ /dev/*)
+ bootok=1 ;;
+ esac
+
+ [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version)
+
+ if [ $UDEVVERSION -ge 143 ]; then
+ udevadm settle --exit-if-exists=$boot
+ else
+ udevadm settle --timeout=30
+ fi
+
+ [ -e "$boot" ]
+
+ mkdir /boot
+ info "Mounting $boot as /boot"
+ mount -oro "$boot" /boot
+
+ info "Checking integrity of kernel"
+
+ if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+ warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
+ return 1
+ fi
+
+ sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+
+ info "Umounting /boot"
+ umount /boot
+
+ info "Loading and integrity checking all crypto modules"
+ for module in $FIPSMODULES; do
+ if [ "$module" != "tcrypt" ]; then
+ modprobe ${module} || return 1
+ fi
+ done
+ info "Self testing crypto algorithms"
+ modprobe tcrypt noexit=1 || return 1
+ rmmod tcrypt
+ info "All initrd crypto checks done"
+
+ return 0
+}
+
+if ! fipsmode=$(getarg fips) || [ $fipsmode == "0" ]; then
+ rm -f /etc/modprobe.d/fips.conf >/dev/null 2>&1
+else
+ set -e
+ do_fips || die "FIPS integrity test failed"
+ set +e
+fi
+
+# vim:ts=8:sw=4:sts=4:et
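Review bot: The boot device is never actually resolved in do_fips: the assignment on the `BOOT=$(getarg boot=)` line uses upper-case `BOOT`, while the `case "$boot"` and the later `mount -oro "$boot" /boot` read lower-case `$boot`, and the UUID arm strips the prefix from `$root` instead of `$boot`, so `$boot` stays empty, no arm matches, and `bootok` is set but never consulted. The outcome of `[ -e "$boot" ]` and the status of `mount` are discarded too, so a missing or unmounted /boot is only noticed when the `.hmac` file is reported absent — this should still fail closed via `die`, but the diagnostic is misleading and the `exit-if-exists` settle is a no-op. I would change these to `boot=$(getarg boot=)`, `boot="/dev/disk/by-uuid/${boot#UUID=}"` and `mount -oro "$boot" /boot || return 1`, and either check `bootok` (`[ "$bootok" = 1 ] || return 1`) or drop it. The top-level test `[ $fipsmode == "0" ]` should also quote the expansion (`[ "$fipsmode" = "0" ]`) so a bare `fips` on the command line does not produce a test error instead of a clean comparison.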
diff --git a/modules.d/01fips/install b/modules.d/01fips/install
new file mode 100755
index 0000000..5fa35dd
--- /dev/null
+++ b/modules.d/01fips/install
@@ -0,0 +1,14 @@
+inst_hook pre-trigger 01 "$moddir/fips.sh"
+dracut_install sha512hmac rmmod insmod mount uname
+
+libdir="lib"
+if ldd $(find_binary sha512hmac) |grep -q /lib64/libc; then
+ libdir="lib64"
+fi
+
+dracut_install \
+ /usr/$libdir/libsoftokn3.so /usr/$libdir/libsoftokn3.chk \
+ /usr/$libdir/libfreebl3.so /usr/$libdir/libfreebl3.chk \
+ /usr/$libdir/hmaccalc/sha512hmac.hmac
+
+# vim:ts=8:sw=4:sts=4:et
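Review bot: The first `dracut_install` line covers sha512hmac, rmmod, insmod, mount and uname, but the hook it installs (fips.sh) also executes `modprobe`, `umount`, `udevadm`, `sed`, `cat` and `mkdir`; unless the base and udev modules are guaranteed to install those first (not visible here), they belong on that line, e.g. `dracut_install sha512hmac rmmod insmod modprobe mount umount uname sed`. The lib64 detection inspects only which libc sha512hmac links against and assumes the NSS libraries live under the same `/usr/$libdir`; a comment such as `# NSS libs must come from the same ABI dir as sha512hmac; the .chk files are presumably its integrity signatures and are required` would make that dependency explicit. Quoting `"$(find_binary sha512hmac)"` would also avoid word splitting on the resolved path.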
diff --git a/modules.d/01fips/installkernel b/modules.d/01fips/installkernel
new file mode 100755
index 0000000..ccdf17f
--- /dev/null
+++ b/modules.d/01fips/installkernel
@@ -0,0 +1,14 @@
+FIPSMODULES="aead aes_generic aes-x86_64 ansi_cprng cbc ccm chainiv ctr"
+FIPSMODULES="$FIPSMODULES des deflate ecb eseqiv hmac seqiv sha256 sha512"
+FIPSMODULES="$FIPSMODULES cryptomgr crypto_null tcrypt"
+
+mkdir -p "${initdir}/etc/modprobe.d"
+
+for mod in $FIPSMODULES; do
+ if instmods $mod; then
+ echo $mod >> "${initdir}/etc/fipsmodules"
+ echo "blacklist $mod" >> "${initdir}/etc/modprobe.d/fips.conf"
+ fi
+done
+
+# vim:ts=8:sw=4:sts=4:et
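Review bot: The `blacklist $mod` entries written into fips.conf deserve a comment stating the intent, because `blacklist` in modprobe.d only suppresses alias-based autoloading: the explicit `modprobe ${module}` in fips.sh still loads a blacklisted module, which is exactly what the ordering relies on, and fips.sh removes this file again when fips is off. I would add above the loop `# blacklist so nothing autoloads these before fips.sh has integrity-checked them; explicit modprobe in fips.sh still works`. Both appends use `>>`, so if `${initdir}/etc/fipsmodules` could already exist from another module or an earlier pass it would accumulate duplicates; truncating it before the loop (`: > "${initdir}/etc/fipsmodules"`) would be safer.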