diff options
Diffstat (limited to '')
-rwxr-xr-x | modules.d/01fips/module-setup.sh | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh new file mode 100755 index 0000000..0e47c84 --- /dev/null +++ b/modules.d/01fips/module-setup.sh @@ -0,0 +1,85 @@ +#!/bin/bash + +# called by dracut +check() { + return 255 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +installkernel() { + local _fipsmodules _mod _bootfstype + if [[ -f "${srcmods}/modules.fips" ]]; then + read -d '' -r _fipsmodules < "${srcmods}/modules.fips" + else + _fipsmodules="" + + # Hashes: + _fipsmodules+="sha1 sha224 sha256 sha384 sha512 " + _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 " + _fipsmodules+="crc32c crct10dif ghash " + + # Ciphers: + _fipsmodules+="cipher_null des3_ede aes cfb dh ecdh " + + # Modes/templates: + _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts " + + # Compression algs: + _fipsmodules+="deflate lzo zlib " + + # PRNG algs: + _fipsmodules+="ansi_cprng " + + # Misc: + _fipsmodules+="aead cryptomgr tcrypt crypto_user " + fi + + # shellcheck disable=SC2174 + mkdir -m 0755 -p "${initdir}/etc/modprobe.d" + + for _mod in $_fipsmodules; do + if hostonly='' instmods -c -s "$_mod"; then + echo "$_mod" >> "${initdir}/etc/fipsmodules" + echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf" + fi + done + + # with hostonly_default_device fs module for /boot is not installed by default + if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then + _bootfstype=$(find_mp_fstype /boot) + if [[ -n $_bootfstype ]]; then + hostonly='' instmods "$_bootfstype" + else + dwarning "Can't determine fs type for /boot, FIPS check may fail." + fi + fi +} + +# called by dracut +install() { + inst_hook pre-pivot 00 "$moddir/fips-boot.sh" + inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" + inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" + inst_script "$moddir/fips.sh" /sbin/fips.sh + + inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort + + inst_simple /etc/system-fips + [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \ + || { + dfatal "Cannot create /dev/random" + dfatal "To create an initramfs with fips support, dracut has to run as root" + return 1 + } + [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \ + || { + dfatal "Cannot create /dev/urandom" + dfatal "To create an initramfs with fips support, dracut has to run as root" + return 1 + } +} |