diff options
Diffstat (limited to '')
-rwxr-xr-x | modules.d/01fips/fips-boot.sh | 2 | ||||
-rwxr-xr-x | modules.d/01fips/fips-load-crypto.sh | 2 | ||||
-rwxr-xr-x | modules.d/01fips/fips-noboot.sh | 2 | ||||
-rwxr-xr-x | modules.d/01fips/fips.sh | 6 | ||||
-rwxr-xr-x | modules.d/01fips/module-setup.sh | 17 |
5 files changed, 8 insertions, 21 deletions
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh index 34760e0..d703a10 100755 --- a/modules.d/01fips/fips-boot.sh +++ b/modules.d/01fips/fips-boot.sh @@ -3,7 +3,7 @@ type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then - rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 + : elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" elif getarg boot= > /dev/null; then diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh index 6ef42b9..d1d90c8 100755 --- a/modules.d/01fips/fips-load-crypto.sh +++ b/modules.d/01fips/fips-load-crypto.sh @@ -3,7 +3,7 @@ type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then - rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 + : elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" else diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh index 963a034..319da90 100755 --- a/modules.d/01fips/fips-noboot.sh +++ b/modules.d/01fips/fips-noboot.sh @@ -3,7 +3,7 @@ type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then - rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 + : elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" elif ! [ -f /tmp/fipsdone ]; then diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index 2e7b7cb..c81c2a6 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh @@ -97,7 +97,6 @@ fips_load_crypto() { read -d '' -r FIPSMODULES < /etc/fipsmodules fips_info "Loading and integrity checking all crypto modules" - mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak for _module in $FIPSMODULES; do if [ "$_module" != "tcrypt" ]; then if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then @@ -113,7 +112,10 @@ fips_load_crypto() { fi fi done - mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf + if [ -f /etc/fips.conf ]; then + mkdir -p /run/modprobe.d + cp /etc/fips.conf /run/modprobe.d/fips.conf + fi fips_info "Self testing crypto algorithms" modprobe tcrypt || return 1 diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh index 0e47c84..83fcd56 100755 --- a/modules.d/01fips/module-setup.sh +++ b/modules.d/01fips/module-setup.sh @@ -39,13 +39,10 @@ installkernel() { _fipsmodules+="aead cryptomgr tcrypt crypto_user " fi - # shellcheck disable=SC2174 - mkdir -m 0755 -p "${initdir}/etc/modprobe.d" - for _mod in $_fipsmodules; do if hostonly='' instmods -c -s "$_mod"; then echo "$_mod" >> "${initdir}/etc/fipsmodules" - echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf" + echo "blacklist $_mod" >> "${initdir}/etc/fips.conf" fi done @@ -70,16 +67,4 @@ install() { inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort inst_simple /etc/system-fips - [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \ - || { - dfatal "Cannot create /dev/random" - dfatal "To create an initramfs with fips support, dracut has to run as root" - return 1 - } - [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \ - || { - dfatal "Cannot create /dev/urandom" - dfatal "To create an initramfs with fips support, dracut has to run as root" - return 1 - } } |