Diffstat (limited to '')
-rwxr-xr-xmodules.d/01fips/fips-boot.sh2
-rwxr-xr-xmodules.d/01fips/fips-load-crypto.sh2
-rwxr-xr-xmodules.d/01fips/fips-noboot.sh2
-rwxr-xr-xmodules.d/01fips/fips.sh6
-rwxr-xr-xmodules.d/01fips/module-setup.sh17
5 files changed, 8 insertions, 21 deletions
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh
index 34760e0..d703a10 100755
--- a/modules.d/01fips/fips-boot.sh
+++ b/modules.d/01fips/fips-boot.sh
@@ -3,7 +3,7 @@
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
- rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+ :
elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif getarg boot= > /dev/null; then
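Review bot: The first branch is now a bare `:`, which reads like a forgotten cleanup to anyone who does not know the history; the same placeholder appears in the fips-load-crypto.sh and fips-noboot.sh hunks. A short comment would make the intent explicit, for example `: # FIPS not requested: no blacklist has been installed, nothing to undo`. That wording assumes the blacklist is only ever written to /run/modprobe.d from fips_load_crypto, as the fips.sh hunk in this commit suggests. The if/elif chain continues outside the hunk.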
diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
index 6ef42b9..d1d90c8 100755
--- a/modules.d/01fips/fips-load-crypto.sh
+++ b/modules.d/01fips/fips-load-crypto.sh
@@ -3,7 +3,7 @@
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
- rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+ :
elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
else
diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh
index 963a034..319da90 100755
--- a/modules.d/01fips/fips-noboot.sh
+++ b/modules.d/01fips/fips-noboot.sh
@@ -3,7 +3,7 @@
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
- rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+ :
elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif ! [ -f /tmp/fipsdone ]; then
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 2e7b7cb..c81c2a6 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -97,7 +97,6 @@ fips_load_crypto() {
read -d '' -r FIPSMODULES < /etc/fipsmodules
fips_info "Loading and integrity checking all crypto modules"
- mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
for _module in $FIPSMODULES; do
if [ "$_module" != "tcrypt" ]; then
if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then
@@ -113,7 +112,10 @@ fips_load_crypto() {
fi
fi
done
- mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
+ if [ -f /etc/fips.conf ]; then
+ mkdir -p /run/modprobe.d
+ cp /etc/fips.conf /run/modprobe.d/fips.conf
+ fi
fips_info "Self testing crypto algorithms"
modprobe tcrypt || return 1
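Review bot: The results of `mkdir -p /run/modprobe.d` and `cp /etc/fips.conf /run/modprobe.d/fips.conf` are not checked, so a failed copy leaves the module blacklist missing while fips_load_crypto carries on to the self test as if nothing had happened. The line just below already fails closed with `modprobe tcrypt || return 1`; the same would fit here: `mkdir -p /run/modprobe.d || return 1` and `cp /etc/fips.conf /run/modprobe.d/fips.conf || return 1`. It is also worth confirming two behaviour changes: the blacklist used to sit in /etc/modprobe.d for the whole initramfs apart from the load loop and now takes effect only from this point, and because it lives under /run it presumably outlives the initramfs. A comment saying both are intended would help. The function starts and ends outside the hunk.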
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 0e47c84..83fcd56 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -39,13 +39,10 @@ installkernel() {
_fipsmodules+="aead cryptomgr tcrypt crypto_user "
fi
- # shellcheck disable=SC2174
- mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
-
for _mod in $_fipsmodules; do
if hostonly='' instmods -c -s "$_mod"; then
echo "$_mod" >> "${initdir}/etc/fipsmodules"
- echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
+ echo "blacklist $_mod" >> "${initdir}/etc/fips.conf"
fi
done
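Review bot: `${initdir}/etc/fips.conf` is now a staging file whose only consumer appears to be the `[ -f /etc/fips.conf ]` copy in fips.sh, and nothing at the echo line says so. Because that consumer skips silently when the file is absent, a later rename on either side would drop the blacklist without any error. I would add a comment above the echo such as `# staged here; fips.sh copies it to /run/modprobe.d/fips.conf after the crypto modules are loaded`. installkernel starts and ends outside the hunk.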
@@ -70,16 +67,4 @@ install() {
inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort
inst_simple /etc/system-fips
- [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
- || {
- dfatal "Cannot create /dev/random"
- dfatal "To create an initramfs with fips support, dracut has to run as root"
- return 1
- }
- [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
- || {
- dfatal "Cannot create /dev/urandom"
- dfatal "To create an initramfs with fips support, dracut has to run as root"
- return 1
- }
}