summaryrefslogtreecommitdiffstats
path: root/modules.d/01fips
diff options
context:
space:
mode:
Diffstat (limited to 'modules.d/01fips')
-rwxr-xr-xmodules.d/01fips/fips-boot.sh16
-rwxr-xr-xmodules.d/01fips/fips-load-crypto.sh14
-rwxr-xr-xmodules.d/01fips/fips-noboot.sh15
-rwxr-xr-xmodules.d/01fips/fips.sh195
-rwxr-xr-xmodules.d/01fips/module-setup.sh85
5 files changed, 325 insertions, 0 deletions
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh
new file mode 100755
index 0000000..34760e0
--- /dev/null
+++ b/modules.d/01fips/fips-boot.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
+ rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+elif [ -z "$fipsmode" ]; then
+ die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
+elif getarg boot= > /dev/null; then
+ . /sbin/fips.sh
+ fips_info "fips-boot: start"
+ if mount_boot; then
+ do_fips || die "FIPS integrity test failed"
+ fi
+ fips_info "fips-boot: done!"
+fi
diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh
new file mode 100755
index 0000000..6ef42b9
--- /dev/null
+++ b/modules.d/01fips/fips-load-crypto.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
+ rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+elif [ -z "$fipsmode" ]; then
+ die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
+else
+ . /sbin/fips.sh
+ fips_info "fips-load-crypto: start"
+ fips_load_crypto || die "FIPS integrity test failed"
+ fips_info "fips-load-crypto: done!"
+fi
diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh
new file mode 100755
index 0000000..963a034
--- /dev/null
+++ b/modules.d/01fips/fips-noboot.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then
+ rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1
+elif [ -z "$fipsmode" ]; then
+ die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
+elif ! [ -f /tmp/fipsdone ]; then
+ . /sbin/fips.sh
+ fips_info "fips-noboot: start"
+ mount_boot
+ do_fips || die "FIPS integrity test failed"
+ fips_info "fips-noboot: done!"
+fi
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
new file mode 100755
index 0000000..2e7b7cb
--- /dev/null
+++ b/modules.d/01fips/fips.sh
@@ -0,0 +1,195 @@
+#!/bin/sh
+
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+# systemd lets stdout go to journal only, but the system
+# has to halt when the integrity check fails to satisfy FIPS.
+if [ -z "$DRACUT_SYSTEMD" ]; then
+ fips_info() {
+ info "$*"
+ }
+else
+ fips_info() {
+ echo "$*" >&2
+ }
+fi
+
+mount_boot() {
+ boot=$(getarg boot=)
+
+ if [ -n "$boot" ]; then
+ if [ -d /boot ] && ismounted /boot; then
+ boot_dev=
+ if command -v findmnt > /dev/null; then
+ boot_dev=$(findmnt -n -o SOURCE /boot)
+ fi
+ fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}"
+ return 0
+ fi
+
+ case "$boot" in
+ LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*)
+ boot="$(label_uuid_to_dev "$boot")"
+ ;;
+ /dev/*) ;;
+
+ *)
+ die "You have to specify boot=<boot device> as a boot option for fips=1"
+ ;;
+ esac
+
+ if ! [ -e "$boot" ]; then
+ udevadm trigger --action=add > /dev/null 2>&1
+
+ i=0
+ while ! [ -e "$boot" ]; do
+ udevadm settle --exit-if-exists="$boot"
+ [ -e "$boot" ] && break
+ sleep 0.5
+ i=$((i + 1))
+ [ $i -gt 40 ] && break
+ done
+ fi
+
+ [ -e "$boot" ] || return 1
+
+ mkdir -p /boot
+ fips_info "Mounting $boot as /boot"
+ mount -oro "$boot" /boot || return 1
+ FIPS_MOUNTED_BOOT=1
+ elif ! ismounted /boot && [ -d "$NEWROOT/boot" ]; then
+ # shellcheck disable=SC2114
+ rm -fr -- /boot
+ ln -sf "$NEWROOT/boot" /boot
+ else
+ die "You have to specify boot=<boot device> as a boot option for fips=1"
+ fi
+}
+
+do_rhevh_check() {
+ KERNEL=$(uname -r)
+ kpath=${1}
+
+ # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
+ HMAC_SUM_ORIG=$(while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done < "$NEWROOT/boot/.vmlinuz-${KERNEL}.hmac")
+ HMAC_SUM_CALC=$(sha512hmac "$kpath" | while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done || return 1)
+ if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
+ warn "HMAC sum mismatch"
+ return 1
+ fi
+ fips_info "rhevh_check OK"
+ return 0
+}
+
+nonfatal_modprobe() {
+ modprobe "$1" 2>&1 > /dev/stdout \
+ | while read -r line || [ -n "$line" ]; do
+ echo "${line#modprobe: FATAL: }" >&2
+ done
+}
+
+fips_load_crypto() {
+ local _k
+ local _v
+ local _module
+ local _found
+
+ read -d '' -r FIPSMODULES < /etc/fipsmodules
+
+ fips_info "Loading and integrity checking all crypto modules"
+ mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
+ for _module in $FIPSMODULES; do
+ if [ "$_module" != "tcrypt" ]; then
+ if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then
+ # check if kernel provides generic algo
+ _found=0
+ while read -r _k _ _v || [ -n "$_k" ]; do
+ [ "$_k" != "name" -a "$_k" != "driver" ] && continue
+ [ "$_v" != "$_module" ] && continue
+ _found=1
+ break
+ done < /proc/crypto
+ [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1
+ fi
+ fi
+ done
+ mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
+
+ fips_info "Self testing crypto algorithms"
+ modprobe tcrypt || return 1
+ rmmod tcrypt
+}
+
+do_fips() {
+ KERNEL=$(uname -r)
+
+ if ! getarg rd.fips.skipkernel > /dev/null; then
+
+ fips_info "Checking integrity of kernel"
+ if [ -e "/run/initramfs/live/vmlinuz0" ]; then
+ do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
+ elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
+ do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
+ elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then
+ # This is a boot.iso with the .hmac inside the install.img
+ do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1
+ else
+ BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+
+ # On s390x, BOOT_IMAGE isn't a path but an integer representing the
+ # entry number selected. Let's try the root of /boot first, and
+ # otherwise fallback to trying to parse the BLS entries if it's a
+ # BLS-based system.
+ if [ "$(uname -m)" = s390x ]; then
+ if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
+ BOOT_IMAGE="vmlinuz-${KERNEL}"
+ elif [ -d /boot/loader/entries ]; then
+ bls=$(find /boot/loader/entries -name '*.conf' | sort -rV | sed -n "$((BOOT_IMAGE + 1))p")
+ if [ -e "${bls}" ]; then
+ BOOT_IMAGE=$(grep ^linux "${bls}" | cut -d' ' -f2)
+ fi
+ fi
+ fi
+
+ # Trim off any leading GRUB boot device (e.g. ($root) )
+ BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
+
+ BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}"
+ BOOT_IMAGE_PATH="${BOOT_IMAGE%"${BOOT_IMAGE_NAME}"}"
+
+ if [ -z "$BOOT_IMAGE_NAME" ]; then
+ BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
+ elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
+ #if /boot is not a separate partition BOOT_IMAGE might start with /boot
+ BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"}
+ #on some architectures BOOT_IMAGE does not contain path to kernel
+ #so if we can't find anything, let's treat it in the same way as if it was empty
+ if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
+ BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
+ BOOT_IMAGE_PATH=""
+ fi
+ fi
+
+ BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac"
+ if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then
+ warn "${BOOT_IMAGE_HMAC} does not exist"
+ return 1
+ fi
+
+ (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
+ fi
+ fi
+
+ fips_info "All initrd crypto checks done"
+
+ : > /tmp/fipsdone
+
+ if [ "$FIPS_MOUNTED_BOOT" = 1 ]; then
+ fips_info "Unmounting /boot"
+ umount /boot > /dev/null 2>&1
+ else
+ fips_info "Not unmounting /boot"
+ fi
+
+ return 0
+}
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
new file mode 100755
index 0000000..0e47c84
--- /dev/null
+++ b/modules.d/01fips/module-setup.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# called by dracut
+check() {
+ return 255
+}
+
+# called by dracut
+depends() {
+ return 0
+}
+
+# called by dracut
+installkernel() {
+ local _fipsmodules _mod _bootfstype
+ if [[ -f "${srcmods}/modules.fips" ]]; then
+ read -d '' -r _fipsmodules < "${srcmods}/modules.fips"
+ else
+ _fipsmodules=""
+
+ # Hashes:
+ _fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
+ _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
+ _fipsmodules+="crc32c crct10dif ghash "
+
+ # Ciphers:
+ _fipsmodules+="cipher_null des3_ede aes cfb dh ecdh "
+
+ # Modes/templates:
+ _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts "
+
+ # Compression algs:
+ _fipsmodules+="deflate lzo zlib "
+
+ # PRNG algs:
+ _fipsmodules+="ansi_cprng "
+
+ # Misc:
+ _fipsmodules+="aead cryptomgr tcrypt crypto_user "
+ fi
+
+ # shellcheck disable=SC2174
+ mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+
+ for _mod in $_fipsmodules; do
+ if hostonly='' instmods -c -s "$_mod"; then
+ echo "$_mod" >> "${initdir}/etc/fipsmodules"
+ echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"
+ fi
+ done
+
+ # with hostonly_default_device fs module for /boot is not installed by default
+ if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then
+ _bootfstype=$(find_mp_fstype /boot)
+ if [[ -n $_bootfstype ]]; then
+ hostonly='' instmods "$_bootfstype"
+ else
+ dwarning "Can't determine fs type for /boot, FIPS check may fail."
+ fi
+ fi
+}
+
+# called by dracut
+install() {
+ inst_hook pre-pivot 00 "$moddir/fips-boot.sh"
+ inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
+ inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
+ inst_script "$moddir/fips.sh" /sbin/fips.sh
+
+ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort
+
+ inst_simple /etc/system-fips
+ [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
+ || {
+ dfatal "Cannot create /dev/random"
+ dfatal "To create an initramfs with fips support, dracut has to run as root"
+ return 1
+ }
+ [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
+ || {
+ dfatal "Cannot create /dev/urandom"
+ dfatal "To create an initramfs with fips support, dracut has to run as root"
+ return 1
+ }
+}