diff options
Diffstat (limited to 'modules.d/01fips')
-rwxr-xr-x | modules.d/01fips/fips-boot.sh | 16 | ||||
-rwxr-xr-x | modules.d/01fips/fips-load-crypto.sh | 14 | ||||
-rwxr-xr-x | modules.d/01fips/fips-noboot.sh | 15 | ||||
-rwxr-xr-x | modules.d/01fips/fips.sh | 195 | ||||
-rwxr-xr-x | modules.d/01fips/module-setup.sh | 85 |
5 files changed, 325 insertions, 0 deletions
diff --git a/modules.d/01fips/fips-boot.sh b/modules.d/01fips/fips-boot.sh new file mode 100755 index 0000000..34760e0 --- /dev/null +++ b/modules.d/01fips/fips-boot.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then + rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 +elif [ -z "$fipsmode" ]; then + die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" +elif getarg boot= > /dev/null; then + . /sbin/fips.sh + fips_info "fips-boot: start" + if mount_boot; then + do_fips || die "FIPS integrity test failed" + fi + fips_info "fips-boot: done!" +fi diff --git a/modules.d/01fips/fips-load-crypto.sh b/modules.d/01fips/fips-load-crypto.sh new file mode 100755 index 0000000..6ef42b9 --- /dev/null +++ b/modules.d/01fips/fips-load-crypto.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then + rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 +elif [ -z "$fipsmode" ]; then + die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" +else + . /sbin/fips.sh + fips_info "fips-load-crypto: start" + fips_load_crypto || die "FIPS integrity test failed" + fips_info "fips-load-crypto: done!" +fi diff --git a/modules.d/01fips/fips-noboot.sh b/modules.d/01fips/fips-noboot.sh new file mode 100755 index 0000000..963a034 --- /dev/null +++ b/modules.d/01fips/fips-noboot.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ]; then + rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 +elif [ -z "$fipsmode" ]; then + die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" +elif ! [ -f /tmp/fipsdone ]; then + . /sbin/fips.sh + fips_info "fips-noboot: start" + mount_boot + do_fips || die "FIPS integrity test failed" + fips_info "fips-noboot: done!" +fi diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh new file mode 100755 index 0000000..2e7b7cb --- /dev/null +++ b/modules.d/01fips/fips.sh @@ -0,0 +1,195 @@ +#!/bin/sh + +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +# systemd lets stdout go to journal only, but the system +# has to halt when the integrity check fails to satisfy FIPS. +if [ -z "$DRACUT_SYSTEMD" ]; then + fips_info() { + info "$*" + } +else + fips_info() { + echo "$*" >&2 + } +fi + +mount_boot() { + boot=$(getarg boot=) + + if [ -n "$boot" ]; then + if [ -d /boot ] && ismounted /boot; then + boot_dev= + if command -v findmnt > /dev/null; then + boot_dev=$(findmnt -n -o SOURCE /boot) + fi + fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}" + return 0 + fi + + case "$boot" in + LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*) + boot="$(label_uuid_to_dev "$boot")" + ;; + /dev/*) ;; + + *) + die "You have to specify boot=<boot device> as a boot option for fips=1" + ;; + esac + + if ! [ -e "$boot" ]; then + udevadm trigger --action=add > /dev/null 2>&1 + + i=0 + while ! [ -e "$boot" ]; do + udevadm settle --exit-if-exists="$boot" + [ -e "$boot" ] && break + sleep 0.5 + i=$((i + 1)) + [ $i -gt 40 ] && break + done + fi + + [ -e "$boot" ] || return 1 + + mkdir -p /boot + fips_info "Mounting $boot as /boot" + mount -oro "$boot" /boot || return 1 + FIPS_MOUNTED_BOOT=1 + elif ! ismounted /boot && [ -d "$NEWROOT/boot" ]; then + # shellcheck disable=SC2114 + rm -fr -- /boot + ln -sf "$NEWROOT/boot" /boot + else + die "You have to specify boot=<boot device> as a boot option for fips=1" + fi +} + +do_rhevh_check() { + KERNEL=$(uname -r) + kpath=${1} + + # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0 + HMAC_SUM_ORIG=$(while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done < "$NEWROOT/boot/.vmlinuz-${KERNEL}.hmac") + HMAC_SUM_CALC=$(sha512hmac "$kpath" | while read -r a _ || [ -n "$a" ]; do printf "%s\n" "$a"; done || return 1) + if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then + warn "HMAC sum mismatch" + return 1 + fi + fips_info "rhevh_check OK" + return 0 +} + +nonfatal_modprobe() { + modprobe "$1" 2>&1 > /dev/stdout \ + | while read -r line || [ -n "$line" ]; do + echo "${line#modprobe: FATAL: }" >&2 + done +} + +fips_load_crypto() { + local _k + local _v + local _module + local _found + + read -d '' -r FIPSMODULES < /etc/fipsmodules + + fips_info "Loading and integrity checking all crypto modules" + mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak + for _module in $FIPSMODULES; do + if [ "$_module" != "tcrypt" ]; then + if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then + # check if kernel provides generic algo + _found=0 + while read -r _k _ _v || [ -n "$_k" ]; do + [ "$_k" != "name" -a "$_k" != "driver" ] && continue + [ "$_v" != "$_module" ] && continue + _found=1 + break + done < /proc/crypto + [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1 + fi + fi + done + mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf + + fips_info "Self testing crypto algorithms" + modprobe tcrypt || return 1 + rmmod tcrypt +} + +do_fips() { + KERNEL=$(uname -r) + + if ! getarg rd.fips.skipkernel > /dev/null; then + + fips_info "Checking integrity of kernel" + if [ -e "/run/initramfs/live/vmlinuz0" ]; then + do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1 + elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then + do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1 + elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then + # This is a boot.iso with the .hmac inside the install.img + do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1 + else + BOOT_IMAGE="$(getarg BOOT_IMAGE)" + + # On s390x, BOOT_IMAGE isn't a path but an integer representing the + # entry number selected. Let's try the root of /boot first, and + # otherwise fallback to trying to parse the BLS entries if it's a + # BLS-based system. + if [ "$(uname -m)" = s390x ]; then + if [ -e "/boot/vmlinuz-${KERNEL}" ]; then + BOOT_IMAGE="vmlinuz-${KERNEL}" + elif [ -d /boot/loader/entries ]; then + bls=$(find /boot/loader/entries -name '*.conf' | sort -rV | sed -n "$((BOOT_IMAGE + 1))p") + if [ -e "${bls}" ]; then + BOOT_IMAGE=$(grep ^linux "${bls}" | cut -d' ' -f2) + fi + fi + fi + + # Trim off any leading GRUB boot device (e.g. ($root) ) + BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')" + + BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}" + BOOT_IMAGE_PATH="${BOOT_IMAGE%"${BOOT_IMAGE_NAME}"}" + + if [ -z "$BOOT_IMAGE_NAME" ]; then + BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then + #if /boot is not a separate partition BOOT_IMAGE might start with /boot + BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"} + #on some architectures BOOT_IMAGE does not contain path to kernel + #so if we can't find anything, let's treat it in the same way as if it was empty + if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then + BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + BOOT_IMAGE_PATH="" + fi + fi + + BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac" + if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then + warn "${BOOT_IMAGE_HMAC} does not exist" + return 1 + fi + + (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1 + fi + fi + + fips_info "All initrd crypto checks done" + + : > /tmp/fipsdone + + if [ "$FIPS_MOUNTED_BOOT" = 1 ]; then + fips_info "Unmounting /boot" + umount /boot > /dev/null 2>&1 + else + fips_info "Not unmounting /boot" + fi + + return 0 +} diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh new file mode 100755 index 0000000..0e47c84 --- /dev/null +++ b/modules.d/01fips/module-setup.sh @@ -0,0 +1,85 @@ +#!/bin/bash + +# called by dracut +check() { + return 255 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +installkernel() { + local _fipsmodules _mod _bootfstype + if [[ -f "${srcmods}/modules.fips" ]]; then + read -d '' -r _fipsmodules < "${srcmods}/modules.fips" + else + _fipsmodules="" + + # Hashes: + _fipsmodules+="sha1 sha224 sha256 sha384 sha512 " + _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 " + _fipsmodules+="crc32c crct10dif ghash " + + # Ciphers: + _fipsmodules+="cipher_null des3_ede aes cfb dh ecdh " + + # Modes/templates: + _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts " + + # Compression algs: + _fipsmodules+="deflate lzo zlib " + + # PRNG algs: + _fipsmodules+="ansi_cprng " + + # Misc: + _fipsmodules+="aead cryptomgr tcrypt crypto_user " + fi + + # shellcheck disable=SC2174 + mkdir -m 0755 -p "${initdir}/etc/modprobe.d" + + for _mod in $_fipsmodules; do + if hostonly='' instmods -c -s "$_mod"; then + echo "$_mod" >> "${initdir}/etc/fipsmodules" + echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf" + fi + done + + # with hostonly_default_device fs module for /boot is not installed by default + if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then + _bootfstype=$(find_mp_fstype /boot) + if [[ -n $_bootfstype ]]; then + hostonly='' instmods "$_bootfstype" + else + dwarning "Can't determine fs type for /boot, FIPS check may fail." + fi + fi +} + +# called by dracut +install() { + inst_hook pre-pivot 00 "$moddir/fips-boot.sh" + inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" + inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" + inst_script "$moddir/fips.sh" /sbin/fips.sh + + inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort + + inst_simple /etc/system-fips + [ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \ + || { + dfatal "Cannot create /dev/random" + dfatal "To create an initramfs with fips support, dracut has to run as root" + return 1 + } + [ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \ + || { + dfatal "Cannot create /dev/urandom" + dfatal "To create an initramfs with fips support, dracut has to run as root" + return 1 + } +} |