From e096d861ed8d5956152aa0ba48ca17fb2de6efe0 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Mon, 6 Jul 2020 16:36:42 +0200
Subject: [PATCH] 01fips: turn info calls into fips_info calls
systemd lets stdout go to journal only. Usually, this is desired
behavior to ensure that plymouth does not get disrupted.
However in the 01fips case, the system has to halt when the integrity
check fails to satisfy FIPS requirements. So the user will not be able
to inspect the journal.
As this is special to the fips module, we introduce a fips_info() which
works like info(), but diverts the output to stderr when running with
systemd.
Reference: bsc#1164076
---
modules.d/01fips/fips.sh | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
|
|
index 37cde0c0..f46da5c6 100755
|
|
--- a/modules.d/01fips/fips.sh
|
|
+++ b/modules.d/01fips/fips.sh
|
|
@@ -1,5 +1,17 @@
|
|
#!/bin/sh
|
|
|
|
+# systemd lets stdout go to journal only, but the system
|
|
+# has to halt when the integrity check fails to satisfy FIPS.
|
|
+if [ -z "$DRACUT_SYSTEMD" ]; then
|
|
+ fips_info() {
|
|
+ info "$*"
|
|
+ }
|
|
+else
|
|
+ fips_info() {
|
|
+ echo "$*" >&2
|
|
+ }
|
|
+fi
|
|
+
|
|
mount_boot()
|
|
{
|
|
boot=$(getarg boot=)
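Review bot: The systemd branch of `fips_info` at the top of the hunk prints with `echo "$*"`, which under `#!/bin/sh` may interpret a leading `-n`/`-e` or backslash escapes depending on the implementation; `printf '%s\n' "$*" >&2` is the portable form and emits arbitrary message text verbatim. The messages passed today all begin with fixed words, so this is robustness rather than a live bug, but `$boot` is read from the kernel command line via `getarg` and later interpolated into one of them. It would also help to state the assumption the whole split rests on in the comment above the `if`, since nothing here verifies it: `# stderr is assumed to reach the console (not only the journal) under systemd`. mount_boot() continues outside the hunk.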
|
|
@@ -45,7 +57,7 @@ mount_boot()
|
|
[ -e "$boot" ] || return 1
|
|
|
|
mkdir /boot
|
|
- info "Mounting $boot as /boot"
|
|
+ fips_info "Mounting $boot as /boot"
|
|
mount -oro "$boot" /boot || return 1
|
|
elif [ -d "$NEWROOT/boot" ]; then
|
|
rm -fr -- /boot
|
|
@@ -65,7 +77,7 @@ do_rhevh_check()
|
|
warn "HMAC sum mismatch"
|
|
return 1
|
|
fi
|
|
- info "rhevh_check OK"
|
|
+ fips_info "rhevh_check OK"
|
|
return 0
|
|
}
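Review bot: The failure branch of do_rhevh_check keeps `warn "HMAC sum mismatch"` while only the success message moves to `fips_info`; if `warn` is routed the same way `info` is under `$DRACUT_SYSTEMD`, the one message a user of a halted system actually needs is the one that stays invisible. Please confirm where `warn` writes in the systemd case and, if it lands in the journal, give it the same stderr fallback or additionally emit the reason through the new helper, e.g. `fips_info "HMAC sum mismatch"` before the `return 1`. The head of do_rhevh_check is outside the hunk.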
|
|
|
|
@@ -81,7 +93,7 @@ fips_load_crypto()
|
|
{
|
|
FIPSMODULES=$(cat /etc/fipsmodules)
|
|
|
|
- info "Loading and integrity checking all crypto modules"
|
|
+ fips_info "Loading and integrity checking all crypto modules"
|
|
mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
|
|
for _module in $FIPSMODULES; do
|
|
if [ "$_module" != "tcrypt" ]; then
|
|
@@ -100,7 +112,7 @@ fips_load_crypto()
|
|
done
|
|
mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
|
|
|
|
- info "Self testing crypto algorithms"
|
|
+ fips_info "Self testing crypto algorithms"
|
|
modprobe tcrypt || return 1
|
|
rmmod tcrypt
|
|
}
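Review bot: `modprobe tcrypt || return 1` directly after the new `fips_info "Self testing crypto algorithms"` still fails silently, so a self-test failure — the FIPS halt case this commit is meant to make visible — announces its start but never its failure. A message on the failure path, e.g. `modprobe tcrypt || { fips_info "crypto self test (tcrypt) failed"; return 1; }`, would give the halted user the reason on the console. The head of fips_load_crypto is outside the hunk.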
|
|
@@ -114,7 +126,7 @@ do_fips()
|
|
|
|
KERNEL=$(uname -r)
|
|
|
|
- info "Checking integrity of kernel"
|
|
+ fips_info "Checking integrity of kernel"
|
|
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
|
|
do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
|
|
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
|
|
@@ -153,7 +165,7 @@ do_fips()
|
|
(cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
|
|
fi
|
|
|
|
- info "All initrd crypto checks done"
|
|
+ fips_info "All initrd crypto checks done"
|
|
|
|
> /tmp/fipsdone
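Review bot: The kernel-image HMAC check at the top of the hunk, `(cd ... && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1`, still returns without any message, so the path where the system halts because the integrity check failed is the one path that prints nothing; only the success line `All initrd crypto checks done` was moved to `fips_info`. Consider `|| { fips_info "HMAC verification of ${BOOT_IMAGE_HMAC} failed"; return 1; }` so the user can see which check failed before the halt. do_fips begins outside the hunk, and the `> /tmp/fipsdone` marker is reached only after all checks pass.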
|
|
|
|
|