SUSE:SLE-15-SP1:GA
File 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch of Package dracut.12460
From 3a1abe58f68fbdee31f7370314432ff903954daa Mon Sep 17 00:00:00 2001 From: Marcus Meissner <meissner@suse.de> Date: Thu, 13 Jul 2017 16:56:14 +0200 Subject: [PATCH] switch fips checking to use the libkcapi based fipscheck toolset. --- modules.d/01fips/fips.sh | 19 ++++++++++++++++--- modules.d/01fips/module-setup.sh | 10 ++++++++++ suse/dracut.spec | 1 + 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index ddf03994..081dba95 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh @@ -57,9 +57,15 @@ do_rhevh_check() { KERNEL=$(uname -r) kpath=${1} - + FIPSCHECK=/usr/lib64/libkcapi/fipscheck + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/lib/libkcapi/fipscheck + fi + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/bin/fipscheck + fi # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0 - if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then + if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then warn "HMAC sum mismatch" return 1 fi @@ -81,6 +87,13 @@ do_fips() fi KERNEL=$(uname -r) + FIPSCHECK=/usr/lib64/libkcapi/fipscheck + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/lib/libkcapi/fipscheck + fi + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/bin/fipscheck + fi if ! [ -e "/boot/.${_vmname}-${KERNEL}.hmac" ]; then warn "/boot/.${_vmname}-${KERNEL}.hmac does not exist" @@ -134,7 +147,7 @@ do_fips() elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1 else - fipscheck "/boot/${_vmname}-${KERNEL}" || return 1 + $FIPSCHECK "/boot/${_vmname}-${KERNEL}" || return 1 fi info "All initrd crypto checks done" diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh index beeb2f6d..9e5eca4f 100755 --- a/modules.d/01fips/module-setup.sh +++ b/modules.d/01fips/module-setup.sh 
@@ -24,6 +24,7 @@ installkernel() { _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic " _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic " _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc " + _fipsmodules+="algif_hash af_alg crypto_user " mkdir -m 0755 -p "${initdir}/etc/modprobe.d" @@ -54,9 +55,18 @@ install() { .libgcrypt.so.20.hmac \ libfreeblpriv3.so libfreeblpriv3.chk + if [ -f /usr/lib64/libkcapi/.fipscheck.hmac ]; then + inst_simple /usr/lib64/libkcapi/.fipscheck.hmac + inst_simple /usr/lib64/libkcapi/fipscheck + else + inst_simple /usr/lib/libkcapi/.fipscheck.hmac + inst_simple /usr/lib/libkcapi/fipscheck + fi + # we do not use prelink at SUSE #inst_multiple -o prelink inst_simple /etc/system-fips + } -- 2.12.3
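Review bot: in the do_rhevh_check hunk of modules.d/01fips/fips.sh, the condition `if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then` takes the "HMAC sum mismatch" branch when the check exits 0 and falls past it on any non-zero exit. That includes the case where none of the probed paths exists, because the last fallback `/usr/bin/fipscheck` is assigned without an existence test. Negate the test (`if ! "$FIPSCHECK" ...`) and fail explicitly when no fipscheck binary is found. In the visible lines `kpath=${1}` is also never used, so the RHEV-H kernel path passed by the caller is not the file being checked.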
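Review bot: the do_fips() hunk at `@@ -81,6 +87,13 @@` of fips.sh repeats verbatim the seven-line FIPSCHECK probe already added to do_rhevh_check; move it into one helper function, or set FIPSCHECK once at the top of the script, so the two copies cannot drift apart. In the same block, quote the variable in the tests (`[ ! -f "$FIPSCHECK" ]`) and prefer `-x` over `-f`, since the file is about to be executed.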
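Review bot: at `$FIPSCHECK "/boot/${_vmname}-${KERNEL}" || return 1` in the `@@ -134,7 +147,7 @@` hunk of fips.sh, a missing fipscheck binary and a genuine HMAC mismatch both end in a silent `return 1`. Emit a `warn` naming the file that failed before returning, as the `.hmac` existence test earlier in do_fips() does, and quote `"$FIPSCHECK"` at the call site.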
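Review bot: the added `_fipsmodules+="algif_hash af_alg crypto_user "` line in installkernel() (modules.d/01fips/module-setup.sh) has no comment saying why these three modules are pulled in. Going by the commit subject they are there for the libkcapi fipscheck; say so next to the line so they are not dropped the next time the module list is pruned.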
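Review bot: the install() hunk of module-setup.sh has an unguarded else branch: when /usr/lib64/libkcapi/.fipscheck.hmac is absent it calls inst_simple on the /usr/lib/libkcapi files without testing that they exist, and nothing in this hunk installs /usr/bin/fipscheck, which fips.sh uses as its last fallback. Test each candidate explicitly and fail the module install (or install the /usr/bin fallback) when neither libkcapi copy is present, so an initrd cannot be built without the checker that fips.sh will call. The condition also looks only at the .hmac file and not at fipscheck itself, and the hunk adds a stray blank line before the closing brace.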