From 3a1abe58f68fbdee31f7370314432ff903954daa Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Thu, 13 Jul 2017 16:56:14 +0200
Subject: [PATCH] switch fips checking to use the libkcapi based fipscheck
toolset.
---
modules.d/01fips/fips.sh | 19 ++++++++++++++++---
modules.d/01fips/module-setup.sh | 10 ++++++++++
suse/dracut.spec | 1 +
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index ddf03994..081dba95 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -57,9 +57,15 @@ do_rhevh_check()
{
KERNEL=$(uname -r)
kpath=${1}
-
+ FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+ if [ ! -f $FIPSCHECK ]; then
+ FIPSCHECK=/usr/lib/libkcapi/fipscheck
+ fi
+ if [ ! -f $FIPSCHECK ]; then
+ FIPSCHECK=/usr/bin/fipscheck
+ fi
# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
- if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
+ if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then
warn "HMAC sum mismatch"
return 1
fi
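Review bot: The lookup added at the top of do_rhevh_check fails open: the third fallback `/usr/bin/fipscheck` is assigned without an existence test, so when none of the candidates is present `if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL}` fails as command-not-found, the condition is false, and the function continues as if the HMAC had verified. Testing the last candidate too and returning 1 when none is executable keeps the check fail-closed; the same block is repeated verbatim in do_fips (second hunk of this file), so a shared helper such as the one below removes the duplication for both callers. The `then warn "HMAC sum mismatch"` branch also runs on the tool's success status, which is how the removed `fipscheck` line already behaved; if the libkcapi fipscheck exits 0 on a matching HMAC, as the older standalone tool does, that branch is inverted and should read `if ! "$FIPSCHECK" "$NEWROOT/boot/vmlinuz-${KERNEL}"; then`, which is worth confirming against the tool before changing. do_rhevh_check's body continues beyond the hunk.
```shell
# Pick the first executable fipscheck; returns non-zero when none exists so
# callers fail closed instead of skipping the verification.
find_fipscheck() {
    for FIPSCHECK in /usr/lib64/libkcapi/fipscheck /usr/lib/libkcapi/fipscheck /usr/bin/fipscheck; do
        [ -x "$FIPSCHECK" ] && return 0
    done
    warn "fipscheck binary not found"
    return 1
}

do_rhevh_check()
{
    KERNEL=$(uname -r)
    kpath=${1}
    find_fipscheck || return 1
    # … unchanged: RHEV-H comment, HMAC check and return 1 …
```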
@@ -81,6 +87,13 @@ do_fips()
fi
KERNEL=$(uname -r)
+ FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+ if [ ! -f $FIPSCHECK ]; then
+ FIPSCHECK=/usr/lib/libkcapi/fipscheck
+ fi
+ if [ ! -f $FIPSCHECK ]; then
+ FIPSCHECK=/usr/bin/fipscheck
+ fi
if ! [ -e "/boot/.${_vmname}-${KERNEL}.hmac" ]; then
warn "/boot/.${_vmname}-${KERNEL}.hmac does not exist"
@@ -134,7 +147,7 @@ do_fips()
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
else
- fipscheck "/boot/${_vmname}-${KERNEL}" || return 1
+ $FIPSCHECK "/boot/${_vmname}-${KERNEL}" || return 1
fi
info "All initrd crypto checks done"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index beeb2f6d..9e5eca4f 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -24,6 +24,7 @@ installkernel() {
_fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic "
_fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
_fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+ _fipsmodules+="algif_hash af_alg crypto_user "
mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
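Review bot: The added `_fipsmodules+="algif_hash af_alg crypto_user "` line carries no comment, and unlike the cipher and hash modules around it these three are not algorithms but the kernel interfaces the new userspace tool talks to, which a later maintainer trimming the list would not know. A one-line comment above it, `# AF_ALG socket interface and crypto netlink API used by the libkcapi-based fipscheck`, records why they are required. installkernel() begins and ends outside the hunk.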
@@ -54,9 +55,18 @@ install() {
.libgcrypt.so.20.hmac \
libfreeblpriv3.so libfreeblpriv3.chk
+ if [ -f /usr/lib64/libkcapi/.fipscheck.hmac ]; then
+ inst_simple /usr/lib64/libkcapi/.fipscheck.hmac
+ inst_simple /usr/lib64/libkcapi/fipscheck
+ else
+ inst_simple /usr/lib/libkcapi/.fipscheck.hmac
+ inst_simple /usr/lib/libkcapi/fipscheck
+ fi
+
# we do not use prelink at SUSE
#inst_multiple -o prelink
inst_simple /etc/system-fips
+
}
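Review bot: The `else` branch added in install() copies `/usr/lib/libkcapi/.fipscheck.hmac` and `/usr/lib/libkcapi/fipscheck` without checking that they exist, so on a system with neither layout the build proceeds and fips.sh will fall back to `/usr/bin/fipscheck`, which this hunk does not install (it may come from the `inst_multiple` list whose tail is the hunk's leading context; that cannot be confirmed from here). `inst_simple` copies only the named file, so if the libkcapi fipscheck is dynamically linked against libkcapi.so, its shared-library dependencies are missed and the tool cannot run in the initrd; `inst_binary` resolves them. Making the second path an `elif` and failing the module with a diagnostic when neither exists turns a silent runtime fallback into a build-time error, as sketched below; the integrity of the copied HMAC sidecar relies on the binary and its `.fipscheck.hmac` coming from the same package directory, which the paired paths preserve. install() begins outside the hunk.
```shell
    # Install the libkcapi fipscheck with its own HMAC sidecar; inst_binary
    # also pulls in the shared libraries the tool is linked against.
    if [ -f /usr/lib64/libkcapi/.fipscheck.hmac ]; then
        inst_simple /usr/lib64/libkcapi/.fipscheck.hmac
        inst_binary /usr/lib64/libkcapi/fipscheck
    elif [ -f /usr/lib/libkcapi/.fipscheck.hmac ]; then
        inst_simple /usr/lib/libkcapi/.fipscheck.hmac
        inst_binary /usr/lib/libkcapi/fipscheck
    else
        dfatal "libkcapi fipscheck not found; cannot build a FIPS-verifying initrd"
        return 1
    fi
    # … unchanged: prelink comment, inst_simple /etc/system-fips …
```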
--
2.12.3