Hi All, This patch adds kernel integrity checking to the generated initrd. As you can see, it tries to do this as early as possible; this must be this way, as the kernel must be checked before crypto-related kernel functions (or modules) are used (or loaded). Regards, Hans
diff -up mkinitrd-5.1.19.6/mkinitrd.fips mkinitrd-5.1.19.6/mkinitrd
--- mkinitrd-5.1.19.6/mkinitrd.fips 2009-04-17 13:40:54.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd 2009-04-19 13:42:03.000000000 +0200
@@ -41,6 +41,7 @@ VERSION=5.1.19.6
 PROBE="yes"
 MODULES=""
+BOOTMODULES=""
 MODLOOPS=""
 PREMODS=""
 PREINTERFACES=""
@@ -74,6 +75,7 @@ modulefile=/etc/modules.conf
 [ "$ARCH" == "s390" ] && withusb=0 || withusb=1
 [ "$MULTIPATH" == "no" ] && withmpath=0 || withmpath=1
 [ "$DMRAID" == "no" ] && withdmraid=0 || withdmraid=1
+withfips=$(cat /proc/sys/crypto/fips_enabled)
 rc=0
 IMAGESIZE=8000
@@ -114,7 +116,7 @@ usage () {
 $cmd " [--force-ide-probe] [--force-scsi-probe | --omit-scsi-modules]"
 $cmd " [--image-version] [--force-raid-probe | --omit-raid-modules]"
 $cmd " [--with=<module>] [--force-lvm-probe | --omit-lvm-modules]"
- $cmd " [--builtin=<module>] [--net-dev=<interface>]"
+ $cmd " [--builtin=<module>] [--net-dev=<interface>] [--with-fips]"
 $cmd " [--without-usb] [--without-multipath] [--without-dmraid]"
 $cmd " [--fstab=<fstab>] [--nocompress] <initrd-image> <kernel-version>"
 $cmd ""
@@ -263,6 +265,10 @@ findmodule() {
 *"/$modName.ko "*) return ;;
 esac
+ case "$BOOTMODULES " in
+ *"/$modName.ko "*) return ;;
+ esac
+
 if echo $builtins | egrep -q '(^| )'$modName'( |$)' ; then
 vecho "module $modName assumed to be built in"
 return
@@ -908,6 +914,10 @@ while [ $# -gt 0 ]; do
 fi
 ;;
+ --with-fips)
+ withfips=1
+ ;;
+
 --with-usb*)
 if [ "$1" != "${1##--with-usb=}" ]; then
 usbmodule=${1##--with-usb=}
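Review bot: `withfips=$(cat /proc/sys/crypto/fips_enabled)` leaves withfips empty on a kernel that does not expose that sysctl entry, and every later `[ "$withfips" -eq 1 ]` test (the /boot-detection, sha512hmac-install and emit hunks further down) then prints an "integer expression expected" error on each run instead of quietly treating fips as off. Default to 0 and read the file only when it is present: `withfips=0` followed by `[ -r /proc/sys/crypto/fips_enabled ] && withfips=$(cat /proc/sys/crypto/fips_enabled)`. This is top-level script code, so the fallback also covers the case where `--with-fips` is never passed.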
@@ -1159,6 +1169,30 @@ if [ $TMPDIR = "/root" -o $TMPDIR = "${P
 error "WARNING: using $TMPDIR for temporary files"
 fi
+if [ "$withfips" -eq 1 ]; then
+ if ! grep -q /boot $fstab; then
+ error "ERROR: fips without a separate /boot partition is not supported!"
+ exit 1
+ fi
+
+ bootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/boot") { print $3; }}' $fstab)
+ bootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "/boot") { print $1; }}' $fstab)
+
+ # in case the boot filesystem is modular
+ findmodule -${bootfs}
+
+ if [[ "$bootdev" =~ ^(LABEL=|UUID=) ]]; then
+ devname=$(resolve_device_name $bootdev)
+ findstoragedriver ${devname##/dev/}
+ else
+ findstoragedriver ${bootdev##/dev/}
+ fi
+
+ BOOTMODULES="$MODULES"
+ MODULES=""
+ vecho "Using /boot modules: $BOOTMODULES"
+fi
+
 for n in $PREMODS; do
 findmodule $n
 done
@@ -1438,7 +1472,7 @@ inst /sbin/nash "$MNTIMAGE/bin/nash"
 inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
 ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
-for MODULE in $MODULES; do
+for MODULE in $BOOTMODULES $MODULES; do
 if [[ "$MODULE" =~ "^iscsi_device_" ]]; then
 continue
 fi
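Review bot: The guard `grep -q /boot $fstab` is looser than the lookup below it: it also matches commented-out lines and longer mount points such as /boot/efi, while both awk expressions require `$2 == "/boot"` exactly, so bootfs and bootdev can still be empty after the check passes. That leaves `findmodule -${bootfs}` with a bare `-` and, in the emit hunk further down, a `mount -t  -o ro  /boot` line in the nash script, so the integrity check would fail at boot for a reason that is never reported at build time. Move the error after the two awk lines and test their output instead: `if [ -z "$bootfs" -o -z "$bootdev" ]; then` / `error "ERROR: fips without a separate /boot partition is not supported!"; exit 1` / `fi`. Note also that a LABEL=/UUID= spec is resolved to devname only for findstoragedriver, while the emitted mount still receives the unresolved $bootdev, which is fine only if nash's mount resolves such specs itself — worth confirming. This block is top-level script code, not inside a function.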
@@ -1615,6 +1649,38 @@ if [ $ncryptodevs -ne 0 ]; then
 fi
 fi
+if [ "$withfips" -eq 1 ]; then
+ set -e
+ inst /usr/bin/sha512hmac $MNTIMAGE/bin/sha512hmac
+ # sha512mac is dynamically linked and uses dlopen-ed .so files,
+ # this must be this way for libnss fips cert.
+ libs=$(ldd /usr/bin/sha512hmac | cut -d ' ' -f 3)
+ ld_linux=$(ldd /usr/bin/sha512hmac | cut -d ' ' -f 1 | grep ld-linux)
+ if echo "$libs" | grep -q lib64; then
+ libdir="lib64"
+ else
+ libdir="lib"
+ fi
+ libs="$libs $ld_linux"
+ libs="$libs /usr/$libdir/libsoftokn3.so /usr/$libdir/libsoftokn3.chk"
+ libs="$libs /usr/$libdir/libfreebl3.so /usr/$libdir/libfreebl3.chk"
+
+ for lib in $libs; do
+ basename=$(basename $lib)
+ while [ -L $lib ]; do
+ lib=$(readlink $lib)
+ done
+ inst $lib $MNTIMAGE/$libdir/$basename
+ done
+
+ inst /usr/$libdir/hmaccalc/sha512hmac.hmac $MNTIMAGE/usr/$libdir/hmaccalc/sha512hmac.hmac
+
+ # sha512hmac needs prelink to unprelink itself for verification
+ inst /usr/sbin/prelink $MNTIMAGE/sbin/prelink
+ inst /etc/prelink.conf $MNTIMAGE/etc/prelink.conf
+ set +e
+fi
+
 echo -n >| $RCFILE
 cemit << EOF
 #!/bin/nash
@@ -1633,6 +1699,7 @@ mkdir /dev/mapper
 echo Creating initial device nodes
 mknod /dev/null c 1 3
 mknod /dev/zero c 1 5
+mknod /dev/urandom c 1 9
 mknod /dev/systty c 4 0
 mknod /dev/tty c 5 0
 mknod /dev/console c 5 1
@@ -1662,6 +1729,16 @@ emit "hotplug"
 emit "echo Creating block device nodes."
 emit "mkblkdevs"
+if [ "$withfips" -eq 1 ]; then
+ emit_modules $BOOTMODULES
+ emit "echo Mounting /boot and integrity checking the kernel"
+ emit "mkdir /boot"
+ emit "mount -t $bootfs -o ro $bootdev /boot"
+ emit "sha512hmac -c /boot/.vmlinuz-$kernel.hmac"
+ emit "cond -ne 0 nash-exit 1"
+ emit "umount /boot"
+fi
+
 emit_modules $MODULES
 #if [ -n "$vg_list" ]; then
diff -up mkinitrd-5.1.19.6/mkinitrd.8.fips mkinitrd-5.1.19.6/mkinitrd.8
--- mkinitrd-5.1.19.6/mkinitrd.8.fips 2009-04-20 11:41:45.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd.8 2009-04-20 11:41:09.000000000 +0200
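Review bot: The symlink loop `while [ -L $lib ]; do lib=$(readlink $lib); done` stops after one step when a link target is relative (the usual layout for libc.so.6 → libc-2.x.so and for the ld-linux loader), leaving lib as a bare file name that the following `inst $lib ...` cannot find from mkinitrd's working directory; unless inst resolves links itself, that aborts the whole build under the surrounding `set -e` with no message. Resolving the path canonically once is enough: `lib=$(readlink -f -- "$lib")` in place of the loop, and basename is already taken from the original name before the loop, so the installed file keeps the soname the loader looks up. The `set -e`/`set +e` bracket also hides which inst call failed; a `|| error ...` on each inst would turn a missing libsoftokn3.chk or prelink into a reported build error rather than a silent abort, which matters because a truncated initrd here disables the integrity test rather than failing closed. The if block is complete within the hunk.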
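Review bot: The emitted check is the security-relevant step of this patch and should carry a comment saying what it does and does not guarantee, e.g. `# FIPS integrity test: mount /boot read-only and verify the on-disk kernel against its HMAC file on the same partition; any failure stops boot (nash-exit 1). The initrd itself is not verified by this step.` The emitted mount line has no `cond` after it; a failed mount should still be caught because the sha512hmac line then fails on a missing file, but that coupling deserves either the comment or an explicit `emit "cond -ne 0 nash-exit 1"` after the mount so the failure is reported as a mount problem. Whether `sha512hmac -c` resolves the file names listed in the .hmac relative to the .hmac file's directory or to the current directory is not visible here; if the latter, the nash script's cwd would have to be /boot for the check to pass — worth confirming before this ships. The if block is complete within the hunk.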
@@ -8,6 +8,7 @@ mkinitrd \- creates initial ramdisk imag [--with=\fImodule\fR] [--image-version] [--fstab=\fIfstab\fR] [--nocompress] [--builtin=\fImodule\fR] [--nopivot]
+ [--with-fips]
 \fIimage\fR \fIkernel-version\fR
 .SH DESCRIPTION
@@ -28,6 +29,19 @@ specification is allowed. If a label is the initrd will search all available devices for an ext2 or ext3 filesystem with the appropriate label, and mount that device as the root filesystem.
+.SH FIPS
+\fBmkinitrd\fR will add kernel integrity checking to the created initrd
+if the system is running in fips mode. You can force adding kernel integrity
+checking to the created initrd, with the \fB-\-with-fips\fR commandline option.
+
+There are a number of limitations to \fBmkinitrd\fR's fips support:
+.TP
+\fB/boot\fR
+Must be on a separate partition
+.TP
+\fB/boot\fR
+Must \fBnot\fR be on \fInfs\fR, \fIdmraid\fR or \fImdraid\fR
+
 .SH OPTIONS
 .TP
 \fB-\-builtin=\fR\fImodule\fR
@@ -99,6 +113,10 @@ gets loaded after any SCSI modules which \fI/etc/modprobe.conf\fR. This option may be used as many times as necessary.
+.TP
+\fB-\--with-fips\fR
+Force adding kernel integrity checking to the created initrd.
+
 .SH FILES
 .PD 0
 .TP 20