[PATCH RHEL-5.4 fips] mkinitrd: make sure all crypto modules are loaded before use


 



We need to have verified *all* crypto modules before *any* of them
may be used in fips mode. Since module verification happens at load
time, this patch simply loads them all early on in the initrd.

Regards,

Hans

diff -up mkinitrd-5.1.19.6/mkinitrd.fips2 mkinitrd-5.1.19.6/mkinitrd
--- mkinitrd-5.1.19.6/mkinitrd.fips2	2009-04-24 15:30:02.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd	2009-04-24 15:42:04.000000000 +0200
@@ -42,6 +42,7 @@ VERSION=5.1.19.6
 PROBE="yes"
 MODULES=""
 BOOTMODULES=""
+FIPSMODULES=""
 MODLOOPS=""
 PREMODS=""
 PREINTERFACES=""
@@ -261,11 +262,7 @@ findmodule() {
         modName="${modName##-}"
     fi
 
-    case "$MODULES " in
-        *"/$modName.ko "*) return ;;
-    esac
-
-    case "$BOOTMODULES " in
+    case "$MODULES $BOOTMODULES $FIPSMODULES " in
         *"/$modName.ko "*) return ;;
     esac
 
@@ -1191,6 +1188,17 @@ if [ "$withfips" -eq 1 ]; then
     BOOTMODULES="$MODULES"
     MODULES=""
     vecho "Using /boot modules: $BOOTMODULES"
+
+    FIPSMODULES="aes_generic ansi_cprng cbc ccm ctr des ecb hmac rng"
+    FIPSMODULES="$FIPSMODULES sha256 sha256 cryptomgr crypto_algapi crypto_api"
+    FIPSMODULES="$FIPSMODULES crypto_blkcipher crypto_hash crypto_null"
+    # To resolve deps
+    for n in $FIPSMODULES; do
+        findmodule $n
+    done
+    FIPSMODULES="$MODULES"
+    MODULES=""
+    vecho "Forcibly loading cryptmodules: $FIPSMODULES"
 fi
 
 for n in $PREMODS; do
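Review bot: The second `FIPSMODULES=` line lists `sha256` twice, which looks like a typo for another algorithm; findmodule de-duplicates, so the visible effect is only that whichever module was intended is never added. That matters because this hard-coded list is the whole set that gets loaded and checked early, so a crypto module missing from it would be loaded later without the stop-on-failure step. Please confirm the intended entry and add a comment above the list saying it must name every crypto module the kernel can load in fips mode, e.g. `# Must list every crypto module; anything missing is not verified before first use`. Minor: the vecho text reads "cryptmodules", and `findmodule $n` is better quoted as `findmodule "$n"`.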
@@ -1472,7 +1480,7 @@ inst /sbin/nash "$MNTIMAGE/bin/nash"
 inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
 ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
 
-for MODULE in $BOOTMODULES $MODULES; do
+for MODULE in $BOOTMODULES $FIPSMODULES $MODULES; do
     if [[ "$MODULE" =~ "^iscsi_device_" ]]; then
         continue
     fi
@@ -1737,6 +1745,16 @@ if [ "$withfips" -eq 1 ]; then
     emit "sha512hmac -c /boot/.vmlinuz-$kernel.hmac"
     emit "cond -ne 0 nash-exit 1"
     emit "umount /boot"
+
+    # We need to load all crypt modules here, as they *all* need to
+    # have their signature checked before *any* of them may be used
+    # Also we need to stop booting if any of them fails to load.
+    emit "echo loading and integrity checking all crypto modules"
+    for module in $FIPSMODULES; do
+        emit "insmod /lib/${module##*/}"
+        emit "cond -ne 0 nash-exit 1"
+    done
+    emit "echo loading and integrity checking crypto modules done"
 fi
 
 emit_modules $MODULES
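Review bot: The fail-closed `insmod` / `cond -ne 0 nash-exit 1` pair is emitted only for `$FIPSMODULES`, and with the merged `case` in findmodule any crypto module already present in `$BOOTMODULES` is skipped and never reaches this loop. Those modules are presumably loaded earlier in order to mount /boot; whether that path also aborts on a failed load is not visible in this hunk, so it should be checked. If it does not, a crypto module that is also a /boot dependency could fail verification without stopping the boot. The added comment should also say that the check itself is done by the kernel at load time and the initrd only acts on insmod's exit status, e.g. `# The kernel verifies each module at insmod time; we only abort on a non-zero status`.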
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
