Re: [PATCH mkinitrd 5.4 fips] Fix kernel integrity check on ia64 (#505111)

Peter Jones <pjones@xxxxxxxxxx> · Wed, 17 Jun 2009 11:02:38 -0400

On 06/16/2009 01:53 PM, Hans de Goede wrote:
> 
> diff -up mkinitrd-5.1.19.6/mkinitrd.rh505111 mkinitrd-5.1.19.6/mkinitrd
> --- mkinitrd-5.1.19.6/mkinitrd.rh505111	2009-06-12 09:30:55.000000000 +0200
> +++ mkinitrd-5.1.19.6/mkinitrd	2009-06-12 09:58:59.000000000 +0200
> @@ -1173,11 +1173,18 @@ if [ $TMPDIR = "/root" -o $TMPDIR = "${P
>  fi
>  
>  if [ "$withfips" -eq 1 ]; then
> -    bootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/boot") { print $3; }}' $fstab)
> -    bootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "/boot") { print $1; }}' $fstab)
> +    if [ "$(uname -m)" == "ia64" ]; then
> +        BOOT=/boot/efi
> +        HMAC_PATH=/boot/efi/efi/redhat
> +    else
> +        BOOT=/boot
> +        HMAC_PATH=/boot
> +    fi
> +    bootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "'$BOOT'") { print $3; }}' $fstab)
> +    bootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "'$BOOT'") { print $1; }}' $fstab)
>  
>      if [ -z "$bootfs" ]; then
> -        error "ERROR: fips without a separate /boot partition is not supported!"
> +        error "ERROR: fips without a separate $BOOT partition is not supported!"
>          exit 1
>      fi
>  
> @@ -1193,7 +1200,7 @@ if [ "$withfips" -eq 1 ]; then
>  
>      BOOTMODULES="$MODULES"
>      MODULES=""
> -    vecho "Using /boot modules: $BOOTMODULES"
> +    vecho "Using $BOOT modules: $BOOTMODULES"
>  
>      FIPSMODULES="aead aes_generic -aes-x86_64 ansi_cprng cbc ccm chainiv ctr"
>      FIPSMODULES="$FIPSMODULES des deflate ecb eseqiv hmac seqiv sha256 sha512"
> @@ -1751,12 +1758,15 @@ emit "mkblkdevs"
>  
>  if [ "$withfips" -eq 1 ]; then
>      emit_modules $BOOTMODULES
> -    emit "echo Mounting /boot and integrity checking the kernel"
> +    emit "echo Mounting $BOOT and integrity checking the kernel"
>      emit "mkdir /boot"
> -    emit "mount -t $bootfs -o ro $bootdev /boot"
> -    emit "sha512hmac -c /boot/.vmlinuz-$kernel.hmac"
> +    if [ "$(uname -m)" == "ia64" ]; then
> +        emit "mkdir /boot/efi"
> +    fi
> +    emit "mount -t $bootfs -o ro $bootdev $BOOT"
> +    emit "sha512hmac -c $HMAC_PATH/.vmlinuz-$kernel.hmac"
>      emit "cond -ne 0 nash-exit 1"
> -    emit "umount /boot"
> +    emit "umount $BOOT"
>  
>      # We need to load all crypt modules here, as they *all* need to
>      # have their signature checked before *any* of them may be used

Looks good.

-- 
        Peter

I'd like to start a religion. That's where the money is.
		-- L. Ron Hubbard to Lloyd Eshbach, in 1949;
			quoted by Eshbach in _Over My Shoulder_.

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list