2014-08-15 11:38:18 +00:00
|
|
|
From 6a85f188d671723ad76bb729307c12e89199b7bd Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: Marcus Meissner <meissner@suse.com>
|
|
|
|
|
Date: Thu, 14 Aug 2014 16:13:55 +0200
|
|
|
|
|
Subject: Switch from Mozilla NSS sha256hmac checking to fipscheck as
|
|
|
|
|
recommended
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Thomas Renninger <trenn@suse.de>
|
|
|
|
|
---
|
|
|
|
|
modules.d/01fips/fips.sh | 6 ++----
|
|
|
|
|
modules.d/01fips/module-setup.sh | 13 +++++++------
|
|
|
|
|
2 files changed, 9 insertions(+), 10 deletions(-)
|
|
|
|
|
|
2015-03-31 14:12:12 +00:00
|
|
|
Index: dracut-041/modules.d/01fips/fips.sh
|
|
|
|
|
===================================================================
|
|
|
|
|
--- dracut-041.orig/modules.d/01fips/fips.sh 2015-03-18 13:56:05.453753422 +0100
|
|
|
|
|
+++ dracut-041/modules.d/01fips/fips.sh 2015-03-18 13:59:59.386939913 +0100
|
|
|
|
|
@@ -59,9 +59,7 @@
|
2014-08-15 11:38:18 +00:00
|
|
|
kpath=${1}
|
|
|
|
|
|
|
|
|
|
# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
|
|
|
|
|
- HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done)
|
|
|
|
|
- HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1)
|
|
|
|
|
- if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
|
|
|
|
|
+ if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
|
|
|
|
|
warn "HMAC sum mismatch"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
2015-03-31 14:12:12 +00:00
|
|
|
@@ -126,7 +124,7 @@
|
2014-08-15 11:38:18 +00:00
|
|
|
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
|
|
|
|
|
do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
|
|
|
|
|
else
|
|
|
|
|
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
|
|
|
|
|
+ fipscheck "/boot/vmlinuz-${KERNEL}" || return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
info "All initrd crypto checks done"
|
2015-03-31 14:12:12 +00:00
|
|
|
Index: dracut-041/modules.d/01fips/module-setup.sh
|
|
|
|
|
===================================================================
|
|
|
|
|
--- dracut-041.orig/modules.d/01fips/module-setup.sh 2015-03-18 13:56:05.457753647 +0100
|
|
|
|
|
+++ dracut-041/modules.d/01fips/module-setup.sh 2015-03-18 14:10:06.717187740 +0100
|
|
|
|
|
@@ -21,7 +21,7 @@
|
2014-08-15 11:38:18 +00:00
|
|
|
_fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 "
|
|
|
|
|
_fipsmodules+="ghash-clmulni-intel "
|
|
|
|
|
|
|
|
|
|
- _fipsmodules+="drbg "
|
|
|
|
|
+ _fipsmodules+="drbg"
|
|
|
|
|
|
|
|
|
|
mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
|
|
|
|
|
|
2015-03-31 14:12:12 +00:00
|
|
|
@@ -40,15 +40,16 @@
|
2014-08-15 11:38:18 +00:00
|
|
|
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
|
|
|
|
|
inst_script "$moddir/fips.sh" /sbin/fips.sh
|
|
|
|
|
|
|
|
|
|
- inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck
|
2015-03-31 14:12:12 +00:00
|
|
|
+ inst_multiple rmmod insmod mount uname umount fipscheck
|
2014-08-15 11:38:18 +00:00
|
|
|
|
|
|
|
|
- inst_libdir_file libsoftokn3.so libsoftokn3.so \
|
|
|
|
|
- libsoftokn3.chk libfreebl3.so libfreebl3.chk \
|
|
|
|
|
- libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
|
|
|
|
|
+ inst_libdir_file \
|
|
|
|
|
+ fipscheck .fipscheck.hmac \
|
|
|
|
|
+ libfipscheck.so.1 \
|
|
|
|
|
+ .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
|
|
|
|
|
+ libcrypto.so.1.0.0 libssl.so.1.0.0 \
|
|
|
|
|
.libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
|
|
|
|
|
.libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
|
|
|
|
|
.libgcrypt.so.20.hmac \
|
|
|
|
|
- .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac
|
2015-03-31 14:12:12 +00:00
|
|
|
libfreeblpriv3.so libfreeblpriv3.chk
|
2014-08-15 11:38:18 +00:00
|
|
|
|
|
|
|
|
# we do not use prelink at SUSE
|
