Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(fips): do not blindly remove /boot #86

Merged
merged 1 commit into from
Jul 16, 2024
+26 −3
Merged

fix(fips): do not blindly remove /boot #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-boot.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif getarg boot= > /dev/null; then
. /sbin/fips.sh
fips_info "fips-boot: start"
if mount_boot; then
do_fips || die "FIPS integrity test failed"
fi
fips_info "fips-boot: done!"
fi
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-load-crypto.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,7 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
else
. /sbin/fips.sh
fips_info "fips-load-crypto: start"
fips_load_crypto || die "FIPS integrity test failed"
fips_info "fips-load-crypto: done!"
fi
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-noboot.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif ! [ -f /tmp/fipsdone ]; then
. /sbin/fips.sh
fips_info "fips-noboot: start"
mount_boot
do_fips || die "FIPS integrity test failed"
fips_info "fips-noboot: done!"
fi
21 changes: 19 additions & 2 deletions modules.d/01fips/fips.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,15 @@ mount_boot() {
boot=$(getarg boot=)

if [ -n "$boot" ]; then
if [ -d /boot ] && ismounted /boot; then
boot_dev=
if command -v findmnt > /dev/null; then
boot_dev=$(findmnt -n -o SOURCE /boot)
fi
fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}"
return 0
fi

case "$boot" in
LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*)
boot="$(label_uuid_to_dev "$boot")"
Expand Down Expand Up @@ -47,10 +56,13 @@ mount_boot() {
mkdir -p /boot
fips_info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
elif [ -d "$NEWROOT/boot" ]; then
FIPS_MOUNTED_BOOT=1
elif ! ismounted /boot && [ -d "$NEWROOT/boot" ]; then
# shellcheck disable=SC2114
rm -fr -- /boot
ln -sf "$NEWROOT/boot" /boot
else
die "You have to specify boot=<boot device> as a boot option for fips=1"
fi
}

Expand Down Expand Up @@ -179,7 +191,12 @@ do_fips() {

: > /tmp/fipsdone

umount /boot > /dev/null 2>&1
if [ "$FIPS_MOUNTED_BOOT" = 1 ]; then
fips_info "Unmounting /boot"
umount /boot > /dev/null 2>&1
else
fips_info "Not unmounting /boot"
fi

return 0
}
2 changes: 1 addition & 1 deletion modules.d/01fips/module-setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ installkernel() {

# called by dracut
install() {
inst_hook pre-mount 01 "$moddir/fips-boot.sh"
inst_hook pre-pivot 00 "$moddir/fips-boot.sh"
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
Expand Down
Loading