fix(fips): do not blindly remove /boot #86
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `mount_boot` method called from fips-noboot.sh in the pre-pivot hook blindly executes `rm -rf /boot` if there is no `boot=` command line parameter, without first checking that /boot is not already mounted by other means. feat(fips): add progress messages This allows to better understand at what point a FIPS integrity test failed. Signed-off-by: Raymund Will <[email protected]> fix(fips): only unmount /boot if it was mounted by the fips module The `do_fips` method should only unmount /boot if it was mounted in the `mount_boot` method. In addition, now the `mount_boot` method checks if /boot is already mounted. Signed-off-by: Raymund Will <[email protected]> fix(fips): move fips-boot script to pre-pivot This is needed in s390x to be able to use the same `boot=` command line parameter in grub and zipl. Otherwise, `boot=` would need to be added only to `grub.cfg` (not `/etc/default/grub` and thereby not to `/boot/zipl/config`). Signed-off-by: Raymund Will <[email protected]> (Cherry-picked commits: 91974e8ff116c7fd9f99963780dba501535700f5 a71e518fa1f14a9b96ae62ce90714ccd7d307d97 1cdb4cb8b5fb7f74e5be6998f9b561fbf73909e0 cd2a1d4571b2f768f2b67d03fd77191795042402) Resolves: RHEL-45913
|
LGTM. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
mount_bootmethod called from fips-noboot.sh in the pre-pivot hook blindlyexecutes
rm -rf /bootif there is noboot=command line parameter, withoutfirst checking that /boot is not already mounted by other means.
feat(fips): add progress messages
This allows to better understand at what point a FIPS integrity test failed.
Signed-off-by: Raymund Will [email protected]
fix(fips): only unmount /boot if it was mounted by the fips module
The
do_fipsmethod should only unmount /boot if it was mounted in themount_bootmethod.In addition, now the
mount_bootmethod checks if /boot is already mounted.Signed-off-by: Raymund Will [email protected]
fix(fips): move fips-boot script to pre-pivot
This is needed in s390x to be able to use the same
boot=command lineparameter in grub and zipl. Otherwise,
boot=would need to be added only togrub.cfg(not/etc/default/gruband thereby not to/boot/zipl/config).Signed-off-by: Raymund Will [email protected]
(Cherry-picked commits:
91974e8ff116c7fd9f99963780dba501535700f5
a71e518fa1f14a9b96ae62ce90714ccd7d307d97
1cdb4cb8b5fb7f74e5be6998f9b561fbf73909e0
cd2a1d4571b2f768f2b67d03fd77191795042402)
Resolves: RHEL-45913