Merge pull request openSUSE#263 from aafeijoo-suse/055-bsc1204478
fix(fips): `fips=1` and separate `/boot` break s390x (bsc#1204478) (055)
aafeijoo-suse authored Apr 26, 2023
2 parents ccf7fbc + 706e7f5 commit 9bf52df
Showing 5 changed files with 26 additions and 3 deletions.
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-boot.sh
Expand Up @@ -8,7 +8,9 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif getarg boot= > /dev/null; then
. /sbin/fips.sh
fips_info "fips-boot: start"
if mount_boot; then
do_fips || die "FIPS integrity test failed"
fi
fips_info "fips-boot: done!"
fi
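Review bot: The new `fips-boot: done!` message on the line before `fi` is emitted even when `mount_boot` fails and `do_fips` is skipped, so the log then reads as if the integrity check had run. An `else` arm on the `if mount_boot` block, e.g. `else fips_info "fips-boot: /boot not mounted, integrity check skipped"`, would make the deferred case (presumably picked up by fips-noboot.sh, which is keyed on /tmp/fipsdone) visible in the log. The enclosing `if`/`elif` chain starts above the hunk.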
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-load-crypto.sh
Expand Up @@ -8,5 +8,7 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
else
. /sbin/fips.sh
fips_info "fips-load-crypto: start"
fips_load_crypto || die "FIPS integrity test failed"
fips_info "fips-load-crypto: done!"
fi
2 changes: 2 additions & 0 deletions modules.d/01fips/fips-noboot.sh
Expand Up @@ -8,6 +8,8 @@ elif [ -z "$fipsmode" ]; then
die "FIPS mode have to be enabled by 'fips=1' not just 'fips'"
elif ! [ -f /tmp/fipsdone ]; then
. /sbin/fips.sh
fips_info "fips-noboot: start"
mount_boot
do_fips || die "FIPS integrity test failed"
fips_info "fips-noboot: done!"
fi
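Review bot: `mount_boot` is called without checking its status on the line after the new `fips-noboot: start` message, whereas fips-boot.sh guards `do_fips` with `if mount_boot`. `mount_boot` returns 1 when the mount itself fails (`mount -oro "$boot" /boot || return 1` in fips.sh), so here the integrity check then runs with no /boot and presumably fails with the generic 'FIPS integrity test failed' rather than a message naming the cause. `mount_boot || die "FIPS: could not mount /boot"` would fail closed with a precise reason. The enclosing `if`/`elif` chain starts above the hunk.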
21 changes: 19 additions & 2 deletions modules.d/01fips/fips.sh
Expand Up @@ -31,6 +31,15 @@ mount_boot() {
boot=$(getarg boot=)

if [ -n "$boot" ]; then
if [ -d /boot ] && ismounted /boot; then
boot_dev=
if command -v findmnt > /dev/null; then
boot_dev=$(findmnt -n -o SOURCE /boot)
fi
fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}"
return 0
fi

case "$boot" in
LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*)
boot="$(label_uuid_to_dev "$boot")"
Expand Down Expand Up @@ -60,10 +69,13 @@ mount_boot() {
mkdir -p /boot
fips_info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
elif [ -d "$NEWROOT/boot" ]; then
FIPS_MOUNTED_BOOT=1
elif ! ismounted /boot && [ -d "$NEWROOT/boot" ]; then
# shellcheck disable=SC2114
rm -fr -- /boot
ln -sf "$NEWROOT/boot" /boot
else
die "You have to specify boot=<boot device> as a boot option for fips=1"
fi
}

Expand Down Expand Up @@ -228,7 +240,12 @@ do_fips() {

: > /tmp/fipsdone

umount /boot > /dev/null 2>&1
if [ "$FIPS_MOUNTED_BOOT" = 1 ]; then
fips_info "Unmounting /boot"
umount /boot > /dev/null 2>&1
else
fips_info "Not unmounting /boot"
fi

return 0
}
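Review bot: In the first hunk, when /boot is already mounted the explicit `boot=` device is ignored and the integrity check in `do_fips` runs against whatever filesystem is at /boot; the `findmnt` result is used only for the log message and never compared with the requested device. A mismatch between `boot=` and the mounted source should at least be logged, since an operator reading the kernel command line would otherwise assume the check covered the device they named; resolving `$boot` the same way the `case` arms below do allows the comparison, though `readlink -f` availability in the initramfs would need confirming. Separately, in the second hunk an already-mounted /boot is accepted in the `boot=` path but falls through to the `else`/`die` arm when `boot=` is absent, because `! ismounted /boot` now guards the symlink branch — if that is not intended, an `elif ismounted /boot; then return 0` arm is missing. `mount_boot` begins above the first hunk.
```shell
            # … unchanged: findmnt lookup of boot_dev …
            if [ -n "$boot_dev" ]; then
                case "$boot" in
                    LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*) wanted=$(label_uuid_to_dev "$boot") ;;
                    *) wanted=$boot ;;
                esac
                if [ "$(readlink -f "$wanted")" != "$(readlink -f "$boot_dev")" ]; then
                    fips_info "WARNING: boot=$boot does not match '$boot_dev' mounted on /boot"
                fi
            fi
            fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}"
```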
2 changes: 1 addition & 1 deletion modules.d/01fips/module-setup.sh
Expand Up @@ -66,7 +66,7 @@ installkernel() {

# called by dracut
install() {
inst_hook pre-mount 01 "$moddir/fips-boot.sh"
inst_hook pre-pivot 00 "$moddir/fips-boot.sh"
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
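Review bot: The hook move from `pre-mount 01` to `pre-pivot 00` carries no comment, so a reader now sees two near-identical pre-pivot hooks at priorities 00 and 01 and has to reconstruct from fips-noboot.sh that the second is a fallback keyed on /tmp/fipsdone. A one-line comment above the two `inst_hook pre-pivot` lines would record both the ordering dependency and the reason for the move, e.g. `# fips-boot.sh runs first and writes /tmp/fipsdone; fips-noboot.sh is the fallback without boot= (moved from pre-mount, bsc#1204478)`. The `install()` body continues below the hunk.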
