
[PATCH mkinitrd 5.4 fips] Fix kernel integrity check on ia64 (#505111)



diff -up mkinitrd-5.1.19.6/mkinitrd.rh505111 mkinitrd-5.1.19.6/mkinitrd
--- mkinitrd-5.1.19.6/mkinitrd.rh505111	2009-06-12 09:30:55.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd	2009-06-12 09:58:59.000000000 +0200
@@ -1173,11 +1173,18 @@ if [ $TMPDIR = "/root" -o $TMPDIR = "${P
 fi
 
 if [ "$withfips" -eq 1 ]; then
-    bootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/boot") { print $3; }}' $fstab)
-    bootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "/boot") { print $1; }}' $fstab)
+    if [ "$(uname -m)" == "ia64" ]; then
+        BOOT=/boot/efi
+        HMAC_PATH=/boot/efi/efi/redhat
+    else
+        BOOT=/boot
+        HMAC_PATH=/boot
+    fi
+    bootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "'$BOOT'") { print $3; }}' $fstab)
+    bootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "'$BOOT'") { print $1; }}' $fstab)
 
     if [ -z "$bootfs" ]; then
-        error "ERROR: fips without a separate /boot partition is not supported!"
+        error "ERROR: fips without a separate $BOOT partition is not supported!"
         exit 1
     fi
 
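Review bot: The two awk calls build their program text by closing the single quotes around an unquoted `$BOOT` (`"'$BOOT'"`), and `$fstab` is unquoted too. `$BOOT` is one of two literals here, so nothing breaks today, but the pattern invites awk code injection or word splitting if either value ever comes from a less controlled source. Passing the value as data is safer: `bootfs=$(awk -v boot="$BOOT" '{ if ($1 !~ /^[ \t]*#/ && $2 == boot) { print $3; }}' "$fstab")`, with the same `-v boot="$BOOT"` and `$2 == boot` form for `bootdev`. `==` inside `[ ]` is a bash extension, so `[ "$(uname -m)" = "ia64" ]` is the portable spelling; the script's interpreter line is not visible in this hunk. The `if [ "$withfips" -eq 1 ]` block continues past the end of the hunk.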
@@ -1193,7 +1200,7 @@ if [ "$withfips" -eq 1 ]; then
 
     BOOTMODULES="$MODULES"
     MODULES=""
-    vecho "Using /boot modules: $BOOTMODULES"
+    vecho "Using $BOOT modules: $BOOTMODULES"
 
     FIPSMODULES="aead aes_generic -aes-x86_64 ansi_cprng cbc ccm chainiv ctr"
     FIPSMODULES="$FIPSMODULES des deflate ecb eseqiv hmac seqiv sha256 sha512"
@@ -1751,12 +1758,15 @@ emit "mkblkdevs"
 
 if [ "$withfips" -eq 1 ]; then
     emit_modules $BOOTMODULES
-    emit "echo Mounting /boot and integrity checking the kernel"
+    emit "echo Mounting $BOOT and integrity checking the kernel"
     emit "mkdir /boot"
-    emit "mount -t $bootfs -o ro $bootdev /boot"
-    emit "sha512hmac -c /boot/.vmlinuz-$kernel.hmac"
+    if [ "$(uname -m)" == "ia64" ]; then
+        emit "mkdir /boot/efi"
+    fi
+    emit "mount -t $bootfs -o ro $bootdev $BOOT"
+    emit "sha512hmac -c $HMAC_PATH/.vmlinuz-$kernel.hmac"
     emit "cond -ne 0 nash-exit 1"
-    emit "umount /boot"
+    emit "umount $BOOT"
 
     # We need to load all crypt modules here, as they *all* need to
     # have their signature checked before *any* of them may be used
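Review bot: The emitted `sha512hmac -c $HMAC_PATH/.vmlinuz-$kernel.hmac` now reads the check file from a different directory on ia64, but nothing documents the assumption the integrity check rests on: that the file name recorded inside that .hmac resolves, inside the initrd, to the kernel on the partition just mounted at `$BOOT`. I would add a comment above it such as `# .hmac must name the kernel by a path valid under $BOOT in the initrd; a mismatch fails the check and nash exits`, after confirming what path the ia64 kernel package records. The mount's own status is not tested; that presumably still fails closed because a missing .hmac makes sha512hmac return non-zero, which is worth stating in the same comment. The second `uname -m` test could reuse the earlier result, e.g. `if [ "$BOOT" != "/boot" ]; then emit "mkdir $BOOT"; fi`. The `if [ "$withfips" -eq 1 ]` block starts inside the hunk and continues beyond it.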
