
PATCH [mkinitrd, rhel-5, fips]: fips-self-test-crypto-algos.patch



Hi all,

This patch adds the tcrypt module to the initrd and loads
it after all other crypto modules have been loaded, so
that the crypto self checks get run.

Regards,

Hans
diff -up mkinitrd-5.1.19.6/mkinitrd~ mkinitrd-5.1.19.6/mkinitrd
--- mkinitrd-5.1.19.6/mkinitrd~	2009-05-11 09:48:10.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd	2009-05-11 11:08:57.000000000 +0200
@@ -1190,8 +1190,8 @@ if [ "$withfips" -eq 1 ]; then
     vecho "Using /boot modules: $BOOTMODULES"
 
     FIPSMODULES="aead aes_generic -aes-x86_64 ansi_cprng cbc ccm chainiv ctr"
-    FIPSMODULES="$FIPSMODULES des ecb eseqiv hmac seqiv sha256 sha512"
-    FIPSMODULES="$FIPSMODULES cryptomgr crypto_null"
+    FIPSMODULES="$FIPSMODULES des deflate ecb eseqiv hmac seqiv sha256 sha512"
+    FIPSMODULES="$FIPSMODULES cryptomgr crypto_null tcrypt"
     # To resolve deps (and in case of aes-x86_64 see if it exists)
     for n in $FIPSMODULES; do
         findmodule $n
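Review bot: the first changed FIPSMODULES line also adds deflate, which the commit message does not mention; it only talks about tcrypt. Please state in the message or in a comment above the list why deflate is needed, so a later cleanup does not drop it. Also, putting tcrypt into FIPSMODULES is what forces the tcrypt.ko special case in the load loop further down; keeping the self-test module in its own variable would avoid that exclusion.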
@@ -1687,6 +1687,11 @@ if [ "$withfips" -eq 1 ]; then
     # sha512hmac needs prelink to unprelink itself for verification
     inst /usr/sbin/prelink $MNTIMAGE/sbin/prelink
     inst /etc/prelink.conf $MNTIMAGE/etc/prelink.conf
+
+    # rmmod to rmmod tcrypt when we're done with it. Note rmmod is also
+    # dynmically linked, but sha512hmac already brings in all needed libs
+    inst /sbin/rmmod $MNTIMAGE/bin/rmmod
+
     set +e
 fi
 
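Review bot: the new comment above the inst /sbin/rmmod line has a typo ("dynmically") and its opening ("rmmod to rmmod tcrypt") is hard to read; something like "Install rmmod so we can unload tcrypt when we're done with it" would be clearer. The comment also relies on sha512hmac happening to bring in every library rmmod links against, and nothing in this hunk checks that. Consider resolving rmmod's libraries explicitly so the initrd does not depend on another binary's dependency set staying the same.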
@@ -1750,12 +1755,18 @@ if [ "$withfips" -eq 1 ]; then
     # We need to load all crypt modules here, as they *all* need to
     # have their signature checked before *any* of them may be used
     # Also we need to stop booting if any of them fails to load.
-    emit "echo loading and integrity checking all crypto modules"
+    emit "echo Loading and integrity checking all crypto modules"
     for module in $FIPSMODULES; do
-        emit "insmod /lib/${module##*/}"
-        emit "cond -ne 0 nash-exit 1"
+        if [ "${module##*/}" != "tcrypt.ko" ]; then
+            emit "insmod /lib/${module##*/}"
+            emit "cond -ne 0 nash-exit 1"
+        fi
     done
-    emit "echo loading and integrity checking crypto modules done"
+    emit "echo Self testing crypto algorithms"
+    emit "insmod /lib/tcrypt.ko noexit=1"
+    emit "cond -ne 0 nash-exit 1"
+    emit "rmmod tcrypt"
+    emit "echo All initrd crypto checks done"
 fi
 
 emit_modules $MODULES
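Review bot: the emitted "rmmod tcrypt" is not followed by a "cond -ne 0 nash-exit 1" line, unlike every insmod in this block, so a failed unload goes unnoticed and tcrypt stays loaded. If ignoring the result is intended, say so in a comment; otherwise add the check. Also, rmmod is installed to $MNTIMAGE/bin/rmmod in the earlier hunk but invoked here without a path, so this depends on /bin being searched by the init script; emitting /bin/rmmod would remove that assumption. The block's leading comment still only describes signature checking and should mention the self-test step as well.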
diff -up mkinitrd-5.1.19.6/mkinitrd.8~ mkinitrd-5.1.19.6/mkinitrd.8
--- mkinitrd-5.1.19.6/mkinitrd.8~	2009-05-11 11:34:52.000000000 +0200
+++ mkinitrd-5.1.19.6/mkinitrd.8	2009-05-11 11:35:10.000000000 +0200
@@ -30,11 +30,13 @@ the initrd will search all available dev
 with the appropriate label, and mount that device as the root filesystem.
 
 .SH FIPS
-\fBmkinitrd\fR will add kernel integrity checking to the created initrd
-if the system is running in fips mode. The integrity is checked by running
-"sha512hmac -c /boot/.vmlinuz-\fIkernel-version\fR.hmac" from the initrd. You
-can force adding kernel integrity checking to the created initrd with the
-\fB-\-with-fips\fR commandline option.
+\fBmkinitrd\fR will add a number of checks to the created initrd if the system
+is running in fips mode. First the kernel gets integrity checked by running
+"sha512hmac -c /boot/.vmlinuz-\fIkernel-version\fR.hmac" from the initrd. Then
+all the crypto algorithm modules get loaded using the embedded signature to
+integrity check them, and last the tcrypt module gets loaded which runs self
+tests on all approved crypto algorithms. You can force mkinitrd to add these
+checks to a created initrd with the \fB-\-with-fips\fR commandline option.
 
 There are a number of limitations to \fBmkinitrd\fR's fips support:
 .TP
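Review bot: the rewritten FIPS paragraph lists the three checks but never says what happens when one of them fails. The script change emits "cond -ne 0 nash-exit 1" after each module load and after the tcrypt load, so the man page should state that boot is aborted on failure. The new text also says tcrypt tests "all approved crypto algorithms" without saying which those are; pointing at the module list used by mkinitrd, or dropping "all", would keep the documentation from promising more than the script visibly does.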
