author | Harald Hoyer <harald@redhat.com> | 2013-07-31 11:26:46 +0200 |
---|---|---|
committer | Harald Hoyer <harald@redhat.com> | 2013-07-31 11:26:46 +0200 |
commit | 748867d17723ac0e4d3884a9ff5d6e287428e378 (patch) | |
tree | 5b6428ae14083025b5887350fee4c273f877d1dc | |
parent | b806625d4147090d6b553e957b256c59305545f2 (diff) | |
fips: cope with module aliases, when checking modules
Also do not fail, if module aliases try to load CPU specific modules
like crc32c_intel.
-rwxr-xr-x | modules.d/01fips/fips.sh | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index f3cab31c..73a0c8b8 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh @@ -57,6 +57,11 @@ mount_boot() do_fips() { + local _v + local _s + local _v + local _module + KERNEL=$(uname -r) if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then @@ -67,11 +72,25 @@ do_fips() FIPSMODULES=$(cat /etc/fipsmodules) info "Loading and integrity checking all crypto modules" - for module in $FIPSMODULES; do - if [ "$module" != "tcrypt" ]; then - modprobe ${module} + mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak + for _module in $FIPSMODULES; do + if [ "$_module" != "tcrypt" ]; then + if ! modprobe "${_module}"; then + # check if kernel provides generic algo + _found=0 + while read _k _s _v; do + [ "$_k" != "name" -a "$_k" != "driver" ] && continue + [ "$_k" = "driver" ] && _v=$(str_replace "$_v" "_" "-") + [ "$_v" != "$_module" ] && continue + _found=1 + break + done </proc/crypto + [ "$_found" = "0" ] && return 1 + fi fi done + mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf + info "Self testing crypto algorithms" modprobe tcrypt || return 1 rmmod tcrypt |
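Review bot: The declarations added at the top of do_fips() list `local _v` twice, while `_k` and `_found`, which the loop added later in this commit assigns, are never declared local and so leak into the surrounding script's variables. The second `local _v` was presumably meant to be `local _k`, and a `local _found` line belongs beside it. The body of do_fips() continues beyond this hunk.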
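Review bot: The `[ "$_found" = "0" ] && return 1` exit inside the loop leaves `/etc/modprobe.d/fips.conf` renamed to `fips.conf.bak`, because the restoring `mv` only runs once the loop completes; neither `mv` has its exit status checked. Restoring before the return keeps the modprobe configuration intact on the failure path: `[ "$_found" = "0" ] && { mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf; return 1; }`. The fallback also accepts any modprobe failure, whatever its cause, as long as /proc/crypto lists a matching name or driver, so a `warn`-style log line naming the skipped module would leave a trail for whoever audits the integrity check. The driver comparison normalises only `_v` (`_` to `-`) and not `$_module`, which looks as if it cannot match a module name containing an underscore such as the `crc32c_intel` from the commit message; worth confirming against the definition of str_replace, which is not visible here. do_fips() begins and ends outside this hunk.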