boot="$(echo $boot | sed 's,/,\\x2f,g')"
boot="/dev/disk/by-label/${boot#LABEL=}"
boot="/dev/disk/by-uuid/${boot#UUID=}"
boot="/dev/disk/by-partuuid/${boot#PARTUUID=}"
boot="/dev/disk/by-partlabel/${boot#PARTLABEL=}"
die "You have to specify boot=<boot device> as a boot option for fips=1" ;;
if ! [ -e "$boot" ]; then
udevadm trigger --action=add >/dev/null 2>&1
[ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version | { read v _ ; echo $v ; })
if [ $UDEVVERSION -ge 143 ]; then
udevadm settle --exit-if-exists=$boot
udevadm settle --timeout=30
[ -e "$boot" ] || return 1
info "Mounting $boot as /boot"
mount -oro "$boot" /boot || return 1
elif [ -d "$NEWROOT/boot" ]; then
ln -sf "$NEWROOT/boot" /boot
# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done)
HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b || [ -n "$a" ]; do printf "%s\n" $a; done || return 1)
if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
FIPSMODULES=$(cat /etc/fipsmodules)
info "Loading and integrity checking all crypto modules"
mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
for _module in $FIPSMODULES; do
if [ "$_module" != "tcrypt" ]; then
if ! modprobe "${_module}" 2>/tmp/fips.modprobe_err; then
# check if kernel provides generic algo
while read _k _s _v || [ -n "$_k" ]; do
[ "$_k" != "name" -a "$_k" != "driver" ] && continue
[ "$_v" != "$_module" ] && continue
[ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1
mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf
info "Self testing crypto algorithms"
modprobe tcrypt || return 1
info "Checking integrity of kernel"
if [ -e "/run/initramfs/live/vmlinuz0" ]; then
do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
BOOT_IMAGE="$(getarg BOOT_IMAGE)"
# On s390x, BOOT_IMAGE isn't a path but an integer representing the
# entry number selected. Let's try the root of /boot first, and
# otherwise fallback to trying to parse the BLS entries if it's a
if [ "$(uname -m)" = s390x ]; then
if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
BOOT_IMAGE="vmlinuz-${KERNEL}"
elif [ -d /boot/loader/entries ]; then
for bls in $(ls -d /boot/loader/entries/*.conf | sort -rV); do
if [ $i -eq ${BOOT_IMAGE:-0} ] && [ -r "$bls" ]; then
BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"
BOOT_IMAGE=${BOOT_IMAGE:1}
# Trim off any leading GRUB boot device (e.g. ($root) )
BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}"
BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}"
if [ -z "$BOOT_IMAGE_NAME" ]; then
BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
#if /boot is not a separate partition BOOT_IMAGE might start with /boot
BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"}
#on some achitectures BOOT_IMAGE does not contain path to kernel
#so if we can't find anything, let's treat it in the same way as if it was empty
if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then
BOOT_IMAGE_NAME="vmlinuz-${KERNEL}"
BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac"
if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then
warn "${BOOT_IMAGE_HMAC} does not exist"
(cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
info "All initrd crypto checks done"
umount /boot >/dev/null 2>&1
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
