#!/bin/bash

[0] Fix | Delete

[1] Fix | Delete

# called by dracut

[2] Fix | Delete

check() {

[3] Fix | Delete

return 255

[4] Fix | Delete

}

[5] Fix | Delete

[6] Fix | Delete

# called by dracut

[7] Fix | Delete

depends() {

[8] Fix | Delete

return 0

[9] Fix | Delete

}

[10] Fix | Delete

[11] Fix | Delete

# called by dracut

[12] Fix | Delete

installkernel() {

[13] Fix | Delete

local _fipsmodules _mod _bootfstype

[14] Fix | Delete

if [[ -f "${srcmods}/modules.fips" ]]; then

[15] Fix | Delete

_fipsmodules="$(cat "${srcmods}/modules.fips")"

[16] Fix | Delete

else

[17] Fix | Delete

_fipsmodules=""

[18] Fix | Delete

[19] Fix | Delete

# Hashes:

[20] Fix | Delete

_fipsmodules+="sha1 sha224 sha256 sha384 sha512 "

[21] Fix | Delete

_fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "

[22] Fix | Delete

_fipsmodules+="crc32c crct10dif ghash "

[23] Fix | Delete

[24] Fix | Delete

# Ciphers:

[25] Fix | Delete

_fipsmodules+="cipher_null des3_ede aes cfb dh ecdh "

[26] Fix | Delete

[27] Fix | Delete

# Modes/templates:

[28] Fix | Delete

_fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "

[29] Fix | Delete

[30] Fix | Delete

# Compression algs:

[31] Fix | Delete

_fipsmodules+="deflate lzo zlib "

[32] Fix | Delete

[33] Fix | Delete

# PRNG algs:

[34] Fix | Delete

_fipsmodules+="ansi_cprng "

[35] Fix | Delete

[36] Fix | Delete

# Misc:

[37] Fix | Delete

_fipsmodules+="aead cryptomgr tcrypt crypto_user "

[38] Fix | Delete

fi

[39] Fix | Delete

[40] Fix | Delete

mkdir -m 0755 -p "${initdir}/etc/modprobe.d"

[41] Fix | Delete

[42] Fix | Delete

for _mod in $_fipsmodules; do

[43] Fix | Delete

if hostonly='' instmods -c -s $_mod; then

[44] Fix | Delete

echo $_mod >> "${initdir}/etc/fipsmodules"

[45] Fix | Delete

echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf"

[46] Fix | Delete

fi

[47] Fix | Delete

done

[48] Fix | Delete

[49] Fix | Delete

# with hostonly_default_device fs module for /boot is not installed by default

[50] Fix | Delete

if [[ $hostonly ]] && [[ "$hostonly_default_device" == "no" ]]; then

[51] Fix | Delete

_bootfstype=$(find_mp_fstype /boot)

[52] Fix | Delete

if [[ -n "$_bootfstype" ]]; then

[53] Fix | Delete

hostonly='' instmods $_bootfstype

[54] Fix | Delete

else

[55] Fix | Delete

dwarning "Can't determine fs type for /boot, FIPS check may fail."

[56] Fix | Delete

fi

[57] Fix | Delete

fi

[58] Fix | Delete

}

[59] Fix | Delete

[60] Fix | Delete

# called by dracut

[61] Fix | Delete

install() {

[62] Fix | Delete

local _dir

[63] Fix | Delete

inst_hook pre-trigger 01 "$moddir/fips-boot.sh"

[64] Fix | Delete

inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"

[65] Fix | Delete

inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"

[66] Fix | Delete

inst_script "$moddir/fips.sh" /sbin/fips.sh

[67] Fix | Delete

[68] Fix | Delete

inst_multiple sha512hmac rmmod insmod mount uname umount grep sort

[69] Fix | Delete

[70] Fix | Delete

inst_simple /etc/system-fips

[71] Fix | Delete

[ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \

[72] Fix | Delete

|| {

[73] Fix | Delete

dfatal "Cannot create /dev/random"

[74] Fix | Delete

dfatal "To create an initramfs with fips support, dracut has to run as root"

[75] Fix | Delete

return 1

[76] Fix | Delete

}

[77] Fix | Delete

[ -c ${initdir}/dev/urandom ] || mknod ${initdir}/dev/urandom c 1 9 \

[78] Fix | Delete

|| {

[79] Fix | Delete

dfatal "Cannot create /dev/random"

[80] Fix | Delete

dfatal "To create an initramfs with fips support, dracut has to run as root"

[81] Fix | Delete

return 1

[82] Fix | Delete

}

[83] Fix | Delete

}

[84] Fix | Delete

[85] Fix | Delete