author | Jonathan Lebon <jonathan@jlebon.com> | 2019-10-29 16:45:29 -0400 |
---|---|---|
committer | Jonathan Lebon <jonathan@jlebon.com> | 2019-10-29 16:45:29 -0400 |
commit | 7ae8da08b9f832bbaf6c9c50737e25116ec7ca9c (patch) | |
tree | 2e2ac4fa5af1aaba6609d1f1aa015ca35b3ea265 /src/libostree/ostree-sysroot-deploy.c | |
parent | 476f375cfcfe0b9a56db0703ffe68441a33b2ce2 (diff) | |
lib/deploy: Also install HMAC file into /boot
To allow for FIPS mode, we need to also install the HMAC file from
`/usr/lib/modules` to `/boot` alongside the kernel image where the
`fips` dracut module will find it. For details, see:
https://github.com/coreos/fedora-coreos-tracker/issues/302
Note that I didn't include the file in the boot checksum: since it is itself a checksum of the kernel, including it would gain little beyond potentially causing an unnecessary bootcsum bump.
Diffstat (limited to 'src/libostree/ostree-sysroot-deploy.c')
-rw-r--r-- | src/libostree/ostree-sysroot-deploy.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 15db0bf1..a09c354b 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -878,6 +878,8 @@ typedef struct {
 int boot_dfd;
 char *kernel_srcpath;
 char *kernel_namever;
+ char *kernel_hmac_srcpath;
+ char *kernel_hmac_namever;
 char *initramfs_srcpath;
 char *initramfs_namever;
 char *devicetree_srcpath;
@@ -890,6 +892,8 @@ _ostree_kernel_layout_free (OstreeKernelLayout *layout)
 glnx_close_fd (&layout->boot_dfd);
 g_free (layout->kernel_srcpath);
 g_free (layout->kernel_namever);
+ g_free (layout->kernel_hmac_srcpath);
+ g_free (layout->kernel_hmac_namever);
 g_free (layout->initramfs_srcpath);
 g_free (layout->initramfs_namever);
 g_free (layout->devicetree_srcpath);
@@ -1032,6 +1036,16 @@ get_kernel_from_tree_usrlib_modules (int deployment_dfd,
 g_clear_object (&in);
 glnx_close_fd (&fd);
+ /* And finally, look for any HMAC file. This is needed for FIPS mode on some distros. */
+ if (!glnx_fstatat_allow_noent (ret_layout->boot_dfd, ".vmlinuz.hmac", NULL, 0, error))
+ return FALSE;
+ if (errno == 0)
+ {
+ ret_layout->kernel_hmac_srcpath = g_strdup (".vmlinuz.hmac");
+ /* Name it as dracut expects it: https://github.com/dracutdevs/dracut/blob/225e4b94cbdb702cf512490dcd2ad9ca5f5b22c1/modules.d/01fips/fips.sh#L129 */
+ ret_layout->kernel_hmac_namever = g_strdup_printf (".%s.hmac", ret_layout->kernel_namever);
+ }
+
 char hexdigest[OSTREE_SHA256_STRING_LEN+1];
 ot_checksum_get_hexdigest (&checksum, hexdigest, sizeof (hexdigest));
 ret_layout->bootcsum = g_strdup (hexdigest);
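Review bot: The comment on the new lookup in get_kernel_from_tree_usrlib_modules only says "look for any HMAC file"; it should name the consumer and state that absence is expected, since the whole block is silently skipped when the stat reports ENOENT and a reader might otherwise take the missing file for a bug. Suggested: `/* Optional kernel HMAC file (.vmlinuz.hmac): dracut's fips module checks the installed kernel against it at boot, so it has to be carried into /boot next to the kernel. Non-FIPS builds do not ship it, so ENOENT is not an error. */`. This hunk also tests `errno == 0` after glnx_fstatat_allow_noent, while the companion hunk in install_deployment_kernel tests `errno == ENOENT` for the same helper; using one idiom in both places (`if (errno != ENOENT)` here) would make the two paths read alike and not depend on the helper clearing errno on success. get_kernel_from_tree_usrlib_modules starts before this hunk.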
@@ -1686,6 +1700,20 @@ install_deployment_kernel (OstreeSysroot *sysroot,
 }
 }
+ if (kernel_layout->kernel_hmac_srcpath)
+ {
+ if (!glnx_fstatat_allow_noent (bootcsum_dfd, kernel_layout->kernel_hmac_namever, &stbuf, 0, error))
+ return FALSE;
+ if (errno == ENOENT)
+ {
+ if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->kernel_hmac_srcpath,
+ bootcsum_dfd, kernel_layout->kernel_hmac_namever,
+ sysroot->debug_flags,
+ cancellable, error))
+ return FALSE;
+ }
+ }
+
 g_autofree char *contents = NULL;
 if (!glnx_fstatat_allow_noent (deployment_dfd, "usr/lib/os-release", &stbuf, 0, error))
 return FALSE;
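Review bot: The HMAC file is installed only when nothing by that name already exists in bootcsum_dfd (`errno == ENOENT`), yet the commit message deliberately keeps it out of bootcsum, so a bootcsum directory created by an earlier deployment of the same kernel and initramfs keeps whatever `.vmlinuz-<ver>.hmac` it already holds, even one truncated by an interrupted install or produced under a different HMAC format or key. If, as the linked tracker issue suggests, dracut's fips module refuses to boot on a mismatch, that stale file turns an otherwise valid upgrade into an unbootable deployment that re-deploying the same tree cannot repair. Either fold the HMAC file into bootcsum after all (the bump then happens only when the HMAC itself changes, which is exactly when a refresh is needed) or compare the existing file with the source before skipping, e.g. `if (errno == ENOENT || !hmac_files_match (kernel_layout->boot_dfd, kernel_layout->kernel_hmac_srcpath, bootcsum_dfd, kernel_layout->kernel_hmac_namever))`. A short comment should also say that the sidecar lives in the same /boot directory as the kernel it covers, so it guards against accidental corruption rather than against anyone who can already write /boot, and must not be read as a boot-integrity check. install_deployment_kernel starts and ends outside this hunk.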