aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJonathan Lebon <jonathan@jlebon.com>2021-06-17 10:47:33 -0400
committerJóhann B. Guðmundsson <johannbg@gmail.com>2021-06-28 11:25:20 +0000
commit78557f05a69fe718a97df85d2ed741ce10d3f806 (patch)
treee95cbc9d7e99c5f3d25cf1b25a4478b73a532d23
parent2e3c5444d271cb8f05955858b8fdc367c4ea5c48 (diff)
downloaddracut-78557f05a69fe718a97df85d2ed741ce10d3f806.tar.gz
fix(fips): handle s390x OSTree systems
On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path to the kernel image, but rather an integer describing the index of the menu entry selected. Because of the way the s390x bootloader works, there is no information retained about e.g. the path of the kernel that was loaded. This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is a path to the kernel image to derive the HMAC path. In non-OSTree systems, this ends up working anyway, because the kernel is located at the root of the boot partition. In OSTree systems, this is not the case. However, OSTree systems use BLS configs, and they are named in reverse order of precedence (i.e. menu ordering). So from the `BOOT_IMAGE` integer, we can figure out which BLS entry was selected. Add some code to do just this on s390x. This isn't completely foolproof, because it presumes that (1) BLS configs were used to populate the bootloader (and that they were exactly in the same state they currently are when `zipl` was run), and (2) there are no other menu entries originating from outside the BLS configs. However, if these assumptions are wrong we would simply fail the boot, which is currently what is happening anyway. See also: https://github.com/openshift/os/pull/546 https://github.com/ibm-s390-linux/s390-tools/issues/78 Tested-by: Muhammad Adeel <muhammad.adeel@ibm.com>
-rwxr-xr-xmodules.d/01fips/fips.sh15
-rwxr-xr-xmodules.d/01fips/module-setup.sh2
2 files changed, 16 insertions, 1 deletions
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 821c26a2..dcb5c069 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -124,6 +124,21 @@ do_fips() {
else
BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+ # On s390x, BOOT_IMAGE isn't a path but an integer representing the
+ # entry number selected. Let's try the root of /boot first, and
+ # otherwise fallback to trying to parse the BLS entries if it's a
+ # BLS-based system.
+ if [ "$(uname -m)" = s390x ]; then
+ if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
+ BOOT_IMAGE="vmlinuz-${KERNEL}"
+ elif [ -d /boot/loader/entries ]; then
+ bls=$(find /boot/loader/entries -name '*.conf' | sort -rV | sed -n "$((BOOT_IMAGE + 1))p")
+ if [ -e "${bls}" ]; then
+ BOOT_IMAGE=$(grep ^linux "${bls}" | cut -d' ' -f2)
+ fi
+ fi
+ fi
+
# Trim off any leading GRUB boot device (e.g. ($root) )
BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index a1e499af..37334b81 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -67,7 +67,7 @@ install() {
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
- inst_multiple sha512hmac rmmod insmod mount uname umount
+ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort
inst_simple /etc/system-fips
[ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \