fix(fips): handle s390x OSTree systems
On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path
to the kernel image, but rather an integer describing the index of the
menu entry selected. Because of the way the s390x bootloader works,
there is no information retained about e.g. the path of the kernel that
was loaded.

This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is
a path to the kernel image to derive the HMAC path. In non-OSTree
systems, this ends up working anyway, because the kernel is located at
the root of the boot partition.  In OSTree systems, this is not the
case. However, OSTree systems use BLS configs, and they are named in
reverse order of precedence (i.e. menu ordering). So from the
`BOOT_IMAGE` integer, we can figure out which BLS entry was selected.

Add some code to do just this on s390x. This isn't completely foolproof,
because it presumes that (1) BLS configs were used to populate the
bootloader (and that they were exactly in the same state they currently
are when `zipl` was run), and (2) there are no other menu entries
originating from outside the BLS configs. However, if these assumptions
are wrong we would simply fail the boot, which is currently what is
happening anyway.

See also:
openshift/os#546
ibm-s390-linux/s390-tools#78

Tested-by: Muhammad Adeel <[email protected]>

Resolves: rhbz#2050567
jlebon authored and pvalena committed Jun 30, 2022
1 parent 1d2b9a0 commit afd71f8
Showing 2 changed files with 12 additions and 5 deletions.
15 changes: 11 additions & 4 deletions modules.d/01fips/fips.sh
@@ -132,10 +132,17 @@ do_fips() {
if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
BOOT_IMAGE="vmlinuz-${KERNEL}"
elif [ -d /boot/loader/entries ]; then
bls=$(find /boot/loader/entries -name '*.conf' | sort -rV | sed -n "$((BOOT_IMAGE + 1))p")
if [ -e "${bls}" ]; then
BOOT_IMAGE=$(grep ^linux "${bls}" | cut -d' ' -f2)
fi
i=0
# shellcheck disable=SC2012
for bls in $(ls -d /boot/loader/entries/*.conf | sort -rV); do
if [ "$i" -eq "${BOOT_IMAGE:-0}" ] && [ -r "$bls" ]; then
BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"
BOOT_IMAGE=${BOOT_IMAGE## }
break
fi

i=$((i + 1))
done
fi
fi

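Review bot: the pair `BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"` / `BOOT_IMAGE=${BOOT_IMAGE## }` strips exactly one leading space, so a BLS entry that separates `linux` from its path with a tab or with more than one space leaves whitespace at the front of `BOOT_IMAGE`, and the HMAC path later derived from it will not resolve. Since `sed` stays in the initramfs, `BOOT_IMAGE=$(sed -n 's/^linux[[:space:]]*//p' "$bls")` does the extraction in one step and tolerates any whitespace (the removed `cut -d' ' -f2` had the same single-space limitation, so this is not a regression, but it is the moment to fix it). Two smaller points: `for bls in $(ls -d ... | sort -rV)` depends on word-splitting of the `ls` output, so the index silently drifts if an entry filename ever contains whitespace (the SC2012 suppression hides exactly that), and when `BOOT_IMAGE` exceeds the number of entries no iteration matches, `BOOT_IMAGE` keeps its integer value and the boot fails at the HMAC lookup; the commit message accepts that outcome, but a diagnostic message after the loop when no entry was selected would make the failure obvious in the boot log instead of surfacing as a missing-file error.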
2 changes: 1 addition & 1 deletion modules.d/01fips/module-setup.sh
@@ -67,7 +67,7 @@ install() {
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh

inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort
inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort

inst_simple /etc/system-fips
[ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
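Review bot: `ls` is now used by the new entry loop in fips.sh but is not added to the `inst_multiple` line here, while `cut` and `find` are correctly dropped because nothing in fips.sh calls them any more. Unless `ls` is guaranteed to be pulled in by a base module, `inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort ls` keeps this module's dependency list accurate, and a missing `ls` would otherwise fail the boot on exactly the s390x OSTree systems this commit targets.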