?????????? ?????????

?????????? ????????? - ??????????????? - /home/agenciai/public_html/cd38d8/01fips.tar

???????
fips-load-crypto.sh��0000644��00000000673�15125674720�0010313 0��ustar�00��#!/bin/sh type getarg > /dev/null 2>&1 \|\| . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) \|\| [ "$fipsmode" = "0" ]; then rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" else . /sbin/fips.sh fips_info "fips-load-crypto: start" fips_load_crypto \|\| die "FIPS integrity test failed" fips_info "fips-load-crypto: done!" fi ��openssl.cnf��0000644��00000000210�15125674720�0006721 0��ustar�00��openssl_conf = openssl_init [openssl_init] providers = provider_sect [provider_sect] default = default_sect [default_sect] activate = 1 ��fips-noboot.sh��0000755��00000000730�15125674720�0007353 0��ustar�00��#!/usr/bin/sh type getarg > /dev/null 2>&1 \|\| . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) \|\| [ "$fipsmode" = "0" ]; then rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" elif ! [ -f /tmp/fipsdone ]; then . /sbin/fips.sh fips_info "fips-noboot: start" mount_boot do_fips \|\| die "FIPS integrity test failed" fips_info "fips-noboot: done!" fi ��fips-boot.sh��0000755��00000000752�15125674720�0007022 0��ustar�00��#!/usr/bin/sh type getarg > /dev/null 2>&1 \|\| . /lib/dracut-lib.sh if ! fipsmode=$(getarg fips) \|\| [ "$fipsmode" = "0" ]; then rm -f -- /etc/modprobe.d/fips.conf > /dev/null 2>&1 elif [ -z "$fipsmode" ]; then die "FIPS mode have to be enabled by 'fips=1' not just 'fips'" elif getarg boot= > /dev/null; then . /sbin/fips.sh fips_info "fips-boot: start" if mount_boot; then do_fips \|\| die "FIPS integrity test failed" fi fips_info "fips-boot: done!" fi ��module-setup.sh��0000755��00000003676�15125674720�0007553 0��ustar�00��#!/usr/bin/bash # called by dracut check() { return 0 } depends() { echo openssl } # called by dracut installkernel() { local _fipsmodules _mod _bootfstype if [[ -f "${srcmods}/modules.fips" ]]; then _fipsmodules="$(cat "${srcmods}/modules.fips")" else _fipsmodules="" # Hashes: _fipsmodules+="sha1 sha224 sha256 sha384 sha512 " _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 " _fipsmodules+="crc32c crct10dif ghash " # Ciphers: _fipsmodules+="cipher_null des3_ede aes cfb dh ecdh " # Modes/templates: _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts " # Compression algs: _fipsmodules+="deflate lzo zlib " # PRNG algs: _fipsmodules+="ansi_cprng " # Misc: _fipsmodules+="aead cryptomgr tcrypt crypto_user " fi # shellcheck disable=SC2174 mkdir -m 0755 -p "${initdir}/etc/modprobe.d" for _mod in $_fipsmodules; do if hostonly='' instmods -c -s "$_mod"; then echo "$_mod" >> "${initdir}/etc/fipsmodules" echo "blacklist $_mod" >> "${initdir}/etc/modprobe.d/fips.conf" fi done # with hostonly_default_device fs module for /boot is not installed by default if [[ $hostonly ]] && [[ $hostonly_default_device == "no" ]]; then _bootfstype=$(find_mp_fstype /boot) if [[ -n $_bootfstype ]]; then hostonly='' instmods "$_bootfstype" else dwarning "Can't determine fs type for /boot, FIPS check may fail." fi fi } # called by dracut install() { inst_hook pre-pivot 00 "$moddir/fips-boot.sh" inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" inst_script "$moddir/fips.sh" /sbin/fips.sh inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr inst_simple /etc/system-fips } ��fips.sh��0000755��00000021160�15125674720�0006055 0��ustar�00��#!/usr/bin/sh type getarg > /dev/null 2>&1 \|\| . /lib/dracut-lib.sh # systemd lets stdout go to journal only, but the system # has to halt when the integrity check fails to satisfy FIPS. if [ -z "$DRACUT_SYSTEMD" ]; then fips_info() { info "$" } else fips_info() { echo "$" >&2 } fi # Checks if a systemd-based UKI is running and ESP UUID is set is_uki() { [ -f /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] \ && [ -f /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] } mount_boot() { boot=$(getarg boot=) if is_uki && [ -z "$boot" ]; then # efivar file has 4 bytes header and contain UCS-2 data. Note, 'cat' is required # as sys/firmware/efi/efivars/ files are 'special' and don't allow 'seeking'. # shellcheck disable=SC2002 boot="PARTUUID=$(cat /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f \| tail -c +5 \| tr -d '\0' \| tr 'A-F' 'a-f')" fi if [ -n "$boot" ]; then if [ -d /boot ] && ismounted /boot; then boot_dev= if command -v findmnt > /dev/null; then boot_dev=$(findmnt -n -o SOURCE /boot) fi fips_info "Ignoring 'boot=$boot' as /boot is already mounted ${boot_dev:+"from '$boot_dev'"}" return 0 fi case "$boot" in LABEL=* \| UUID=* \| PARTUUID=* \| PARTLABEL=) boot="$(label_uuid_to_dev "$boot")" ;; /dev/) ;; ) die "You have to specify boot=<boot device> as a boot option for fips=1" ;; esac if ! [ -e "$boot" ]; then udevadm trigger --action=add > /dev/null 2>&1 i=0 while ! [ -e "$boot" ]; do udevadm settle --exit-if-exists="$boot" [ -e "$boot" ] && break sleep 0.5 i=$((i + 1)) [ $i -gt 40 ] && break done fi [ -e "$boot" ] \|\| return 1 mkdir -p /boot fips_info "Mounting $boot as /boot" mount -oro "$boot" /boot \|\| return 1 FIPS_MOUNTED_BOOT=1 elif ! ismounted /boot && [ -d "$NEWROOT/boot" ]; then # shellcheck disable=SC2114 rm -fr -- /boot ln -sf "$NEWROOT/boot" /boot else die "You have to specify boot=<boot device> as a boot option for fips=1" fi } do_rhevh_check() { KERNEL=$(uname -r) kpath=${1} # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0 HMAC_SUM_ORIG=$(while read -r a _ \|\| [ -n "$a" ]; do printf "%s\n" "$a"; done < "$NEWROOT/boot/.vmlinuz-${KERNEL}.hmac") HMAC_SUM_CALC=$(sha512hmac "$kpath" \| while read -r a _ \|\| [ -n "$a" ]; do printf "%s\n" "$a"; done \|\| return 1) if [ -z "$HMAC_SUM_ORIG" ] \|\| [ -z "$HMAC_SUM_CALC" ] \|\| [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then warn "HMAC sum mismatch" return 1 fi fips_info "rhevh_check OK" return 0 } do_uki_check() { local KVER local uki_checked=0 KVER="$(uname -r)" # UKI are placed in $ESP\EFI\Linux\<intall-tag>-<uname-r>.efi if ! [ "$FIPS_MOUNTED_BOOT" = 1 ]; then warn "Failed to mount ESP for doing UKI integrity check" return 1 fi for UKIpath in /boot/EFI/Linux/-"$KVER".efi; do # UKIs are installed to $ESP/EFI/Linux/<entry-token-or-machine-id>-<uname-r>.efi # and in some cases (e.g. when the image is used as a template for creating new # VMs) entry-token-or-machine-id can change. To make sure the running UKI is # always checked, check all UKIs which match the 'uname -r' of the running kernel # and fail the whole check if any of the matching UKIs are corrupted. [ -r "$UKIpath" ] \|\| break local UKI="${UKIpath##/}" local UKIHMAC=."$UKI".hmac fips_info "checking $UKIHMAC" (cd /boot/EFI/Linux/ && sha512hmac -c "$UKIHMAC") \|\| return 1 uki_checked=1 done if [ "$uki_checked" = 0 ]; then warn "Failed for find UKI for checking" return 1 fi return 0 } nonfatal_modprobe() { modprobe "$1" 2>&1 > /dev/stdout \ \| while read -r line \|\| [ -n "$line" ]; do echo "${line#modprobe: FATAL: }" >&2 done } fips_load_crypto() { local _k local _v local _module local _found FIPSMODULES=$(cat /etc/fipsmodules) fips_info "Loading and integrity checking all crypto modules" mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak for _module in $FIPSMODULES; do if [ "$_module" != "tcrypt" ]; then if ! nonfatal_modprobe "${_module}" 2> /tmp/fips.modprobe_err; then # check if kernel provides generic algo _found=0 while read -r _k _ _v \|\| [ -n "$_k" ]; do [ "$_k" != "name" -a "$_k" != "driver" ] && continue [ "$_v" != "$_module" ] && continue _found=1 break done < /proc/crypto [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1 fi fi done mv /etc/modprobe.d/fips.conf.bak /etc/modprobe.d/fips.conf fips_info "Self testing crypto algorithms" modprobe tcrypt \|\| return 1 rmmod tcrypt } do_fips() { KERNEL=$(uname -r) if ! getarg rd.fips.skipkernel > /dev/null; then fips_info "Checking integrity of kernel" if [ -e "/run/initramfs/live/vmlinuz0" ]; then do_rhevh_check /run/initramfs/live/vmlinuz0 \|\| return 1 elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 \|\| return 1 elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then # This is a boot.iso with the .hmac inside the install.img do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz \|\| return 1 elif is_uki; then # This is a UKI do_uki_check \|\| return 1 else BOOT_IMAGE="$(getarg BOOT_IMAGE)" # On s390x, BOOT_IMAGE isn't a path but an integer representing the # entry number selected. Let's try the root of /boot first, and # otherwise fallback to trying to parse the BLS entries if it's a # BLS-based system. if [ "$(uname -m)" = s390x ]; then if [ -e "/boot/vmlinuz-${KERNEL}" ]; then BOOT_IMAGE="vmlinuz-${KERNEL}" elif [ -d /boot/loader/entries ]; then i=0 # shellcheck disable=SC2012 for bls in $(ls -d /boot/loader/entries/.conf \| sort -rV); do if [ "$i" -eq "${BOOT_IMAGE:-0}" ] && [ -r "$bls" ]; then BOOT_IMAGE="$(grep -e '^linux' "$bls" \| grep -o ' .$')" BOOT_IMAGE=${BOOT_IMAGE## } break fi i=$((i + 1)) done fi fi # Trim off any leading GRUB boot device (e.g. ($root) ) BOOT_IMAGE="$(echo "${BOOT_IMAGE}" \| sed 's/^(.)//')" BOOT_IMAGE_NAME="${BOOT_IMAGE##/}" BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}" if [ -z "$BOOT_IMAGE_NAME" ]; then BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then #if /boot is not a separate partition BOOT_IMAGE might start with /boot BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"} #on some achitectures BOOT_IMAGE does not contain path to kernel #so if we can't find anything, let's treat it in the same way as if it was empty if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" BOOT_IMAGE_PATH="" fi fi BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac" if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then warn "${BOOT_IMAGE_HMAC} does not exist" return 1 fi (cd "${BOOT_IMAGE_HMAC%/}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") \|\| return 1 fi fi fips_info "All initrd crypto checks done" : > /tmp/fipsdone if [ "$FIPS_MOUNTED_BOOT" = 1 ]; then fips_info "Unmounting /boot" umount /boot > /dev/null 2>&1 else fips_info "Not unmounting /boot" fi return 0 } ��

| ver. 1.6 | Github | . | PHP 8.2.30 | ??????????? ?????????: 0 | proxy | phpinfo | ???????????