Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

initramfs: Add RPMOSTREE_SKIP_DRACUT_RANDOM_EXTENSION #4704

Closed
wants to merge 1 commit into from
Closed

initramfs: Add RPMOSTREE_SKIP_DRACUT_RANDOM_EXTENSION #4704

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 12 additions & 7 deletions rust/src/cliwrap/kernel_install.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,13 +95,18 @@ fn run_dracut(kernel_dir: &str) -> Result<()> {
res
));
}
let mut f = std::fs::OpenOptions::new()
.write(true)
.append(true)
.open(&tmp_initramfs_path)?;
// Also append the dev/urandom bits here, see the duplicate bits in rpmostree-kernel.cxx
f.write(crate::initramfs::get_dracut_random_cpio())?;
drop(f);
// In container environments without capabilities to create device files, the dracut
// FIPS module will fail to create /dev/random, which will break booting in FIPS mode.
//
if let Some(blob) = crate::initramfs::get_dracut_random_cpio_impl() {
let mut f = std::fs::OpenOptions::new()
.write(true)
.append(true)
.open(&tmp_initramfs_path)?;
// Also append the dev/urandom bits here, see the duplicate bits in rpmostree-kernel.cxx
f.write(blob)?;
drop(f);
}
let utf8_tmp_dir_path = Utf8Path::from_path(tmp_dir.path().strip_prefix("/")?)
.context("Error turning Path to Utf8Path")?;
root_fs.rename(
Expand Down
24 changes: 22 additions & 2 deletions rust/src/initramfs.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,9 +134,29 @@ fn generate_initramfs_overlay_etc<P: glib::IsA<gio::Cancellable>>(
generate_initramfs_overlay(root, files, cancellable)
}

pub(crate) fn get_dracut_random_cpio() -> &'static [u8] {
/// In some cases we may return a pre-generated CPIO blob with /dev/{u,}random embedded.
/// This is necessary when running dracut in a restricted container, where the current FIPS
/// plugin may fail.
///
/// For FIPS mode we need /dev/urandom pre-created because the FIPS
/// standards authors require that randomness is tested in a
/// *shared library constructor* (instead of first use as would be
/// the sane thing).
/// https://bugzilla.redhat.com/show_bug.cgi?id=1778940
/// https://bugzilla.redhat.com/show_bug.cgi?id=1401444
/// https://bugzilla.redhat.com/show_bug.cgi?id=1380866
pub(crate) fn get_dracut_random_cpio_impl() -> Option<&'static [u8]> {
// An opt-in environment variable to skip the embedding.
if std::env::var_os("RPMOSTREE_SKIP_DRACUT_RANDOM_EXTENSION").is_some() {
return None;
}
// Generated with: fakeroot /bin/sh -c 'cd dracut-urandom && find . -print0 | sort -z | (mknod dev/random c 1 8 && mknod dev/urandom c 1 9 && cpio -o --null -H newc -R 0:0 --reproducible --quiet -D . -O /tmp/dracut-urandom.cpio)'
include_bytes!("../../src/libpriv/dracut-random.cpio.gz")
Some(include_bytes!("../../src/libpriv/dracut-random.cpio.gz"))
}

/// C++ compatible wrapper that returns a zero-size slice instead of `None`.
pub(crate) fn get_dracut_random_cpio() -> &'static [u8] {
get_dracut_random_cpio_impl().unwrap_or(&[])
}

/// cxx-rs entrypoint; we can't use generics and need to return a raw integer for fd
Expand Down