KOKINIO - MANAGER
Edit File: fips-crypto-policy-overlay
#!/usr/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -u policyfile=/etc/crypto-policies/config fipspolicyfile=/usr/share/crypto-policies/default-fips-config backends=/etc/crypto-policies/back-ends fipsbackends=/usr/share/crypto-policies/back-ends/FIPS if ! mountpoint -q /proc; then echo "/proc is not mounted" 1>&2 exit 1 fi if ! [[ $(cat /proc/sys/crypto/fips_enabled) == 1 ]]; then echo "FIPS mode is not enabled." 1>&2 exit 1 fi if mountpoint -q "${policyfile}"; then if grep -qF " ${fipspolicyfile} ${policyfile} " /proc/self/mountinfo then echo "${fipspolicyfile} is already mounted over ${policyfile}" \ 1>&2 exit 0 fi echo "Warning: ${policyfile} is already mounted over." 1>&2 fi if mountpoint -q "${backends}"; then if grep -qF " ${fipsbackends} ${backends} " /proc/self/mountinfo; then echo "${fipsbackends} is already mounted over ${backends}" \ 1>&2 exit 0 fi echo "Warning: ${backends} is already mounted over." 1>&2 fi # When in FIPS mode, check the active crypto policy by reading the # /etc/crypto-policies/config file. If it is not "FIPS", or does not start # with "FIPS:", automatically switch to the FIPS policy by creating # bind-mounts. if ! [ -f "${policyfile}" ]; then echo "${policyfile} is missing." 1>&2 exit 1 fi policy=$(cat "${policyfile}") if [[ "${policy}" == "FIPS" || "${policy}" =~ ^FIPS: ]]; then echo "System-wide crypto-policy is already set to ${policy}." 1>&2 exit 0 fi # Current crypto policy is not FIPS or FIPS-based, but the system is in FIPS # mode; this is an inconsistent configuration. Automatically bind-mount a FIPS # configuration over this. if ! mount -o bind,ro "${fipsbackends}" "${backends}"; then echo -n "Failed to bind-mount FIPS policy over ${backends} " 1>&2 echo "(the system is in FIPS mode, but the crypto-policy is not)." 1>&2 exit 1 fi # Also mount a file containing `FIPS\n` over /etc/crypto-policies/config. if [ ! -f "${fipspolicyfile}" ]; then echo -n "${fipspolicyfile} is missing." 1>&2 exit 1 fi if ! mount -o bind,ro "${fipspolicyfile}" "${policyfile}" then echo -n "Failed to bind-mount FIPS crypto-policy state file " 1>&2 echo -n "over ${policyfile} " 1>&2 echo "(the system is in FIPS mode, but the crypto-policy is not)." 1>&2 exit 1 fi