#!/bin/bash
umask 022
usage=0
enable_fips=
check=0
boot_config=1
err_if_disabled=0
fips_install_complete=0
output_text=1
is_ostree_system=0
if test -f /run/ostree-booted; then
is_ostree_system=1
fi
enable2txt () {
case "$1" in
0)
echo "disabled"
;;
1)
echo "enabled"
;;
esac
}
cond_echo () {
if test "$output_text" != 0;then
echo "$@"
fi
}
while test $# -ge 1 ; do
case "$1" in
--enable)
enable_fips=1
;;
--disable)
enable_fips=0
;;
--check)
check=1
enable_fips=2
;;
--is-enabled)
check=1
enable_fips=2
err_if_disabled=1
output_text=0
;;
--no-bootcfg)
boot_config=0
;;
*)
usage=1
;;
esac
shift
done
if test $usage = 1 -o x$enable_fips = x ; then
echo "Check, enable, or disable the system FIPS mode."
echo "usage: $0 --enable|--disable [--no-bootcfg]"
echo "usage: $0 --check"
echo "usage: $0 --is-enabled"
exit 2
fi
# We don't handle the boot config on OSTree systems for now; it is assumed to be
# handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
# intrinsically tied to the firstboot procedure.
if test "$is_ostree_system" = 1 && test "$enable_fips" = 1 && test "$boot_config" = 1; then
cond_echo "Cannot perform boot config changes on OSTree systems (use --no-bootcfg)"
exit 1
fi
if test -f /etc/system-fips ; then
# On OSTree systems, /etc/system-fips in the real root marks completion.
if test ! -d /boot -o "$is_ostree_system" = 1 -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
fips_install_complete=1
fi
fi
if test $check = 1 ; then
test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not completed."
fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
if test "$fips_enabled" = 1 ; then
if test $fips_install_complete = 0 ; then
cond_echo "Inconsistent state detected."
exit 1
fi
current="$(cat /etc/crypto-policies/state/current)"
if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
cond_echo "The current crypto policy ($current) is not a FIPS policy."
fi
fi
if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1;then
exit 2
fi
exit 0
fi
if [ $(id -u) != 0 ]; then
echo "You must be root to run $(basename $0)"
exit 1
fi
if test $enable_fips = 1 ; then
if test $fips_install_complete = 0 ; then
fips-finish-install --complete
if test $? != 0 ; then
echo "Installation of FIPS modules could not be completed."
exit 1
fi
fi
update-crypto-policies --no-reload --set FIPS 2>/dev/null
else
update-crypto-policies --no-reload --set DEFAULT 2>/dev/null
fi
boot_device="$(df -P /boot | tail -1)"
echo "$boot_device" | grep -q ' /$' && boot_device='/' || boot_device=$(echo "$boot_device" | cut -d ' ' -f 1)
if test x"$boot_device" = x ; then
echo "Boot device not identified, you have to configure the bootloader manually."
boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
boot_config=0
else
if test "$boot_device" = / ; then
boot_device_opt=""
else
boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
fi
fi
if test $boot_config=1 && test ! -x "$(command -v grubby)" ; then
echo "The grubby command is missing, please configure the bootloader manually."
boot_config=0
fi
echo "FIPS mode will be $(enable2txt $enable_fips)."
fipsopts="fips=$enable_fips$boot_device_opt"
if test $boot_config = 0 ; then
echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
echo "and reboot the system for the setting to take effect."
else
grubby --update-kernel=ALL --args="$fipsopts"
if test x"$(uname -m)" = xs390x; then
if command -v zipl >/dev/null; then
zipl >/dev/null 2>&1
else
echo -n '`zipl` execution has been skipped: '
echo '`zipl` not found.'
fi
fi
echo "Please reboot the system for the setting to take effect."
fi
exit 0