File 0199-fips-moved-to-pre-pivot-to-support-boot-in.patch of Package dracut
From 592dabba90903b66c13f515d849782037cd8bfb4 Mon Sep 17 00:00:00 2001 From: Harald Hoyer <harald@redhat.com> Date: Fri, 8 Apr 2011 12:14:58 +0200 Subject: [PATCH] fips: moved to pre-pivot to support /boot in / --- dracut.8 | 4 --- modules.d/01fips/fips.sh | 79 +++++++++++++++++++++++++----------------------- modules.d/01fips/install | 2 +- 3 files changed, 42 insertions(+), 43 deletions(-) diff --git a/dracut.8 b/dracut.8 index 2af4dba..0b53c85 100644 --- a/dracut.8 +++ b/dracut.8 @@ -257,10 +257,6 @@ specify the device, where /boot is located boot=/dev/disk/by-path/pci-0000:00:1f.1-scsi-0:0:1:0-part1 boot=UUID=<uuid> boot=LABEL=<label> -.TP -.BR rd.fips.skipkernel -skip checksum check of the kernel image. -Useful, if the kernel image is not in a separate boot partition. .SS Network .TP diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index 66bb28e..2969398 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh 
@@ -1,60 +1,65 @@ #!/bin/sh - +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh do_fipskernel() { boot=$(getarg boot=) - KERNEL=$(uname -r) - case "$boot" in - LABEL=*) - boot="$(echo $boot | sed 's,/,\\x2f,g')" - boot="/dev/disk/by-label/${boot#LABEL=}" - ;; - UUID=*) - boot="/dev/disk/by-uuid/${boot#UUID=}" - ;; - /dev/*) - ;; - *) - die "You have to specify boot=<boot device> as a boot option for fips=1" ;; - esac + newroot=$NEWROOT - if ! [ -e "$boot" ]; then - udevadm trigger --action=add >/dev/null 2>&1 - [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version) + if [ -n "$boot" ]; then + KERNEL=$(uname -r) + case "$boot" in + LABEL=*) + boot="$(echo $boot | sed 's,/,\\x2f,g')" + boot="/dev/disk/by-label/${boot#LABEL=}" + ;; + UUID=*) + boot="/dev/disk/by-uuid/${boot#UUID=}" + ;; + /dev/*) + ;; + *) + die "You have to specify boot=<boot device> as a boot option for fips=1" ;; + esac - if [ $UDEVVERSION -ge 143 ]; then - udevadm settle --exit-if-exists=$boot - else - udevadm settle --timeout=30 + if ! [ -e "$boot" ]; then + udevadm trigger --action=add >/dev/null 2>&1 + [ -z "$UDEVVERSION" ] && UDEVVERSION=$(udevadm --version) + + if [ $UDEVVERSION -ge 143 ]; then + udevadm settle --exit-if-exists=$boot + else + udevadm settle --timeout=30 + fi fi - fi - [ -e "$boot" ] - - mkdir /boot - info "Mounting $boot as /boot" - mount -oro "$boot" /boot + [ -e "$boot" ] + + mkdir /boot + info "Mounting $boot as /boot" + mount -oro "$boot" /boot + unset newroot + fi info "Checking integrity of kernel" - if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then - warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist" + if ! 
[ -e "$newroot/boot/.vmlinuz-${KERNEL}.hmac" ]; then + warn "$newroot/boot/.vmlinuz-${KERNEL}.hmac does not exist" return 1 fi - sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1 + sha512hmac -c "$newroot/boot/.vmlinuz-${KERNEL}.hmac" || return 1 - info "Umounting /boot" - umount /boot + if [ -z "$newroot" ]; then + info "Umounting /boot" + umount /boot + fi } do_fips() { FIPSMODULES=$(cat /etc/fipsmodules) - if ! getarg rd.fips.skipkernel >/dev/null; then - do_fipskernel - fi info "Loading and integrity checking all crypto modules" for module in $FIPSMODULES; do if [ "$module" != "tcrypt" ]; then @@ -76,5 +81,3 @@ else do_fips || die "FIPS integrity test failed" set +e fi - -# vim:ts=8:sw=4:sts=4:et diff --git a/modules.d/01fips/install b/modules.d/01fips/install index 8115706..22e6d0f 100755 --- a/modules.d/01fips/install +++ b/modules.d/01fips/install @@ -1,6 +1,6 @@ #!/bin/bash -inst_hook pre-trigger 01 "$moddir/fips.sh" +inst_hook pre-pivot 01 "$moddir/fips.sh" dracut_install sha512hmac rmmod insmod mount uname umount libdir="lib" -- 1.8.3.1
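Review bot: Nothing visible calls do_fipskernel after this hunk: the `if ! getarg rd.fips.skipkernel` block that invoked it from do_fips is removed and neither fips.sh hunk adds a replacement, so unless a caller exists outside the diff the kernel HMAC check is silently skipped rather than enforced. do_fips should run it unconditionally before the module loop, e.g. `do_fipskernel || return 1`. Separately, `KERNEL=$(uname -r)` now sits inside `if [ -n "$boot" ]`, so on the new no-`boot=` path `${KERNEL}` is empty (unless inherited from the environment) and the check looks for `$newroot/boot/.vmlinuz-.hmac`; the assignment should move above the `if`. That path fails closed, but it breaks the /boot-in-/ case this commit is meant to support. do_fips's body continues outside the hunk.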
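Review bot: Registering fips.sh at `pre-pivot` means the crypto module loading in do_fips now runs only after the root filesystem has been found and mounted, so any kernel crypto used earlier in the initramfs (for example to unlock an encrypted root, which this diff does not show) would run before the FIPS checks. If only the kernel HMAC check needs `$NEWROOT`, consider leaving the module checks in an early hook and moving just the kernel check here. At minimum, a comment above this line should record why the late hook is needed, such as `# pre-pivot: kernel HMAC is read from $NEWROOT/boot when boot= is not given`. The install script continues outside the hunk.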