#!/bin/sh
#set -x
#dmesg -n 7

. /usr/cisco/bin/ciscosetup.sh
. /usr/bin/parse_cmdline.sh


# Board identifier from the kernel command line (helper from parse_cmdline.sh).
# Nothing below in this script reads it; presumably the sourced helpers
# (e.g. additional_fips_tests) pick it up as a shell global -- TODO confirm.
board_id=$(cmdline_get_board_id)

#
# For FIPS certification, we have pulled all of the crypto algorithms out of
# the kernel blob and built them as their own kernel modules.  The kernel
# crypto infrastructure code still remains inside the blob.  We just need the
# actual algorithms as standalone objects.
#
# When the kernel is in FIPS mode, as the algorithms register with the kernel
# crypto infrastructure, the integrity of the module is evaluated.  If that
# check fails then the system will reload.
#
# Note: We need to load all the crypto material BEFORE we enable any external
# interfaces.
#
# Module: aes_generic.ko          # Rijndael (AES) Cipher Algorithm
# Module: sha256_generic.ko       # SHA-224 and SHA-256 Secure Hash Algorithm
# Module: sha512_generic.ko       # SHA-512 and SHA-384 Secure Hash Algorithms
# Module: hmac.ko                 # HMAC hash algorithm
# Module: sha1_generic.ko         # SHA1 Secure Hash Algorithm
# Module: sha1-arm.ko             # SHA1 Hardware
# Module: gf128mul.ko             # Functions for multiplying elements of GF(2^128)
# Module: cbc.ko                  # CBC block cipher algorithm
# Module: ctr.ko                  # CTR Counter block mode
# Module: ghash-generic.ko        # GHASH Message Digest Algorithm (needs gf128mul)
# Module: seqiv.ko                # Sequence Number IV Generator
#
# WARNING:  We should not have this module in production systems.  It IS NOT FIPS
# compliant
#
# Module: md5.ko                  # MD5 Message Digest Algorithm

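#
# Crypto module pass for the boards that ship the standalone algorithms: each
# module is loaded (in FIPS mode the kernel checks its integrity as it
# registers, see above) and unloaded again.  Written in POSIX sh: the
# original used "==" and "-o" inside [ ], which /bin/sh is not required to
# accept.
#
if [ "$MERAKI_BOARD" = "barbados" ] || [ "$MERAKI_BOARD" = "axel-bcm" ]; then
    crypto_mods="aes_generic.ko sha256_generic.ko sha512_generic.ko hmac.ko sha1_generic.ko \
             sha1-arm.ko gf128mul.ko cbc.ko ctr.ko ghash-generic.ko seqiv.ko"
    # md5.ko is appended unconditionally even though the header above says it
    # must not be in production systems; nothing here gates it on a build
    # type.  TODO(review): confirm whether md5.ko belongs in the production
    # image or should be dropped from this list.
    crypto_mods="$crypto_mods md5.ko"
    # Intentionally unquoted: $crypto_mods is a fixed space-separated list.
    for mod in $crypto_mods; do
        # Modules that are not present are skipped.  A failed load skips the
        # unload and is reported instead of being silently ignored (in FIPS
        # mode the kernel reloads the system on an integrity failure itself).
        if [ -f "/lib/modules/${mod}" ]; then
            if modload "/lib/modules/${mod}"; then
                modrm "/lib/modules/${mod}"
            else
                echo "crypto module POST: failed to load ${mod}" >&2
            fi
        fi
    done

    # Run our additional FIPS tests before we do anything else
    additional_fips_tests
fi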

# Set the FIPS flag in the file system during early init.  The helper is
# defined in one of the sourced files above; its exit status is deliberately
# not examined here (it is consulted again below, after a failed GCM POST).
is_fips_enabled

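# For Data DTLS GCM Support we need the mbedtls module (and CiscoSSL DTLS support).
# Loading mbedtls.ko runs its power-on self-test (POST); the module is then
# unloaded again.  Boards outside the list, or images without the module,
# skip this entirely.  A case statement replaces the original chain of
# "==" / "-o" tests inside [ ], which are not POSIX sh.
case "$MERAKI_BOARD" in
  barbados|corsica|mallorca|axel-qca|axel-bcm|entr17)
    if [ -f /lib/modules/mbedtls.ko ]; then
      if modload /lib/modules/mbedtls.ko; then
        # Only unload what actually loaded; previously modrm was also
        # attempted after a failed modload.
        modrm /lib/modules/mbedtls.ko
      else
        echo "GCM POST failed: mbedtls.ko did not load" >&2
        # NOTE(review): is_fips_enabled appears to signal "FIPS on" with an
        # exit status of exactly 1 (it comes from a sourced helper) -- confirm.
        # In FIPS mode a failed POST is fatal and the box is rebooted; in any
        # other mode boot continues without GCM support.
        is_fips_enabled
        fips_rc=$?
        if [ "$fips_rc" -eq 1 ]; then
          echo "GCM POST failed. Rebooting..."
          sleep 5; reboot -r "$BOOT_REASON_DTLS_GCM_RESET"
        fi
      fi
    fi
    ;;
esac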

# Always report success to the caller; the fatal FIPS cases above are handled
# by rebooting, not by this script's exit status.
exit 0
