Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package crypto-policies for openSUSE:Factory 
checked in at 2023-09-07 21:12:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
 and      /work/SRC/openSUSE:Factory/.crypto-policies.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "crypto-policies"

Thu Sep  7 21:12:02 2023 rev:5 rq:1108785 version:20230614.5f3458e

Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes  
2023-07-27 16:50:54.573848527 +0200
+++ 
/work/SRC/openSUSE:Factory/.crypto-policies.new.1766/crypto-policies.changes    
    2023-09-07 21:12:04.791887233 +0200
@@ -1,0 +2,16 @@
+Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Tests: Fix pylint versioning for TW and fix the parsing of the
+  policygenerators to account for the commented lines correctly.
+  * Add crypto-policies-pylint.patch
+  * Rebase crypto-policies-policygenerators.patch
+
+-------------------------------------------------------------------
+Tue Aug  1 12:23:33 UTC 2023 - Pedro Monreal <[email protected]>
+
+- FIPS: Adapt the fips-mode-setup script to use the pbl command
+  from the perl-Bootloader package to replace grubby. Add a note
+  for transactional systems [jsc#PED-4578].
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------

New:
----
  crypto-policies-pylint.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:06.975965309 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:06.979965452 +0200
@@ -51,8 +51,10 @@
 Patch3:         crypto-policies-supported.patch
 #PATCH-FIX-OPENSUSE Revert a breaking change that introduces 
rh-allow-sha1-signatures
 Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
-#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
-Patch5:         crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5:         crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE 
[jsc#PED-4578]
+Patch6:         crypto-policies-FIPS.patch
 BuildRequires:  python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires:  python3-toml
@@ -62,10 +64,12 @@
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires:  bind
+BuildRequires:  codespell
 BuildRequires:  gnutls >= 3.6.0
 BuildRequires:  java-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libxslt
+#BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl
 BuildRequires:  perl
 BuildRequires:  python3-coverage
@@ -79,9 +83,9 @@
 BuildRequires:  perl(File::pushd)
 %endif
 Recommends:     crypto-policies-scripts
-Conflicts:      gnutls < 3.7.0
+Conflicts:      gnutls < 3.7.3
 #Conflicts:      libreswan < 3.28
-Conflicts:      nss < 3.44.0
+Conflicts:      nss < 3.90.0
 #Conflicts:      openssh < 8.2p1
 #!BuildIgnore:  crypto-policies
 BuildArch:      noarch
@@ -94,7 +98,7 @@
 %package scripts
 Summary:        Tool to switch between crypto policies
 Requires:       %{name} = %{version}-%{release}
-Recommends:     grubby
+Recommends:     perl-Bootloader
 
 %description scripts
 This package provides a tool update-crypto-policies, which applies
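Review bot: `Recommends: perl-Bootloader` leaves pbl optional, yet the rebased crypto-policies-FIPS.patch in this same commit makes fips-mode-setup call `pbl --add-option` and run `zypper -n install perl-Bootloader` as root when the command is missing. A hard `Requires: perl-Bootloader` on the scripts subpackage would keep a FIPS configuration tool from pulling packages at run time, which presumably also fails on hosts without repository access. If the weak dependency is intentional, a spec comment such as `# pbl is installed on demand by fips-mode-setup` would record that. The %package scripts section continues outside this hunk.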
@@ -141,11 +145,11 @@
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
 
-%if %{without manbuild}
-# Install the manpages from defined sources
 mkdir -p -m 755 %{buildroot}%{_mandir}/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
 cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
 cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
 %endif
@@ -181,7 +185,8 @@
 %check
 %if %{with testsuite}
 export OPENSSL_CONF=''
-%make_build test test-install test-fips-setup || :
+%make_build test
+%make_build test-install test-fips-setup || :
 %endif
 
 %post -p <lua>
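Review bot: The `|| :` kept on `%make_build test-install test-fips-setup || :` still discards failures of the two targets that exercise the installed scripts, so a regression in fips-mode-setup, which this commit rewrites, would not fail the build. Splitting out `%make_build test` is a real improvement, but the remaining mask should be justified or removed. If those targets cannot pass in the build root, say so in a comment above the line, for example `# test-install/test-fips-setup cannot run in the build root (TODO confirm reason); failures ignored`.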

++++++ crypto-policies-FIPS.patch ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.039967598 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.043967740 +0200
@@ -1,207 +1,174 @@
-Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
+Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
-@@ -7,6 +7,7 @@ enable_fips=
- check=0
- boot_config=1
- err_if_disabled=0
-+fips_install_complete=0
- output_text=1
- 
- is_ostree_system=0
-@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
-     exit 1
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup
++++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
+       exit 1
  fi
  
--
--if [ "$(id -u)" != 0 ]; then
--      echo "You must be root to run $(basename $0)"
--      exit 1
--fi
--
--
--# Detect 1: kernel FIPS flag
--fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
--
--# Detect 2: initramfs fips module presence; not always can be done
--initramfs_fips_module=0
--initramfs_inspectable=0
--if test -d /boot -a -x /usr/bin/lsinitrd; then
--      initramfs_inspectable=1
--      if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
--              initramfs_fips_module=1
-+if test "$enable_fips" = 1 ; then
-+      # Check the required FIPS modules are installed
-+      if test ! -x "$(command -v grubby)" -o ! -f 
/usr/share/doc/packages/patterns/fips.txt -o ! -f 
/etc/dracut.conf.d/40-fips.conf; then
-+              cond_echo "Installation of FIPS modules is not complete."
-+              cond_echo "Please, install grubby and the fips pattern."
-+              exit 1
-       fi
++# This check must be done as root, otherwise it will fail.
++is_transactional_system=0
++if test ! -w /usr ; then
++      is_transactional_system=1
++fi
++
++# We don't handle the setup on transactional systems as the process is
++# quite different and involves several reboots.
++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
++    cond_echo -n "Cannot handle transactional systems. "
++    cond_echo "Please, refer to the fips-mode-setup man pages for more 
information."
++    exit 1
++fi
+ 
+ # Detect 1: kernel FIPS flag
+ fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+@@ -203,9 +216,22 @@ else
+         fi
  fi
  
--# Detect 3: crypto-policy base policy
--current_policy="$(cat /etc/crypto-policies/state/current)"
--base_policy="$(echo $current_policy| cut -f 1 -d :)"
--if test "$base_policy" == "FIPS" ; then
--      base_policy_is_fips=1
--else
--      base_policy_is_fips=0
-+if test "$enable_fips" = 1 ; then
-+      if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd 
-f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
-+      fips_install_complete=1
+-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+-      echo "The grubby command is missing, please configure the bootloader 
manually."
+-      boot_config=0
++if test "$boot_config" = 1 ; then
++      # Install required packages: patterns-base-fips and perl-Bootloader
++      if test ! -f /etc/dracut.conf.d/40-fips.conf && \
++              test ! -x "$(command -v pbl)" && \
++              test "$enable_fips" = 1; then
++              zypper -n install patterns-base-fips perl-Bootloader
++      elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
++              test "$enable_fips" = 1 ; then
++              zypper -n install patterns-base-fips
++      elif test ! -x "$(command -v pbl)" ; then
++              zypper -n install perl-Bootloader
++      fi
++      if test $? != 0 ; then
++              echo "The pbl command or the fips pattern are missing, please 
configure the bootloader manually."
++              boot_config=0
 +      fi
  fi
  
--
- if test $check = 1 ; then
--      # Look for signs for both enabling and disabling FIPS mode
--      fips_positive=0
--      fips_negative=0
--
--      # Display 1: kernel FIPS flag
--      cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
--
--      # Display 2: initramfs fips module
--      if test "$initramfs_inspectable" = 1 ; then
--              cond_echo -n "Initramfs fips module is "
--              cond_echo "$(enable2txt $initramfs_fips_module)."
--      fi
--
--      # Display 3: active crypto-policy
--      cond_echo -n "The current crypto policy ($current_policy) "
--      if test "$base_policy_is_fips" == 1 ; then
--              cond_echo 'is based on the FIPS policy.'
--      else
--              cond_echo -n 'neither is the FIPS policy '
--              cond_echo 'nor is based on the FIPS policy.'
--      fi
--
--      # Decide 1: kernel FIPS flag
--      if test "$fips_kernel_enabled" = 1 ; then
--              fips_positive=1
--      else
--              fips_negative=1
--      fi
--
--      # Decide 2: initramfs module presence
--      if test "$initramfs_inspectable" = 1 ; then
--              if test "$initramfs_fips_module" = 1 ; then
--                      fips_positive=1
+ echo "FIPS mode will be $(enable2txt $enable_fips)."
+@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then
+       echo "Now you need to configure the bootloader to add kernel options 
\"$fipsopts\""
+       echo "and reboot the system for the setting to take effect."
+ else
+-      grubby --update-kernel=ALL --args="$fipsopts"
+-      if test x"$(uname -m)" = xs390x; then
+-              if command -v zipl >/dev/null; then
+-                      zipl
 -              else
--                      fips_negative=1
-+      test $fips_install_complete = 0 && cond_echo "Installation of FIPS 
modules is not complete."
-+      fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
-+      cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
-+      if test "$fips_enabled" = 1 ; then
-+              if test $fips_install_complete = 0 ; then
-+                      cond_echo "Inconsistent state detected."
-+                      exit 1
-+              fi
-+              current="$(cat /etc/crypto-policies/state/current)"
-+              if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
-+                      cond_echo -n "The current crypto policy ($current) "
-+                      cond_echo -n 'neither is the FIPS policy '
-+                      cond_echo 'nor is based on the FIPS policy.'
-+                      cond_echo 'Inconsistent state detected.'
-+                      exit 1
-               fi
--      fi
--
--      # Decide 3: active crypto-policy
--      if test "$base_policy_is_fips" = 1 ; then
--              fips_positive=1
-       else
--              fips_negative=1
+-                      echo -n '`zipl` execution has been skipped: '
+-                      echo '`zipl` not found.'
+-              fi
 -      fi
--
--      # Make the FIPS mode consistency decision
--      if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
--              cond_echo 'Inconsistent state detected.'
--              exit 1
-+              if test $fips_install_complete = 1 ; then
-+                      cond_echo "Inconsistent state detected."
-+                      exit 1
-+              fi
-+              current="$(cat /etc/crypto-policies/state/current)"
-+              if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
-+                      cond_echo -n "The current crypto policy ($current) "
-+                      cond_echo -n 'is based on the FIPS policy, '
-+                      cond_echo 'but FIPS mode is not enabled.'
-+                      cond_echo 'Inconsistent state detected.'
-+                      exit 1
-+              fi
-       fi
--
--      # Error out if `--is-enabled` was passed and FIPS mode is not enabled
--      if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
--              cond_echo 'FIPS mode is not enabled.'
-+      if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
-               exit 2
-       fi
--
-       exit 0
++      pbl --add-option "$fipsopts"
++      grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
++
++      # grubby --update-kernel=ALL --args="$fipsopts"
++      # if test x"$(uname -m)" = xs390x; then
++      #       if command -v zipl >/dev/null; then
++      #               zipl
++      #       else
++      #               echo -n '`zipl` execution has been skipped: '
++      #               echo '`zipl` not found.'
++      #       fi
++      # fi
++
+       echo "Please reboot the system for the setting to take effect."
  fi
  
-+if [ "$(id -u)" != 0 ]; then
-+      echo "You must be root to run $(basename $0)"
-+      exit 1
+Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install
++++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install
+@@ -23,7 +23,16 @@ fi
+ 
+ umask 022
+ 
+-trap "rm -f $dracut_cfg" ERR
++# trap "rm -f $dracut_cfg" ERR
++
++# Install required packages: patterns-base-fips and perl-Bootloader
++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
++      zypper -n install patterns-base-fips perl-Bootloader
++elif test ! -f $dracut_cfg ; then
++      zypper -n install patterns-base-fips
++elif test ! -x "$(command -v pbl)" ; then
++      zypper -n install perl-Bootloader
 +fi
  
- if test $enable_fips = 1 ; then
--      if test "$initramfs_fips_module" = 0 ; then
-+      if test $fips_install_complete = 1 ; then
-               fips-finish-install --complete
-               if test $? != 0 ; then
--                      echo "Installation of FIPS modules could not be 
completed."
-+                      echo "Installation of FIPS modules could not be 
completed."
-                       exit 1
-               fi
-       fi
--      if test "$base_policy_is_fips" == 1 ; then
--              cond_echo -n 'Preserving current FIPS-based policy '
--              cond_echo "${current_policy}."
-+      target="$(cat /etc/crypto-policies/state/current)"
-+      if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
-+          cond_echo "Preserving current FIPS-based policy ${target}."
-               cond_echo -n 'Please review the subpolicies to ensure they '
-               cond_echo 'only restrict, not relax the FIPS policy.'
-       else
-@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
-       boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
-       boot_config=0
- else
--        if test "$boot_device" = / ; then
--            boot_device_opt=""
--        else
--            boot_device_opt=" boot=UUID=$(blkid -s UUID -o value 
$boot_device)"
--        fi
-+      if test "$boot_device" = / ; then
-+              boot_device_opt=""
-+      else
-+              boot_device_opt=" boot=UUID=$(blkid -s UUID -o value 
$boot_device)"
-+      fi
+ if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
+       # No dracut configuration or boot directory present, do not try to 
modify it.
+@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
+       exit 0
  fi
  
- if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
+-cat >$dracut_cfg <<EOF
+-# turn on fips module
+-
+-add_dracutmodules+=" fips "
+-EOF
+-
+-echo "Kernel initramdisks are being regenerated. This might take some time."
+-
+-dracut -f --regenerate-all
+-
+-# This is supposed to be a fast and safe operation that's always good to run.
+-# Regenerating an initrd and skipping it might render the system unbootable
+-# (RHBZ#2013195).
+-if test x"$(uname -m)" = xs390x; then
+-      if command -v zipl >/dev/null; then
+-              zipl
+-      else
+-              echo '`zipl` execution has been skipped: `zipl` not found.'
+-      fi
+-fi
++# cat >$dracut_cfg <<EOF
++# # turn on fips module
++#
++# add_dracutmodules+=" fips "
++# EOF
++#
++# echo "Kernel initramdisks are being regenerated. This might take some time."
++#
++# dracut -f --regenerate-all
++#
++# # This is supposed to be a fast and safe operation that's always good to 
run.
++# # Regenerating an initrd and skipping it might render the system unbootable
++# # (RHBZ#2013195).
++# if test x"$(uname -m)" = xs390x; then
++#     if command -v zipl >/dev/null; then
++#             zipl
++#     else
++#             echo '`zipl` execution has been skipped: `zipl` not found.'
++#     fi
++# fi
+Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
 ===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
-@@ -39,8 +39,15 @@ system crypto policy to FIPS
- (unless the policy has already been set to FIPS plus subpolicies on top,
- in which case the currently active subpolicies is retained).
- 
-+Some required FIPS modules (grubby, fips pattern) might not be
-+installed by default. These can be installed in SUSE/openSUSE with
-+the following command:
-+
-+    zypper in -y grubby && zypper in -y -t pattern fips
-+
- Then the command modifies the boot loader configuration to add
- 'fips=1' and 'boot=<boot-device>' options to the kernel command line.
-+Note that, grubby could show a harmless warning about leaked file descriptors.
- 
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
+@@ -45,6 +45,23 @@ Then the command modifies the boot loade
  When disabling the system FIPS mode the system crypto policy is switched
  to DEFAULT and the kernel command line option 'fips=0' is set.
+ 
++On transactional systems, enabling the system in FIPS mode with the
++fips-mode-setup tool is not implemented. To enable the FIPS mode in these
++systems requires the following steps:
++
++      1.- Install the FIPS pattern on a running system:
++          # transactional-update pkg install -t pattern microos-fips
++
++      2.- Reboot your system.
++
++      3.- Add the kernel command line parameter fips=1 to the boot loader
++          configuration. To do so, edit the file /etc/default/grub and add
++          fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
++
++      4.- After logging in to the system, run:
++          # transactional-update grub.cfg
++
++      5.- Reboot your system.
+ 
+ [[options]]
+ OPTIONS
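Review bot: In the rebased fips-mode-setup hunk (`@@ -216,15 +242,19 @@`), neither `pbl --add-option "$fipsopts"` nor `grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all` has its exit status checked, so "Please reboot the system for the setting to take effect." is printed even when the kernel command line was not updated and the machine would come back up without `fips=1`. Chaining the steps and stopping on failure would close that gap: `pbl --add-option "$fipsopts" && grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all || { echo "Bootloader update failed; FIPS setting not applied." >&2; exit 1; }`. The earlier `test $? != 0` after the `zypper -n install` chain only reflects zypper's exit status; re-testing `command -v pbl` and the presence of `/etc/dracut.conf.d/40-fips.conf` afterwards would check the actual precondition. The s390x `zipl` step is now commented out in both scripts, although the comment carried along with it (RHBZ#2013195) says that regenerating an initrd and skipping it might render the system unbootable; it is worth confirming that pbl covers that case. In fips-finish-install, `test ! -f $dracut_cfg` should quote the variable, and the commented-out `trap` and heredoc would be better deleted than left as dead code.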
 

++++++ crypto-policies-policygenerators.patch ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.055968169 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.059968312 +0200
@@ -1,13 +1,13 @@
-Index: 
fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+Index: 
fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
 ===================================================================
---- 
fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+--- 
fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
 @@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
  from .java import JavaGenerator
  from .java import JavaSystemGenerator
  from .krb5 import KRB5Generator
 -from .libreswan import LibreswanGenerator
-+#from .libreswan import LibreswanGenerator
++# from .libreswan import LibreswanGenerator
  from .libssh import LibsshGenerator
  from .nss import NSSGenerator
  from .openssh import OpenSSHClientGenerator
@@ -16,17 +16,16 @@
  from .openssl import OpenSSLGenerator
 -from .sequoia import SequoiaGenerator
 -from .sequoia import RPMSequoiaGenerator
-+#from .sequoia import SequoiaGenerator
-+#from .sequoia import RPMSequoiaGenerator
++# from .sequoia import SequoiaGenerator
++# from .sequoia import RPMSequoiaGenerator
  
  __all__ = [
      'BindGenerator',
-@@ -24,13 +24,13 @@ __all__ = [
+@@ -24,13 +24,14 @@ __all__ = [
      'JavaGenerator',
      'JavaSystemGenerator',
      'KRB5Generator',
 -    'LibreswanGenerator',
-+#    'LibreswanGenerator',
      'LibsshGenerator',
      'NSSGenerator',
      'OpenSSHClientGenerator',
@@ -35,7 +34,9 @@
      'OpenSSLGenerator',
 -    'SequoiaGenerator',
 -    'RPMSequoiaGenerator',
+ ]
++
++#    'LibreswanGenerator',
 +#    'SequoiaGenerator',
 +#    'RPMSequoiaGenerator',
- ]
 

++++++ crypto-policies-pylint.patch ++++++
Index: fedora-crypto-policies-20230614.5f3458e/Makefile
===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
+++ fedora-crypto-policies-20230614.5f3458e/Makefile
@@ -44,8 +44,8 @@ runflake8:
        @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
 
 runpylint:
-       PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
-       PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
+       PYTHONPATH=. pylint --rcfile=pylintrc python
+       PYTHONPATH=. pylint --rcfile=pylintrc tests
        @echo "[ OK ]"
 
 runcodespell:

++++++ crypto-policies.7.gz ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.099969742 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.107970029 +0200
@@ -2,12 +2,12 @@
 .\"     Title: crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 07/13/2023
+.\"      Date: 08/31/2023
 .\"    Manual: \ \&
 .\"    Source: crypto-policies
 .\"  Language: English
 .\"
-.TH "CRYPTO\-POLICIES" "7" "07/13/2023" "crypto\-policies" "\ \&"
+.TH "CRYPTO\-POLICIES" "7" "08/31/2023" "crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------

++++++ fips-finish-install.8.gz ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.127970743 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.131970886 +0200
@@ -2,12 +2,12 @@
 .\"     Title: fips-finish-install
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 07/13/2023
+.\"      Date: 08/31/2023
 .\"    Manual: \ \&
 .\"    Source: fips-finish-install
 .\"  Language: English
 .\"
-.TH "FIPS\-FINISH\-INSTAL" "8" "07/13/2023" "fips\-finish\-install" "\ \&"
+.TH "FIPS\-FINISH\-INSTAL" "8" "08/31/2023" "fips\-finish\-install" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------

++++++ fips-mode-setup.8.gz ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.147971458 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.155971744 +0200
@@ -2,12 +2,12 @@
 .\"     Title: fips-mode-setup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 07/13/2023
+.\"      Date: 08/31/2023
 .\"    Manual: \ \&
 .\"    Source: fips-mode-setup
 .\"  Language: English
 .\"
-.TH "FIPS\-MODE\-SETUP" "8" "07/13/2023" "fips\-mode\-setup" "\ \&"
+.TH "FIPS\-MODE\-SETUP" "8" "08/31/2023" "fips\-mode\-setup" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -38,21 +38,65 @@
 .sp
 When enabling the system FIPS mode, the command completes the installation of 
FIPS modules if needed by calling \fIfips\-finish\-install\fR and changes the 
system crypto policy to FIPS (unless the policy has already been set to FIPS 
plus subpolicies on top, in which case the currently active subpolicies is 
retained)\&.
 .sp
-Some required FIPS modules (grubby, fips pattern) might not be installed by 
default\&. These can be installed in SUSE/openSUSE with the following command:
+Then the command modifies the boot loader configuration to add \fIfips=1\fR 
and \fIboot=<boot\-device>\fR options to the kernel command line\&.
+.sp
+When disabling the system FIPS mode the system crypto policy is switched to 
DEFAULT and the kernel command line option \fIfips=0\fR is set\&.
+.sp
+On transactional systems, enabling the system in FIPS mode with the 
fips\-mode\-setup tool is not implemented\&. To enable the FIPS mode in these 
systems requires the following steps:
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-zypper in \-y grubby && zypper in \-y \-t pattern fips
+1\&.\- Install the FIPS pattern on a running system:
+    # transactional\-update pkg install \-t pattern microos\-fips
 .fi
 .if n \{\
 .RE
 .\}
 .sp
-Then the command modifies the boot loader configuration to add \fIfips=1\fR 
and \fIboot=<boot\-device>\fR options to the kernel command line\&. Note that, 
grubby could show a harmless warning about leaked file descriptors\&.
+.if n \{\
+.RS 4
+.\}
+.nf
+2\&.\- Reboot your system\&.
+.fi
+.if n \{\
+.RE
+.\}
 .sp
-When disabling the system FIPS mode the system crypto policy is switched to 
DEFAULT and the kernel command line option \fIfips=0\fR is set\&.
+.if n \{\
+.RS 4
+.\}
+.nf
+3\&.\- Add the kernel command line parameter fips=1 to the boot loader
+    configuration\&. To do so, edit the file /etc/default/grub and add
+    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable\&.
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+4\&.\- After logging in to the system, run:
+    # transactional\-update grub\&.cfg
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+5\&.\- Reboot your system\&.
+.fi
+.if n \{\
+.RE
+.\}
 .SH "OPTIONS"
 .sp
 The following options are available in fips\-mode\-setup tool\&.

++++++ update-crypto-policies.8.gz ++++++
--- /var/tmp/diff_new_pack.0PC6iw/_old  2023-09-07 21:12:07.171972316 +0200
+++ /var/tmp/diff_new_pack.0PC6iw/_new  2023-09-07 21:12:07.175972459 +0200
@@ -2,12 +2,12 @@
 .\"     Title: update-crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 07/13/2023
+.\"      Date: 08/31/2023
 .\"    Manual: \ \&
 .\"    Source: update-crypto-policies
 .\"  Language: English
 .\"
-.TH "UPDATE\-CRYPTO\-POLI" "8" "07/13/2023" "update\-crypto\-policies" "\ \&"
+.TH "UPDATE\-CRYPTO\-POLI" "8" "08/31/2023" "update\-crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
