commit dracut for openSUSE:Factory

Mon, 17 Jul 2017 00:03:07 -0700 

Hello community,

here is the log from the commit of package dracut for openSUSE:Factory checked 
in at 2017-07-17 09:02:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dracut (Old)
 and      /work/SRC/openSUSE:Factory/.dracut.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dracut"

Mon Jul 17 09:02:47 2017 rev:110 rq:510121 version:044.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/dracut/dracut.changes    2017-06-20 
09:33:48.327815641 +0200
+++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes       2017-07-17 
09:02:49.814309450 +0200
@@ -1,0 +2,18 @@
+Thu Jul 13 15:15:29 UTC 2017 - [email protected]
+
+- switch fips checking to use the libkcapi based fipscheck toolset 
(bsc#1048565)
+ * adds 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch
+
+-------------------------------------------------------------------
+Wed Jul 12 12:27:52 UTC 2017 - [email protected]
+
+- iscsiroot: call handle_firmware only for non-iface invocations (bsc#1032284)
+ * adds 0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch
+
+-------------------------------------------------------------------
+Tue Jul 11 09:55:00 UTC 2017 - [email protected]
+
+- bail out if module directory does not exist (bsc#1043900)
+  * adds 0525-backport-bail-out-if-module-directory-does-not-exist.patch
+
+-------------------------------------------------------------------
@@ -5 +23 @@
-  adds 0524-Suppress-nonsensical-error-message-bsc-1032029.patch
+  * adds 0524-Suppress-nonsensical-error-message-bsc-1032029.patch

New:
----
  0525-backport-bail-out-if-module-directory-does-not-exist.patch
  0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch
  0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dracut.spec ++++++
--- /var/tmp/diff_new_pack.FKDQSf/_old  2017-07-17 09:02:52.365950132 +0200
+++ /var/tmp/diff_new_pack.FKDQSf/_new  2017-07-17 09:02:52.369949568 +0200
@@ -206,6 +206,9 @@
 Patch522:       0522-Fix-typo-from-commit-3f1cdb520.patch
 Patch523:       0523-98dracut-systemd-Fix-module-force-loading-with-syste.patch
 Patch524:       0524-Suppress-nonsensical-error-message-bsc-1032029.patch
+Patch525:       0525-backport-bail-out-if-module-directory-does-not-exist.patch
+Patch526:       0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch
+Patch527:       0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch
 
 BuildRequires:  asciidoc
 BuildRequires:  bash
@@ -253,6 +256,7 @@
 Requires:       fipscheck
 Requires:       libcryptsetup4-hmac
 Requires:       libgcrypt20-hmac
+Requires:       libkcapi-tools
 
 %description fips
 This package requires everything which is needed to build an
@@ -436,6 +440,9 @@
 %patch522 -p1
 %patch523 -p1
 %patch524 -p1
+%patch525 -p1
+%patch526 -p1
+%patch527 -p1
 
 %build
 %configure\

++++++ 0524-Suppress-nonsensical-error-message-bsc-1032029.patch ++++++
--- /var/tmp/diff_new_pack.FKDQSf/_old  2017-07-17 09:02:52.785890996 +0200
+++ /var/tmp/diff_new_pack.FKDQSf/_new  2017-07-17 09:02:52.789890433 +0200
@@ -1,4 +1,4 @@
-From 33f374affcd65741dcef747c7cb57482d9ff3103 Mon Sep 17 00:00:00 2001
+From a651341debaf284101cb32c27373ed9a0dec7107 Mon Sep 17 00:00:00 2001
 From: Daniel Molkentin <[email protected]>
 Date: Mon, 19 Jun 2017 13:42:43 +0200
 Subject: [PATCH] Suppress nonsensical error message (bsc#1032029)

++++++ 0525-backport-bail-out-if-module-directory-does-not-exist.patch ++++++
>From cb1c81fc7f6bc72a72de1f87847924572aa39b54 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <[email protected]>
Date: Thu, 29 Jun 2017 17:18:37 +0200
Subject: [PATCH] backport: bail out if module directory does not exist

this basically reverts commit
05214a0bedc084a41c35a128609745ad04a0c6cf

if people want to build the initramfs without kernel modules,
then --no-kernel should be specified

Upstream-Commit: 106255afd46ea2be1d035aca0c5695186a3f2c41
---
 dracut.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/dracut.sh b/dracut.sh
index 1016d5ae..492ecbf7 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -632,12 +632,6 @@ if ! [[ $kernel ]]; then
     kernel=$(uname -r)
 fi
 
-if [[ $kernel ]]; then
-    if ! [[ -d /lib/modules/$kernel ]] && [[ $no_kernel != yes ]]; then
-        printf -- "Kernel version $kernel has no module directory 
/lib/modules/$kernel\n" >&2
-    fi
-fi
-
 if ! [[ $outfile ]]; then
     [[ -f /etc/machine-id ]] && read MACHINE_ID < /etc/machine-id
 
@@ -892,6 +886,12 @@ else
     exit 1
 fi
 
+if [[ $no_kernel != yes ]] && ! [[ -d $srcmods ]]; then
+    printf "%s\n" "dracut: Cannot find module directory $srcmods" >&2
+    printf "%s\n" "dracut: and --no-kernel was not specified" >&2
+    exit 1
+fi
+
 if ! [[ $print_cmdline ]]; then
     inst /bin/sh
     if ! $DRACUT_INSTALL ${initdir:+-D "$initdir"} -R "$initdir/bin/sh" 
&>/dev/null; then
-- 
2.12.3

++++++ 0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch ++++++
>From d9e0e5682daeda83e5b1096d2fe570f2d38e65a5 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <[email protected]>
Date: Wed, 12 Jul 2017 11:46:50 +0200
Subject: [PATCH] iscsiroot: call handle_firmware only for non-iface
 invocations (bsc#1032284)

This partially reverts the "setup bnx2i offload connections properly"
patch to the original version from bsc#997598.

Patch-by: Martin Wilck <[email protected]>
---
 modules.d/95iscsi/iscsiroot.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh
index 6ad279f2..3a2463f5 100755
--- a/modules.d/95iscsi/iscsiroot.sh
+++ b/modules.d/95iscsi/iscsiroot.sh
@@ -264,9 +264,11 @@ if [ "$netif" = "timeout" ] && all_ifaces_setup; then
 fi
 
 if getargbool 0 rd.iscsi.firmware -d -y iscsi_firmware ; then
-    [ -f /tmp/session-retry ] || echo 1 > /tmp/session-retry
-    handle_firmware
-    ret=$?
+    if [ "$netif" = "timeout" ] || [ "$netif" = "online" ] || [ "$netif" = 
"dummy" ]; then
+        [ -f /tmp/session-retry ] || echo 1 > /tmp/session-retry
+        handle_firmware
+        ret=$?
+    fi
 fi
 
 if ! [ "$netif" = "online" ]; then
-- 
2.12.3

++++++ 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch ++++++
>From 3a1abe58f68fbdee31f7370314432ff903954daa Mon Sep 17 00:00:00 2001
From: Marcus Meissner <[email protected]>
Date: Thu, 13 Jul 2017 16:56:14 +0200
Subject: [PATCH] switch fips checking to use the libkcapi based fipscheck
 toolset.

---
 modules.d/01fips/fips.sh         | 19 ++++++++++++++++---
 modules.d/01fips/module-setup.sh | 10 ++++++++++
 suse/dracut.spec                 |  1 +
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index ddf03994..081dba95 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -57,9 +57,15 @@ do_rhevh_check()
 {
     KERNEL=$(uname -r)
     kpath=${1}
-
+    FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/lib/libkcapi/fipscheck
+    fi
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/bin/fipscheck
+    fi
     # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
-    if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
+    if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then
         warn "HMAC sum mismatch"
         return 1
     fi
@@ -81,6 +87,13 @@ do_fips()
     fi
 
     KERNEL=$(uname -r)
+    FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/lib/libkcapi/fipscheck
+    fi
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/bin/fipscheck
+    fi
 
     if ! [ -e "/boot/.${_vmname}-${KERNEL}.hmac" ]; then
         warn "/boot/.${_vmname}-${KERNEL}.hmac does not exist"
@@ -134,7 +147,7 @@ do_fips()
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
     else
-        fipscheck "/boot/${_vmname}-${KERNEL}" || return 1
+        $FIPSCHECK "/boot/${_vmname}-${KERNEL}" || return 1
     fi
 
     info "All initrd crypto checks done"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index beeb2f6d..9e5eca4f 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -24,6 +24,7 @@ installkernel() {
     _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 
serpent_sse2_x86_64 serpent_generic twofish_generic "
     _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper 
twofish_x86_64 twofish_common blowfish_generic "
     _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+    _fipsmodules+="algif_hash af_alg crypto_user "
 
     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
@@ -54,9 +55,18 @@ install() {
         .libgcrypt.so.20.hmac \
         libfreeblpriv3.so libfreeblpriv3.chk
 
+    if [ -f /usr/lib64/libkcapi/.fipscheck.hmac ]; then
+        inst_simple /usr/lib64/libkcapi/.fipscheck.hmac
+        inst_simple /usr/lib64/libkcapi/fipscheck
+    else
+        inst_simple /usr/lib/libkcapi/.fipscheck.hmac
+        inst_simple /usr/lib/libkcapi/fipscheck
+    fi
+
     # we do not use prelink at SUSE
     #inst_multiple -o prelink
 
     inst_simple /etc/system-fips
+
 }
 
-- 
2.12.3

Reply via email to