Hello community,

here is the log from the commit of package dracut for openSUSE:Factory checked in at 2018-01-31 19:48:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dracut (Old)
 and      /work/SRC/openSUSE:Factory/.dracut.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut" Wed Jan 31 19:48:28 2018 rev:119 rq:569525 version:044.1 Changes: -------- --- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2017-12-16 20:47:36.034261514 +0100 +++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes 2018-01-31 19:48:29.846946900 +0100 
@@ -1,0 +2,34 @@ +Thu Jan 25 09:19:05 UTC 2018 - daniel.molken...@suse.com + +- support validating the IMA policy file signature, needed since Kernel 4.7 + * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch + +- IMA: improve support for evm key loading (bsc#1077359, fate#323906) + * Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch + * Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch + +- FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070) + +- Added a few more patch annotations + +------------------------------------------------------------------- +Fri Jan 19 15:29:15 UTC 2018 - daniel.molken...@suse.com + +- Fix typo for ima dependency (evmtcl vs evmctl) (bsc#1073466) + +- Updated Patch annotation regarding their upstream state + +------------------------------------------------------------------- +Wed Jan 10 11:25:13 UTC 2018 - daniel.molken...@suse.com + +- FIPS: Try to fetch list of fips modules from the kernel's modules dir (bsc#1074984) + * Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch + +- Annotated patches regarding their upstream state + +------------------------------------------------------------------- +Tue Jan 9 08:08:01 UTC 2018 - daniel.molken...@suse.com + +- dracut-ima requires evmctl and keyutils (bsc#1073466) + +------------------------------------------------------------------- New: ---- 0551-fips-use-lib-modules-uname-r-modules.fips.patch 0552-98integrity-support-validating-the-IMA-policy-file-s.patch 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch 0554-98integrity-support-X.509-only-EVM-configuration.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut.spec ++++++ --- /var/tmp/diff_new_pack.ksBnNX/_old 2018-01-31 19:48:32.550821180 +0100 +++ /var/tmp/diff_new_pack.ksBnNX/_new 2018-01-31 19:48:32.554820994 +0100 
@@ -1,7 +1,7 @@ # # spec file for package dracut # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -36,7 +36,7 @@ Source7: 99-debug.conf Source8: s390x_persistent_device.conf -#Network: +# Network, none are upstream yet: Patch12: 0012-40network-Fix-race-condition-when-wait-for-networks.patch Patch13: 0013-40network-always-start-netroot-in-ifup.sh.patch Patch15: 0015-40network-replace-dhclient-with-wickedd-dhcp-supplic.patch 
@@ -59,33 +59,61 @@ Patch170: 0170-iscsi-skip-ibft-invalid-dhcp.patch #S390 +# Applied upstream as 55c763b1ff37405da390ab1ef5765683f3a7838e Patch16: 0016-Add-new-s390x-specific-rule-files.patch +# Submitted to upstream as d43cccf5885a84d688a3b526d5fc57865369da57 Patch21: 0021-95dcssblk-Add-new-module-for-DCSS-block-devices.patch +# Submitted to upstream as d0c97fdf4c33bb422f0a13a8752751d3054de143 Patch56: 0056-81cio_ignore-handle-cio_ignore-commandline.patch +# Applied upstream as 856d039ba4716ba080fc8d823b3329a4470a60ef Patch75: 0075-95dasd_rules-enable-parsing-of-rd.dasd-commandline-p.patch +# Applied upstream as 5d1ea2d72616ec7ed9cf5e1f3bc99d7d5bc4f003 Patch76: 0076-Correctly-set-cio_ignore-for-dynamic-s390-rules.patch +# Applied upstream as e5d21b80c054235114c4167e0bf7769aa698b4d4 Patch79: 0079-95dasd_rules-fixup-rd.dasd-parsing.patch +# Applied upstream as 13626413107b67ab493ccfc4f6a1c6bef228a74e Patch80: 0080-95dasd_rules-print-out-rd.dasd-commandline.patch +# Applied upstream as 6f1b5c0dabe57259d7e67ab9b643b11b70deb388 Patch81: 0081-95dasd_mod-do-not-set-module-parameters-if-dasd_cio_.patch +# Applied upstream as 9be4be7aa72af312c6b0588ddb008da7632612bc Patch83: 0083-95zfcp_rules-Fixup-rd.zfcp-parsing.patch +# Applied upstream as 624f173cbd49b7389577aac10a887f16d4f89b7a Patch85: 0085-95zfcp_rules-print-out-rd.zfcp-commandline-parameter.patch +# Applied upstream as c8e531239bf314ae532ca1bc820285250a3b35d7 Patch86: 0086-95zfcp_rules-Auto-generate-udev-rule-for-ipl-device.patch +# Applied upstream as bd355f8643555762acf02c6dd6179b683cd0a6aa Patch87: 0087-95dasd_rules-Auto-generate-udev-rule-for-ipl-device.patch +# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2 Patch88: 0088-91zipl-Add-new-module-to-update-s390x-configuration.patch +# Applied upstream as 2600b54c187e5668f5b55d5d73f49e99c7b33212 Patch107: 0107-Fixup-typo-firmare-instead-of-firmware.patch +# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2 Patch108: 
0108-91zipl-Store-commandline-correctly.patch +# Applied upstream as 05bf32097201c24c56dc6bb7a59a428293247d61 Patch109: 0109-95dasd_rules-Store-all-devices-in-commandline.patch +# Applied upstream as 3a8ba440265696ce1279dc12eb5a7acda14c1712 Patch110: 0110-95zfcp_rules-Store-all-devices-in-commandline.patch +# Submitted to upstream as d118e9d94050ea65cb4514dda5fda10ef30275fe Patch113: 0113-91zipl-Install-script-as-executable.patch +# Submitted to upstream as 403f2c3e1dbb681c27b1279b9d023449cfc6d007 Patch114: 0114-91zipl-Translate-ext2-3-into-ext4.patch +# TODO: Apply upstream, already incorporated where original patches have been upstreamed Patch116: 0116-Mark-scripts-as-executable.patch +# Applied upstream as cf9c8c5fe3fdb899b57c25867bf54b74adc3272f Patch117: 0117-95dasd_rules-Enable-the-device-before-checking-devic.patch +# Applied upstream as 5e7bbe43a349a9d3ef0300c61f62a49a2e44c0a0 Patch118: 0118-95zfcp_rules-Enable-the-device-before-checking-devic.patch +# Applied upstream as 5f923256e33893bead8233852a741a4b0036f709 Patch123: 0123-95zfcp_rules-fix-typo-in-module_setup.patch +# Submitted to upstream as 33260dac6e0980da2d6577a29d83644b6637745c Patch157: 0157-Add-boot-zipl-to-host-devs-if-it-is-a-mount-point.patch +# Submitted to upstream as 8bae047a4e096e69a34c520dae15458e210eecdb Patch160: 0160-s390-update_active_devices_initrd.patch +# Applied upstream as c8aa1d949aecaf146b0a0e1ce269f69e6048dc5a Patch161: 0161-95zfcp_rules-simplified-rd.zfcp-commandline-for-NPIV.patch +# Applied upstream as e5bf1cecd635897e5f2c8ae373494d33af3b1996 Patch188: 0188-95dasd_rules-Install-collect-udev-helper-binary.patch +# TODO: Apply upstream (??) Patch506: 0506-Boot-on-s390x-with-fips-1-on-the-kernel-commnad-line.patch #FIPS 
@@ -99,25 +127,35 @@ Patch510: 0510-01fips-Some-modules-use-separators-other-than.patch Patch511: 0511-01fips-ensure-fips-initialization-succeeds-on-s390-x.patch -# Others +# Others, partly SUSE specific. Not submitted unless annotated otherwise + +# Submitted to upstream as 7ce2872be28a5463757651cc30049c3f4e81559a Patch20: 0020-00warpclock-Set-correct-timezone.patch Patch58: 0058-dracut-add-warning-when-including-unsupported-module.patch Patch59: 0059-99suse-Add-SUSE-specific-initrd-parsing.patch +# TODO: This should not be a patch, but be removed in the install section Patch90: 0090-dracut-caps-Remove-whole-caps-module.patch Patch91: 0091-dracut-biosdevname-In-SUSE-biosdevname-package-is-in.patch Patch121: 0121-Adjust-initramfs-kernel.img-to-SUSE-default-initrd-k.patch Patch130: 0130-nfs-Always-add-all-kernel-modules-for-kdump.patch +# Applied upstream as c3b6970394ad677f05a42bef420bf34b1d0652e0 Patch144: 0144-90crypt-Fixed-crypttab_contains-to-also-work-with-de.patch Patch150: 0150-Find-kernel-modules-in-extra-and-weak-updates-path-a.patch Patch158: 0158-Add-SUSE-kernel-module-dependencies-in-etc-modprobe.patch Patch163: 0163-Install-etc-sysconfig-console-to-see-specific-fonts.patch +# TODO: Verify: Should be obsolete due to fixes in systemd Patch164: 0164-Fix-initramfs-ver.img-vs-initrd-ver-in-dracut-initra.patch +# Submitted as a check to upstream as 446654703742e6c1d7b1134a7d73b2bf7ce20cda Patch168: 0168-remove_plymouth_logo_file.patch +# Applied upstream as 251afd36b2be35b7b27011b6f90b5ab3bbbbff84 Patch180: 0180-i18n_add_correct_fontmaps.patch +# Applied upstream as dcacd2b072c301a51c114256e8bb696346879a2b Patch182: 0182-fix-include-parsing.patch +# Applied upstream as d53bb5c01737270049fde82559ae72aae1943b81 Patch183: 0183-fix_add_drivers_hang.patch # iscsiadm +# TODO: Apply all patches in this section upstream Patch190: 0190-replace-iscsistart-with-systemd-service-files.patch Patch191: 0191-static_network_setup_return_zero.patch Patch192: 
0192-iscsi_set_boot_protocol_from_ifcfg.patch 
@@ -128,31 +166,58 @@ Patch199: 0199-rd-iscsi-waitnet-default-false.patch # Submit mainline asap + +# Applied upstream as 5c84d51b3f258af9035a4031c6b482103adea4d9 Patch128: 0128-90lvm-Install-dm-snapshot-module.patch +# Applied upstream as d12ce1da8551c065616f81f158b6425b20ee191c Patch200: 0200-dracut_fix_multipath_without_config.patch +# Applied upstream as f5c10673de18d84f3b054df9a68ffa8d43f9571c Patch201: 0201-fix_nfs_with_ip_instead_of_hostname.patch +# TODO: Apply upstream Patch202: 0202-dracut_dmraid_use_udev.patch +# TODO: Check if still an issue with C-style insmod logic Patch203: 0203-no-fail-builtin-module.patch +# Applied upstream as 51d2436c22d64e45376c64ad3b6c90c48cc88d78 Patch204: 0204-mkinitrd-fix-monster.patch +# TODO: Apply upstream Patch205: 0205-mdraid_ignore_hostonly.patch +# Applied upstream as 8602e5986702f6118f8b30f1053a45af1df892bd Patch206: 0206-nfs_dns_alias.patch +# Applied upstream as 43819af68c7789ec932c25e699c56889fdf7276c Patch207: 0207-handle_module_aliases.patch +# TODO: Possibly made redundant by changes done by upstream Patch208: 0208-no_forced_virtnet.patch +# Applied upstream as 9fd3e045d5b41ba5cf9fb0c51db9750ce0e530d8 Patch209: 0209-fix_modules_load_d_hostonly.patch +# Applied upstream as 22836a092191c1abc0e04e4c6d68856f2603d6e8 Patch210: 0210-add_fcoe_uefi_check.patch +# Applied upstream as 6b96b50d2cd92d6598240e6061a81b29b889ecdd Patch212: 0212-fcoe_reorder_init_path.patch +# Applied upstream as 18729719a7091c35ffe377b21b860a60a352def8 Patch213: 0213-Fix-wrong-keymap-inclusion.patch +# Applied upstream as d066fcc3fb9080ffff412c8dc5177ca1dcc08e75 Patch214: 0214-95fcoe-Do-not-overwrite-FCoE-configuration.patch +# Applied upstream as 1279a9e1a0a28107e0a240ab344f700b465c96b3 by upstream Patch215: 0215-95fcoe-Do-not-complain-about-missing-etc-hba.conf.patch +# Applied upstream as d71c9ee286def5d1a5e90f549b65e21d0f18c9ac Patch216: 0216-95fcoe-silence-lldpad-warnings.patch +# Applied upstream as 
c75196e11ec4325fc76bb11aeb884ceade62df48 Patch217: 0217-95fcoe-Allow-to-specify-the-FCoE-mode-via-the-fcoe-p.patch +# Probably not upstreamable? Patch218: 0218-40network-allow-persistent-interface-names.patch +# Applied upstream as 164760f4b075ff564c349cb40d1fa308c139432d Patch219: 0219-95fcoe-use-interface-names-instead-of-MAC-addresses.patch +# Applied upstream as 2aac3194100b903740bb9057aed71a35ce92a2e3 Patch220: 0220-95fcoe-always-set-AUTO_VLAN-for-fcoemon.patch +# Applied upstream as a3f91db4768451a10fbbc3e28270c29e1368df6c Patch221: 0221-95fcoe-Add-shutdown-script.patch +# Applied upstream as 07e635748342aa70a76bc1a2237339f6a897d841 Patch222: 0222-90dm-Fixup-shutdown-script.patch +# Applied upstream as 870591acec41e854071129e7bf834cdfe43ae716 Patch223: 0223-90dm-fixup-dependency-cycle-between-MD-and-DM-shutdo.patch +# TODO: Apply upstream Patch224: 0224-95iscsi-setup-bnx2i-offload-connections-properly.patch +# Applied upstream as part of 36a8b2e3058518255dbd39e33bf2c72b7889cfae Patch225: 0225-95fcoe-do-not-start-fcoemon-twice.patch # SUSE-specific fixes 
@@ -173,68 +238,130 @@ Patch314: 0314-nfs_do_not_pass_ifname_for_bonding_devices.patch # New features/improvements +# TODO: Apply upstream Patch402: 0402-driver-fail-summary.patch +# Applied upstream as 10f06425a597ca797b8efbf45e8838c4d30651e9 Patch403: 0403-95lunmask-Add-module-to-handle-LUN-masking.patch +# Applied upstream as 1f8a7ae799effed1e57033167beca4281389391c Patch404: 0404-dracut-emergency-optionally-print-fs-help.patch # Workarounds/Patches no longer relevant in 045 Patch450: 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch +# Patch from upstream: d4efc0aeeecc470d9a267b7f3c130f472488905c Patch451: 0451-systemd-initrd-add-initrd-root-device.target.patch +# Applied upstream as 9ffab3f3a5105691b4b640649c3a99e3cce39c1a Patch452: 0452-Always-try-to-add-pinctrl-cherryview.patch +# Applied upstream as 7957bd01b097507a601495ed7cd2c8480c2af67b Patch453: 0453-Resolve-symbolic-links-for-i-and-k-parameters-bsc-90.patch +# Applied upstream as e69da98de1a4175fb3c745570471fc3a7d567a33 Patch454: 0454-Add-md4-and-arc4-modules-for-ntlm.patch # On top patches/fixes which have to be applied late +# Applied upstream as 8b0791fa010cf7e5fde3a37a8c2bb6d6f1264f59 Patch500: 0500-Reset-IFS-variable.patch +# Applied upstream as e0c3b0793f92c24d442f543a755aed8cc218ab20 Patch501: 0501-dasd_fix_ssid_bigger_zero.patch +# TODO: Apply upstream Patch502: 0502-persistent_device_policy_param_enhance.patch +# Applied upstream as 0db98910a11c12a454eac4c8e86dc7a7bbc764a4 Patch503: 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch +# TODO: Apply upstream Patch504: 0504-ibft-fix-boot-flag-check.patch +# Applied upstream as f1c790495baa017ec48b266a33b0dd558e760dde Patch505: 0505-Allow-booting-from-degraded-MD-RAID-arrays.patch +# Applied upstream as 649619f6a5775d1c94d9c4f3fec627c747633275 Patch507: 0507-Set-TaskMax-inifinite-for-the-emergency-shell.patch +# Applied upstream as 8008d47fafcecd27c456215e910be33a23546519 Patch508: 
0508-90multipath-start-before-local-fs-pre.target.patch +# Applied upstream as 8b6d136e625cb538f8845e858b37e9f6c67a5f1c Patch512: 0512-Make-binutils-optional-when-elfutils-are-available.patch +# TODO: Apply upstream Patch513: 0513-Fix-regression-caused-by-6f9bf2b8ac436259bdccb110545.patch +# Applied upstream as 4a739be99c409719e76078ece55e7ba3c817b054 Patch514: 0514-man-make-the-k-option-clear-using-mkinitrd.patch +# Reverted later. Do not submit! Patch515: 0515-90kernel-modules-also-add-block-device-driver-revers.patch +# Applied upstream as 7cf2c21798b537a5553ecc23df5ce8cfda631e9c Patch516: 0516-mkinitrd-suse.sh-Fix-prefix-calculation.patch +# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac Patch517: 0517-95fcoe-fixup-fcoe-genrules.sh-for-VN2VN-mode.patch +# Fixed more generically in upstream as feaaee4278077dd67fe24acebfbe47ba20738955 Patch518: 0518-90kernel-modules-Fix-backlight-on-Cherrytrail-device.patch +# TODO: Apply upstream if correct Patch519: 0519-90kernel-modules-Ensure-phy-drivers-are-loaded-in-in.patch +# TODO: Check if still relevant and apply upstream Patch520: 0520-Ignore-module-resolution-errors.patch +# TODO: Apply upstream Patch521: 0521-Ensure-udev-persistent-storage-compat-rules-get-crea.patch +# TODO: belongs with FIPS commits Patch522: 0522-Fix-typo-from-commit-3f1cdb520.patch +# Applied upstream as e3189ab1235748cda136b564668b697d1c87847b Patch523: 0523-98dracut-systemd-Fix-module-force-loading-with-syste.patch +# Fixes SUSE Patch Patch524: 0524-Suppress-nonsensical-error-message-bsc-1032029.patch +# Applied from upstream commit 106255afd46ea2be1d035aca0c5695186a3f2c41 Patch525: 0525-backport-bail-out-if-module-directory-does-not-exist.patch +# TODO: apply upstream Patch526: 0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch +# TODO: belongs with FIPS commits Patch527: 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch +# TODO: apply upstream Patch528: 
0528-Ensure-dracut.sh-responds-properly-to-hostonly_cmdli.patch +# Applied from upstream commit 8261d2367ee673e24d03306b9623f4f3070dae5b Patch529: 0529-systemd-add-missing-.slice-unit.patch +# Applied from upstream commit eddca3c9c24e4cb9c5def0b98920e36b16fafaac Patch530: 0530-dracut-systemd-dracut-cmdline-ask-fix-dracut-kernel-.patch +# Applied from upstream commit c000a21c25bd436f2b3cc2076cb7025cc82d2807 Patch531: 0531-dracut-systemd-.service-conflict-with-shutdown-targe.patch +# Do not submit, reverts bogus patch Patch532: 0532-List-drivers-rather-than-looking-for-reverse-depende.patch +# TODO: check if still relevant Patch533: 0533-instmods-check-modules.builtin-in-srcmods.patch +# Applied upstream as 348935e3b65b5058e65f66682df6a5b184eaacb2 Patch534: 0534-ssh-client-Include-nss_-libraries.patch +# Applied upstream as e316ae0e4309726b2c067a70ac41f7b22011c063 Patch535: 0535-Sync-initramfs-after-creation.patch +# TODO: apply upstream Patch536: 0536-90multipath-drop-67-kpartx-compat.rules.patch +# TODO: check how to submit upstream Patch537: 0537-dracut-init.sh-ignore-crc32.ko-in-builtin-test.patch +# Applied upstream as afe4e2844ffa7c06160434430f0ce9e493c112e0 Patch538: 0538-Enable-core-dumps-with-systemd-from-initrd.patch +# Not eligable for submit, unless specfile gets submitted Patch539: 0539-Add-IMA-functionality-fate-323289.patch +# Applied from upstream commit 551cc3694e32be97084b1f198f76f4daf908d503 Patch540: 0540-Check-the-proper-variable-for-a-custom-IMA-keys-dire.patch # SLE and Leap have persistent net names, but not Factory/TW %if 0%{?suse_version} && ! 
0%{?sle_version} +# TODO: Unsure if this can be sumbmitted Patch541: 0541-Make-sure-70-persistent-net.rules-is-included-in-ini.patch %endif +# Applied upstream as 9f2916cce13d584610295e001394274e823c3f15 Patch542: 0542-Include-crc32c-intel-module-when-using-btrfs.patch +# Applied upstream as b36d322bd2ccb6ef4eb31384c86a75572184bba1 Patch543: 0543-Remove-00systemd-bootchart.patch +# TODO: Check if still relevant Patch544: 0544-40network-Make-ip-dhcp-work.patch +# More generic fix upstream Patch545: 0545-Add-early-microcode-support-for-AMD-family-16h.patch +# More generic fix upstream Patch546: 0546-Support-Microcode-Updates-for-AMD-CPU-Family-0x17.patch +# Applied upstream as df96cccc8f562f8aeab7c09248c204f21ed42c4a Patch547: 0547-Fix-task-limit-in-emergency.service-the-same-change-.patch +# Applied upstream as 36a8b2e3058518255dbd39e33bf2c72b7889cfae Patch548: 0548-95fcoe-Switch-back-to-using-fipvlan-for-bnx2fc.patch +# Same patch applied by upstream: 3966a1e1ee0e3d27197258f446f54b683c415208 Patch549: 0549-fcoe-up-Increase-sleeptime-to-13s.patch +# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac Patch550: 0550-95fcoe-add-timeout-initqueue-entries.patch +# Patch adopted from upstream commit 7c29d205f4bfb465f1618fdb8984798522c8eb4a +Patch551: 0551-fips-use-lib-modules-uname-r-modules.fips.patch +# Patch adopted from upstream commit 479b5cd94f16052cf6ea28d0e8abba2b926fff83 +Patch552: 0552-98integrity-support-validating-the-IMA-policy-file-s.patch +# Patch submitted to upstream as 9e451d4770ec3a98816fcf97fdd745d6af135336 +Patch553: 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch +# Patch submitted to upstream as cb2c9a4338ddc15d55c6c524276a1807bec23485 +Patch554: 0554-98integrity-support-X.509-only-EVM-configuration.patch BuildRequires: asciidoc BuildRequires: bash 
@@ -282,7 +409,7 @@ Requires(post): coreutils Requires: %{name} = %{version}-%{release} Requires: fipscheck -Requires: libcryptsetup4-hmac +Requires: libcryptsetup12-hmac Requires: libgcrypt20-hmac Requires: libkcapi-tools @@ -295,6 +422,8 @@ Summary: Dracut modules to build a dracut initramfs with IMA Group: System/Base Requires: %{name} = %{version}-%{release} +Requires: evmctl +Requires: keyutils %description ima This package requires everything which is needed to build an @@ -505,6 +634,10 @@ %patch548 -p1 %patch549 -p1 %patch550 -p1 +%patch551 -p1 +%patch552 -p1 +%patch553 -p1 +%patch554 -p1 %build %configure\ ++++++ 0551-fips-use-lib-modules-uname-r-modules.fips.patch ++++++ >From 2a7f2be7475dfaf5090bbafbbf5b7eb3067eef46 Mon Sep 17 00:00:00 2001 From: Daniel Molkentin <dmolken...@suse.com> Date: Wed, 10 Jan 2018 11:03:22 +0100 Subject: [PATCH] fips: use /lib/modules/$(uname -r)/modules.fips if /lib/modules/$(uname -r)/modules.fips exists, use that list instead of the hardcoded dracut module list. Backported from upstream's master branch diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh index 9e5eca4f..709cfc85 100755 --- a/modules.d/01fips/module-setup.sh +++ b/modules.d/01fips/module-setup.sh 
@@ -13,18 +13,22 @@ depends() { # called by dracut installkernel() { local _fipsmodules _mod - _fipsmodules="ansi_cprng arc4 authenc ccm " - _fipsmodules+="ctr cts deflate drbg " - _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic rmd128 " - _fipsmodules+="rmd160 rmd256 rmd320 seed " - _fipsmodules+="sha512_generic tcrypt tea wp512 xts " - _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 sha512_s390 " - _fipsmodules+="gf128mul " - _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 camellia_generic camellia_x86_64 pcbc tgr192 anubis " - _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic " - _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic " - _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc " - _fipsmodules+="algif_hash af_alg crypto_user " + if [[ -f "${srcmods}/modules.fips" ]]; then + _fipsmodules="$(cat "${srcmods}/modules.fips")" + else + _fipsmodules="ansi_cprng arc4 authenc ccm " + _fipsmodules+="ctr cts deflate drbg " + _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic rmd128 " + _fipsmodules+="rmd160 rmd256 rmd320 seed " + _fipsmodules+="sha512_generic tcrypt tea wp512 xts " + _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 sha512_s390 " + _fipsmodules+="gf128mul " + _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 camellia_generic camellia_x86_64 pcbc tgr192 anubis " + _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic " + _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic " + _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc " + _fipsmodules+="algif_hash af_alg crypto_user " + fi mkdir -m 0755 -p "${initdir}/etc/modprobe.d" -- 2.13.6 ++++++ 
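Review bot: in 0551-fips-use-lib-modules-uname-r-modules.fips.patch the `[[ -f "${srcmods}/modules.fips" ]]` test only checks that the file exists, so an empty or truncated modules.fips leaves `_fipsmodules` empty and the hard-coded fallback list is never consulted; the result is an initramfs with no FIPS crypto modules at all, which the later fipscheck will only catch at boot. Suggest testing for non-empty content (`[[ -s "${srcmods}/modules.fips" ]]`) and only skipping the fallback list when the file actually yields at least one module name. Also, the commit subject and body talk about `/lib/modules/$(uname -r)/modules.fips`, while the code correctly reads `${srcmods}/modules.fips`, dracut's module source directory for the kernel being built for (which need not be the running one); the description should say that so nobody "fixes" it back to `uname -r`.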
0552-98integrity-support-validating-the-IMA-policy-file-s.patch ++++++ >From d31e03d34cc743c6538f532704ec7fc3bc75a03d Mon Sep 17 00:00:00 2001 From: Stefan Berger <stef...@us.ibm.com> Date: Thu, 13 Oct 2016 16:49:43 -0400 Subject: [PATCH] 98integrity: support validating the IMA policy file signature IMA validates file signatures based on the security.ima xattr. As of Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy, the IMA policy pathname can be written, allowing the IMA policy file signature to be validated. This patch first attempts to write the pathname, but on failure falls back to cat'ing the IMA policy contents . Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- modules.d/98integrity/ima-policy-load.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh index 0061cfff..5460d025 100755 --- a/modules.d/98integrity/ima-policy-load.sh +++ b/modules.d/98integrity/ima-policy-load.sh @@ -30,7 +30,8 @@ load_ima_policy() # check the existence of the IMA policy file [ -f "${IMAPOLICYPATH}" ] && { info "Loading the provided IMA custom policy"; - cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy; + echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \ + cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy } return 0 -- 2.13.6 ++++++ 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch ++++++ >From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001 
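Review bot: in 0552-98integrity-support-validating-the-IMA-policy-file-s.patch the `||` fallback to `cat` does not distinguish a kernel that predates pathname support from a kernel that rejected the policy file (for example because its signature did not verify); in the second case the policy is then loaded unsigned through `cat`, silently losing exactly the guarantee this patch is meant to add. Consider deciding the method up front (kernel version or a capability check) instead of falling back on any write error, and emit an `info` line stating which method was used so the fallback is visible in the boot log. Minor: `${IMASECDIR}/policy` is still unquoted in both redirections while `${IMAPOLICYPATH}` is now quoted; quote both.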
From: Matthias Gerstner <matthias.gerst...@suse.de> Date: Wed, 24 Jan 2018 16:58:15 +0100 Subject: [PATCH 1/2] 98integrity: support loading x509 into the trusted/builtin .evm keyring This implements logic analogous to the one already implemented in ima-keys-load.sh, only for the .evm/_evm keyrings. If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel initially creates and configures .ima and .evm keyrings. These keyrings only accept x509 certificates that have been signed by a local CA which belongs to the kernel builtin trusted keyring. Thus if such a keyring is already present then additional evm keys should be loaded into them. If this is not the case then the _evm keyring needs to be created in userspace and keys will be loaded into it instead. Before this change dracut always created the _evm keyring and loaded keys into it without considering an existing .evm keyring. In case of CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be used by the kernel, however, and EVM digital signatures will not work as expected. --- modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh index ec4f03bc..a3ba59fd 100755 --- a/modules.d/98integrity/evm-enable.sh +++ b/modules.d/98integrity/evm-enable.sh 
@@ -76,8 +76,21 @@ load_evm_x509() return 1 fi + local evm_pubid + local line=$(keyctl describe %keyring:.evm) + if [ $? -eq 0 ]; then + # the kernel already setup a trusted .evm keyring so use that one + evm_pubid=${line%%:*} + else + # look for an existing regular keyring + evm_pubid=`keyctl search @u keyring _evm` + if [ -z "${evm_pubid}" ]; then + # create a new regular _evm keyring + evm_pubid=`keyctl newring _evm @u` + fi + fi + # load the EVM public key onto the EVM keyring - evm_pubid=`keyctl newring _evm @u` EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid}) [ $? -eq 0 ] || { info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"; -- 2.13.6 ++++++ 0554-98integrity-support-X.509-only-EVM-configuration.patch ++++++ >From 16d52f692c2add82f54f712a7fc60885536dc39a Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerst...@suse.de> Date: Wed, 24 Jan 2018 17:19:03 +0100 Subject: [PATCH 2/2] 98integrity: support X.509-only EVM configuration Previously if no symmetric key was configured for EVM, then the initialization process was aborted. It can be a valid use case, however, to only use EVM digital signatures. In this case only X.509 certificates need to be loaded. With this change EVM initialization will continue if any of the symmetric or X.509 keys could be loaded. --- modules.d/98integrity/evm-enable.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh index a3ba59fd..5a92b598 100755 --- a/modules.d/98integrity/evm-enable.sh +++ b/modules.d/98integrity/evm-enable.sh 
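Review bot: in 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch the `$?` tested right after `local line=$(keyctl describe %keyring:.evm)` is the exit status of the `local` builtin, which is 0 whether or not `keyctl` succeeded, so the `.evm` branch is taken on every kernel and on a kernel without CONFIG_IMA_TRUSTED_KEYRING `evm_pubid=${line%%:*}` expands to an empty string, leaving `evmctl import ${EVMX509PATH} ${evm_pubid}` without a keyring argument. Declare and assign separately, or test the command directly: `local line; if line=$(keyctl describe %keyring:.evm 2>/dev/null); then`. The `2>/dev/null` also keeps keyctl's error message out of the boot log on kernels that have no `.evm` keyring. Style: the new lines mix `$(...)` with backticks; pick one form for the added code.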
@@ -125,11 +125,18 @@ enable_evm() return 0 fi - # load the EVM encrypted key - load_evm_key || return 1 + local evm_configured + + # try to load the EVM encrypted key + load_evm_key && evm_configured=1 + + # try to load the EVM public key + load_evm_x509 && evm_configured=1 - # load the EVM public key, if it exists - load_evm_x509 + # only enable EVM if a key or x509 certificate could be loaded + if [ -z "$evm_configured" ]; then + return 1 + fi # initialize EVM info "Enabling EVM" -- 2.13.6
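Review bot: in 0554-98integrity-support-X.509-only-EVM-configuration.patch the new `if [ -z "$evm_configured" ]; then return 1; fi` exits without any message, so when both `load_evm_key` and `load_evm_x509` fail the only trace is the missing "Enabling EVM" line later; an `info` line saying that neither an EVM key nor an X.509 certificate could be loaded would make the failure diagnosable. Also, because the two loaders are now independent, a failure of `load_evm_key` on a system that does have a symmetric key configured (for example an unreadable key file) no longer stops initialization: EVM comes up with only the certificate and HMAC-protected files will then fail verification. Either state in the commit message that this is accepted behaviour, or have `load_evm_key` distinguish "no key configured" from "key configured but failed to load" and keep returning an error for the latter.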