Hello community,

here is the log from the commit of package dracut for openSUSE:Factory checked 
in at 2018-01-31 19:48:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dracut (Old)
 and      /work/SRC/openSUSE:Factory/.dracut.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dracut"

Wed Jan 31 19:48:28 2018 rev:119 rq:569525 version:044.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/dracut/dracut.changes    2017-12-16 
20:47:36.034261514 +0100
+++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes       2018-01-31 
19:48:29.846946900 +0100
@@ -1,0 +2,34 @@
+Thu Jan 25 09:19:05 UTC 2018 - daniel.molken...@suse.com
+
+- support validating the IMA policy file signature, needed since Kernel 4.7
+  * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch
+
+- IMA: improve support for evm key loading (bsc#1077359, fate#323906)
+  * Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
+  * Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch
+
+- FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070)
+
+- Added a few more patch annotations
+
+-------------------------------------------------------------------
+Fri Jan 19 15:29:15 UTC 2018 - daniel.molken...@suse.com
+
+- Fix typo for ima dependency (evmtcl vs evmctl) (bsc#1073466)
+
+- Updated Patch annotation regarding their upstream state 
+
+-------------------------------------------------------------------
+Wed Jan 10 11:25:13 UTC 2018 - daniel.molken...@suse.com
+
+- FIPS: Try to fetch list of fips modules from the kernel's modules dir 
(bsc#1074984)
+  * Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch
+
+- Annotated patches regarding their upstream state
+
+-------------------------------------------------------------------
+Tue Jan  9 08:08:01 UTC 2018 - daniel.molken...@suse.com
+
+- dracut-ima requires evmctl and keyutils (bsc#1073466)
+
+-------------------------------------------------------------------
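Review bot: the Jan 25 entry says the IMA policy signature support is "needed since Kernel 4.7", which overstates the requirement; the 0552 patch description further down says the kernel accepts a policy pathname as of Linux 4.7 and the script still falls back to cat'ing the policy, so "supported since Kernel 4.7" is the accurate wording.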

New:
----
  0551-fips-use-lib-modules-uname-r-modules.fips.patch
  0552-98integrity-support-validating-the-IMA-policy-file-s.patch
  0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
  0554-98integrity-support-X.509-only-EVM-configuration.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dracut.spec ++++++
--- /var/tmp/diff_new_pack.ksBnNX/_old  2018-01-31 19:48:32.550821180 +0100
+++ /var/tmp/diff_new_pack.ksBnNX/_new  2018-01-31 19:48:32.554820994 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package dracut
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@
 Source7:        99-debug.conf
 Source8:        s390x_persistent_device.conf
 
-#Network:
+# Network, none are upstream yet:
 Patch12:        0012-40network-Fix-race-condition-when-wait-for-networks.patch
 Patch13:        0013-40network-always-start-netroot-in-ifup.sh.patch
 Patch15:        0015-40network-replace-dhclient-with-wickedd-dhcp-supplic.patch
@@ -59,33 +59,61 @@
 Patch170:       0170-iscsi-skip-ibft-invalid-dhcp.patch
 
 #S390
+# Applied upstream as 55c763b1ff37405da390ab1ef5765683f3a7838e
 Patch16:        0016-Add-new-s390x-specific-rule-files.patch
+# Submitted to upstream as d43cccf5885a84d688a3b526d5fc57865369da57
 Patch21:        0021-95dcssblk-Add-new-module-for-DCSS-block-devices.patch
+# Submitted to upstream as d0c97fdf4c33bb422f0a13a8752751d3054de143
 Patch56:        0056-81cio_ignore-handle-cio_ignore-commandline.patch
+# Applied upstream as 856d039ba4716ba080fc8d823b3329a4470a60ef
 Patch75:        0075-95dasd_rules-enable-parsing-of-rd.dasd-commandline-p.patch
+# Applied upstream as 5d1ea2d72616ec7ed9cf5e1f3bc99d7d5bc4f003
 Patch76:        0076-Correctly-set-cio_ignore-for-dynamic-s390-rules.patch
+# Applied upstream as e5d21b80c054235114c4167e0bf7769aa698b4d4
 Patch79:        0079-95dasd_rules-fixup-rd.dasd-parsing.patch
+# Applied upstream as 13626413107b67ab493ccfc4f6a1c6bef228a74e
 Patch80:        0080-95dasd_rules-print-out-rd.dasd-commandline.patch
+# Applied upstream as 6f1b5c0dabe57259d7e67ab9b643b11b70deb388
 Patch81:        0081-95dasd_mod-do-not-set-module-parameters-if-dasd_cio_.patch
+# Applied upstream as 9be4be7aa72af312c6b0588ddb008da7632612bc
 Patch83:        0083-95zfcp_rules-Fixup-rd.zfcp-parsing.patch
+# Applied upstream as 624f173cbd49b7389577aac10a887f16d4f89b7a
 Patch85:        0085-95zfcp_rules-print-out-rd.zfcp-commandline-parameter.patch
+# Applied upstream as c8e531239bf314ae532ca1bc820285250a3b35d7
 Patch86:        0086-95zfcp_rules-Auto-generate-udev-rule-for-ipl-device.patch
+# Applied upstream as bd355f8643555762acf02c6dd6179b683cd0a6aa
 Patch87:        0087-95dasd_rules-Auto-generate-udev-rule-for-ipl-device.patch
+# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2 
 Patch88:        0088-91zipl-Add-new-module-to-update-s390x-configuration.patch
+# Applied upstream as 2600b54c187e5668f5b55d5d73f49e99c7b33212 
 Patch107:       0107-Fixup-typo-firmare-instead-of-firmware.patch
+# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2
 Patch108:       0108-91zipl-Store-commandline-correctly.patch
+# Applied upstream as 05bf32097201c24c56dc6bb7a59a428293247d61
 Patch109:       0109-95dasd_rules-Store-all-devices-in-commandline.patch
+# Applied upstream as 3a8ba440265696ce1279dc12eb5a7acda14c1712
 Patch110:       0110-95zfcp_rules-Store-all-devices-in-commandline.patch
+# Submitted to upstream as d118e9d94050ea65cb4514dda5fda10ef30275fe
 Patch113:       0113-91zipl-Install-script-as-executable.patch
+# Submitted to upstream as 403f2c3e1dbb681c27b1279b9d023449cfc6d007
 Patch114:       0114-91zipl-Translate-ext2-3-into-ext4.patch
+# TODO: Apply upstream, already incorporated where original patches have been 
upstreamed
 Patch116:       0116-Mark-scripts-as-executable.patch
+# Applied upstream as cf9c8c5fe3fdb899b57c25867bf54b74adc3272f
 Patch117:       0117-95dasd_rules-Enable-the-device-before-checking-devic.patch
+# Applied upstream as 5e7bbe43a349a9d3ef0300c61f62a49a2e44c0a0
 Patch118:       0118-95zfcp_rules-Enable-the-device-before-checking-devic.patch
+# Applied upstream as 5f923256e33893bead8233852a741a4b0036f709
 Patch123:       0123-95zfcp_rules-fix-typo-in-module_setup.patch
+# Submitted to upstream as 33260dac6e0980da2d6577a29d83644b6637745c
 Patch157:       0157-Add-boot-zipl-to-host-devs-if-it-is-a-mount-point.patch
+# Submitted to upstream as 8bae047a4e096e69a34c520dae15458e210eecdb
 Patch160:       0160-s390-update_active_devices_initrd.patch
+# Applied upstream as c8aa1d949aecaf146b0a0e1ce269f69e6048dc5a
 Patch161:       0161-95zfcp_rules-simplified-rd.zfcp-commandline-for-NPIV.patch
+# Applied upstream as e5bf1cecd635897e5f2c8ae373494d33af3b1996
 Patch188:       0188-95dasd_rules-Install-collect-udev-helper-binary.patch
+# TODO: Apply upstream (??)
 Patch506:       0506-Boot-on-s390x-with-fips-1-on-the-kernel-commnad-line.patch
 
 #FIPS
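Review bot: Patch88 and Patch108 carry the same upstream id (`# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2` on both), which is plausible if one submission covers both but should be confirmed, since these annotations are what a later rebase will rely on to decide which patches can be dropped. The Patch88 and Patch107 annotation lines end in trailing whitespace, and the Patch116 comment is long enough that it wraps here; if that wrap is in the spec file itself rather than mail formatting, the bare `upstreamed` line is not a valid spec statement.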
@@ -99,25 +127,35 @@
 Patch510:       0510-01fips-Some-modules-use-separators-other-than.patch
 Patch511:       0511-01fips-ensure-fips-initialization-succeeds-on-s390-x.patch
 
-# Others
+# Others, partly SUSE specific. Not submitted unless annotated otherwise
+
+# Submitted to upstream as 7ce2872be28a5463757651cc30049c3f4e81559a
 Patch20:        0020-00warpclock-Set-correct-timezone.patch
 Patch58:        0058-dracut-add-warning-when-including-unsupported-module.patch
 Patch59:        0059-99suse-Add-SUSE-specific-initrd-parsing.patch
+# TODO: This should not be a patch, but be removed in the install section
 Patch90:        0090-dracut-caps-Remove-whole-caps-module.patch
 Patch91:        0091-dracut-biosdevname-In-SUSE-biosdevname-package-is-in.patch
 Patch121:       0121-Adjust-initramfs-kernel.img-to-SUSE-default-initrd-k.patch
 Patch130:       0130-nfs-Always-add-all-kernel-modules-for-kdump.patch
+# Applied upstream as c3b6970394ad677f05a42bef420bf34b1d0652e0
 Patch144:       0144-90crypt-Fixed-crypttab_contains-to-also-work-with-de.patch
 Patch150:       0150-Find-kernel-modules-in-extra-and-weak-updates-path-a.patch
 Patch158:       0158-Add-SUSE-kernel-module-dependencies-in-etc-modprobe.patch
 Patch163:       0163-Install-etc-sysconfig-console-to-see-specific-fonts.patch
+# TODO: Verify: Should be obsolete due to fixes in systemd
 Patch164:       0164-Fix-initramfs-ver.img-vs-initrd-ver-in-dracut-initra.patch
+# Submitted as a check to upstream as 446654703742e6c1d7b1134a7d73b2bf7ce20cda
 Patch168:       0168-remove_plymouth_logo_file.patch
+# Applied upstream as 251afd36b2be35b7b27011b6f90b5ab3bbbbff84
 Patch180:       0180-i18n_add_correct_fontmaps.patch
+# Applied upstream as dcacd2b072c301a51c114256e8bb696346879a2b
 Patch182:       0182-fix-include-parsing.patch
+# Applied upstream as d53bb5c01737270049fde82559ae72aae1943b81
 Patch183:       0183-fix_add_drivers_hang.patch
 
 # iscsiadm
+# TODO: Apply all patches in this section upstream
 Patch190:       0190-replace-iscsistart-with-systemd-service-files.patch
 Patch191:       0191-static_network_setup_return_zero.patch
 Patch192:       0192-iscsi_set_boot_protocol_from_ifcfg.patch
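Review bot: the Patch168 annotation `# Submitted as a check to upstream as 446654703742e6c1d7b1134a7d73b2bf7ce20cda` is ambiguous about whether the patch itself or only a check for the condition was submitted; rewording it to one of the two forms used elsewhere in the file (`Submitted to upstream as` / `Applied upstream as`) keeps the annotations machine-readable. The Patch90 TODO (`This should not be a patch, but be removed in the install section`) is actionable in this same change and would shrink the patch stack.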
@@ -128,31 +166,58 @@
 Patch199:       0199-rd-iscsi-waitnet-default-false.patch
 
 # Submit mainline asap
+
+# Applied upstream as 5c84d51b3f258af9035a4031c6b482103adea4d9
 Patch128:       0128-90lvm-Install-dm-snapshot-module.patch
+# Applied upstream as d12ce1da8551c065616f81f158b6425b20ee191c
 Patch200:       0200-dracut_fix_multipath_without_config.patch
+# Applied upstream as f5c10673de18d84f3b054df9a68ffa8d43f9571c 
 Patch201:       0201-fix_nfs_with_ip_instead_of_hostname.patch
+# TODO: Apply upstream
 Patch202:       0202-dracut_dmraid_use_udev.patch
+# TODO: Check if still an issue with C-style insmod logic
 Patch203:       0203-no-fail-builtin-module.patch
+# Applied upstream as 51d2436c22d64e45376c64ad3b6c90c48cc88d78 
 Patch204:       0204-mkinitrd-fix-monster.patch
+# TODO: Apply upstream
 Patch205:       0205-mdraid_ignore_hostonly.patch
+# Applied upstream as 8602e5986702f6118f8b30f1053a45af1df892bd
 Patch206:       0206-nfs_dns_alias.patch
+# Applied upstream as 43819af68c7789ec932c25e699c56889fdf7276c
 Patch207:       0207-handle_module_aliases.patch
+# TODO: Possibly made redundant by changes done by upstream
 Patch208:       0208-no_forced_virtnet.patch
+# Applied upstream as 9fd3e045d5b41ba5cf9fb0c51db9750ce0e530d8
 Patch209:       0209-fix_modules_load_d_hostonly.patch
+# Applied upstream as 22836a092191c1abc0e04e4c6d68856f2603d6e8
 Patch210:       0210-add_fcoe_uefi_check.patch
+# Applied upstream as 6b96b50d2cd92d6598240e6061a81b29b889ecdd 
 Patch212:       0212-fcoe_reorder_init_path.patch
+# Applied upstream as 18729719a7091c35ffe377b21b860a60a352def8
 Patch213:       0213-Fix-wrong-keymap-inclusion.patch
+# Applied upstream as d066fcc3fb9080ffff412c8dc5177ca1dcc08e75
 Patch214:       0214-95fcoe-Do-not-overwrite-FCoE-configuration.patch
+# Applied upstream as 1279a9e1a0a28107e0a240ab344f700b465c96b3 by upstream
 Patch215:       0215-95fcoe-Do-not-complain-about-missing-etc-hba.conf.patch
+# Applied upstream as d71c9ee286def5d1a5e90f549b65e21d0f18c9ac 
 Patch216:       0216-95fcoe-silence-lldpad-warnings.patch
+# Applied upstream as c75196e11ec4325fc76bb11aeb884ceade62df48
 Patch217:       0217-95fcoe-Allow-to-specify-the-FCoE-mode-via-the-fcoe-p.patch
+# Probably not upstreamable?
 Patch218:       0218-40network-allow-persistent-interface-names.patch
+# Applied upstream as 164760f4b075ff564c349cb40d1fa308c139432d
 Patch219:       0219-95fcoe-use-interface-names-instead-of-MAC-addresses.patch
+# Applied upstream as 2aac3194100b903740bb9057aed71a35ce92a2e3
 Patch220:       0220-95fcoe-always-set-AUTO_VLAN-for-fcoemon.patch
+# Applied upstream as a3f91db4768451a10fbbc3e28270c29e1368df6c
 Patch221:       0221-95fcoe-Add-shutdown-script.patch
+# Applied upstream as 07e635748342aa70a76bc1a2237339f6a897d841
 Patch222:       0222-90dm-Fixup-shutdown-script.patch
+# Applied upstream as 870591acec41e854071129e7bf834cdfe43ae716
 Patch223:       0223-90dm-fixup-dependency-cycle-between-MD-and-DM-shutdo.patch
+# TODO: Apply upstream
 Patch224:       0224-95iscsi-setup-bnx2i-offload-connections-properly.patch
+# Applied upstream as part of 36a8b2e3058518255dbd39e33bf2c72b7889cfae
 Patch225:       0225-95fcoe-do-not-start-fcoemon-twice.patch
 
 # SUSE-specific fixes
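Review bot: the Patch215 annotation `# Applied upstream as 1279a9e1a0a28107e0a240ab344f700b465c96b3 by upstream` is redundant at the end; drop `by upstream` to match the other lines. The Patch201, Patch204, Patch212 and Patch216 annotations end in trailing whitespace, and `# Probably not upstreamable?` on Patch218 would be more useful with the reason recorded so the next person does not have to re-investigate.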
@@ -173,68 +238,130 @@
 Patch314:       0314-nfs_do_not_pass_ifname_for_bonding_devices.patch
 
 # New features/improvements
+# TODO: Apply upstream
 Patch402:       0402-driver-fail-summary.patch
+# Applied upstream as 10f06425a597ca797b8efbf45e8838c4d30651e9
 Patch403:       0403-95lunmask-Add-module-to-handle-LUN-masking.patch
+# Applied upstream as 1f8a7ae799effed1e57033167beca4281389391c
 Patch404:       0404-dracut-emergency-optionally-print-fs-help.patch
 
 # Workarounds/Patches no longer relevant in 045
 Patch450:       0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch
+# Patch from upstream: d4efc0aeeecc470d9a267b7f3c130f472488905c
 Patch451:       0451-systemd-initrd-add-initrd-root-device.target.patch
+# Applied upstream as 9ffab3f3a5105691b4b640649c3a99e3cce39c1a
 Patch452:       0452-Always-try-to-add-pinctrl-cherryview.patch
+# Applied upstream as 7957bd01b097507a601495ed7cd2c8480c2af67b
 Patch453:       0453-Resolve-symbolic-links-for-i-and-k-parameters-bsc-90.patch
+# Applied upstream as e69da98de1a4175fb3c745570471fc3a7d567a33
 Patch454:       0454-Add-md4-and-arc4-modules-for-ntlm.patch
 
 # On top patches/fixes which have to be applied late
+# Applied upstream as 8b0791fa010cf7e5fde3a37a8c2bb6d6f1264f59
 Patch500:       0500-Reset-IFS-variable.patch
+# Applied upstream as e0c3b0793f92c24d442f543a755aed8cc218ab20
 Patch501:       0501-dasd_fix_ssid_bigger_zero.patch
+# TODO: Apply upstream
 Patch502:       0502-persistent_device_policy_param_enhance.patch
+# Applied upstream as 0db98910a11c12a454eac4c8e86dc7a7bbc764a4 
 Patch503:       0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
+# TODO: Apply upstream
 Patch504:       0504-ibft-fix-boot-flag-check.patch
+# Applied upstream as f1c790495baa017ec48b266a33b0dd558e760dde
 Patch505:       0505-Allow-booting-from-degraded-MD-RAID-arrays.patch
+# Applied upstream as 649619f6a5775d1c94d9c4f3fec627c747633275
 Patch507:       0507-Set-TaskMax-inifinite-for-the-emergency-shell.patch
+# Applied upstream as 8008d47fafcecd27c456215e910be33a23546519
 Patch508:       0508-90multipath-start-before-local-fs-pre.target.patch
+# Applied upstream as 8b6d136e625cb538f8845e858b37e9f6c67a5f1c
 Patch512:       0512-Make-binutils-optional-when-elfutils-are-available.patch
+# TODO: Apply upstream
 Patch513:       0513-Fix-regression-caused-by-6f9bf2b8ac436259bdccb110545.patch
+# Applied upstream as 4a739be99c409719e76078ece55e7ba3c817b054 
 Patch514:       0514-man-make-the-k-option-clear-using-mkinitrd.patch
+# Reverted later. Do not submit! 
 Patch515:       0515-90kernel-modules-also-add-block-device-driver-revers.patch
+# Applied upstream as 7cf2c21798b537a5553ecc23df5ce8cfda631e9c
 Patch516:       0516-mkinitrd-suse.sh-Fix-prefix-calculation.patch
+# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac
 Patch517:       0517-95fcoe-fixup-fcoe-genrules.sh-for-VN2VN-mode.patch
+# Fixed more generically in upstream as 
feaaee4278077dd67fe24acebfbe47ba20738955
 Patch518:       0518-90kernel-modules-Fix-backlight-on-Cherrytrail-device.patch
+# TODO: Apply upstream if correct
 Patch519:       0519-90kernel-modules-Ensure-phy-drivers-are-loaded-in-in.patch
+# TODO: Check if still relevant and apply upstream
 Patch520:       0520-Ignore-module-resolution-errors.patch
+# TODO: Apply upstream
 Patch521:       0521-Ensure-udev-persistent-storage-compat-rules-get-crea.patch
+# TODO: belongs with FIPS commits
 Patch522:       0522-Fix-typo-from-commit-3f1cdb520.patch
+# Applied upstream as e3189ab1235748cda136b564668b697d1c87847b
 Patch523:       0523-98dracut-systemd-Fix-module-force-loading-with-syste.patch
+# Fixes SUSE Patch
 Patch524:       0524-Suppress-nonsensical-error-message-bsc-1032029.patch
+# Applied from upstream commit 106255afd46ea2be1d035aca0c5695186a3f2c41
 Patch525:       0525-backport-bail-out-if-module-directory-does-not-exist.patch
+# TODO: apply upstream
 Patch526:       0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch
+# TODO: belongs with FIPS commits
 Patch527:       0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch
+# TODO: apply upstream
 Patch528:       0528-Ensure-dracut.sh-responds-properly-to-hostonly_cmdli.patch
+# Applied from upstream commit 8261d2367ee673e24d03306b9623f4f3070dae5b
 Patch529:       0529-systemd-add-missing-.slice-unit.patch
+# Applied from upstream commit eddca3c9c24e4cb9c5def0b98920e36b16fafaac
 Patch530:       0530-dracut-systemd-dracut-cmdline-ask-fix-dracut-kernel-.patch
+# Applied from upstream commit c000a21c25bd436f2b3cc2076cb7025cc82d2807
 Patch531:       0531-dracut-systemd-.service-conflict-with-shutdown-targe.patch
+# Do not submit, reverts bogus patch
 Patch532:       0532-List-drivers-rather-than-looking-for-reverse-depende.patch
+# TODO: check if still relevant
 Patch533:       0533-instmods-check-modules.builtin-in-srcmods.patch
+# Applied upstream as 348935e3b65b5058e65f66682df6a5b184eaacb2 
 Patch534:       0534-ssh-client-Include-nss_-libraries.patch
+# Applied upstream as e316ae0e4309726b2c067a70ac41f7b22011c063
 Patch535:       0535-Sync-initramfs-after-creation.patch
+# TODO: apply upstream
 Patch536:       0536-90multipath-drop-67-kpartx-compat.rules.patch
+# TODO: check how to submit upstream
 Patch537:       0537-dracut-init.sh-ignore-crc32.ko-in-builtin-test.patch
+# Applied upstream as afe4e2844ffa7c06160434430f0ce9e493c112e0 
 Patch538:       0538-Enable-core-dumps-with-systemd-from-initrd.patch
+# Not eligable for submit, unless specfile gets submitted
 Patch539:       0539-Add-IMA-functionality-fate-323289.patch
+# Applied from upstream commit 551cc3694e32be97084b1f198f76f4daf908d503 
 Patch540:       0540-Check-the-proper-variable-for-a-custom-IMA-keys-dire.patch
 # SLE and Leap have persistent net names, but not Factory/TW
 %if 0%{?suse_version} && ! 0%{?sle_version} 
+# TODO: Unsure if this can be sumbmitted
 Patch541:       0541-Make-sure-70-persistent-net.rules-is-included-in-ini.patch
 %endif
+# Applied upstream as 9f2916cce13d584610295e001394274e823c3f15
 Patch542:       0542-Include-crc32c-intel-module-when-using-btrfs.patch
+# Applied upstream as b36d322bd2ccb6ef4eb31384c86a75572184bba1
 Patch543:       0543-Remove-00systemd-bootchart.patch
+# TODO: Check if still relevant
 Patch544:       0544-40network-Make-ip-dhcp-work.patch
+# More generic fix upstream
 Patch545:       0545-Add-early-microcode-support-for-AMD-family-16h.patch
+# More generic fix upstream
 Patch546:       0546-Support-Microcode-Updates-for-AMD-CPU-Family-0x17.patch
+# Applied upstream as df96cccc8f562f8aeab7c09248c204f21ed42c4a
 Patch547:       0547-Fix-task-limit-in-emergency.service-the-same-change-.patch
+# Applied upstream as 36a8b2e3058518255dbd39e33bf2c72b7889cfae
 Patch548:       0548-95fcoe-Switch-back-to-using-fipvlan-for-bnx2fc.patch
+# Same patch applied by upstream: 3966a1e1ee0e3d27197258f446f54b683c415208
 Patch549:       0549-fcoe-up-Increase-sleeptime-to-13s.patch
+# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac
 Patch550:       0550-95fcoe-add-timeout-initqueue-entries.patch
+# Patch adopted from upstream commit 7c29d205f4bfb465f1618fdb8984798522c8eb4a
+Patch551:       0551-fips-use-lib-modules-uname-r-modules.fips.patch
+# Patch adopted from upstream commit 479b5cd94f16052cf6ea28d0e8abba2b926fff83
+Patch552:       0552-98integrity-support-validating-the-IMA-policy-file-s.patch
+# Patch submitted to upstream as 9e451d4770ec3a98816fcf97fdd745d6af135336
+Patch553:       0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
+# Patch submitted to upstream as cb2c9a4338ddc15d55c6c524276a1807bec23485
+Patch554:       0554-98integrity-support-X.509-only-EVM-configuration.patch
 
 BuildRequires:  asciidoc
 BuildRequires:  bash
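Review bot: Patch517 and Patch550 are both annotated `Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac`; if one upstream commit really covers both that is fine, otherwise one id is wrong, and since these ids decide what gets dropped on the next rebase they are worth double-checking. Two typos in new comments: `eligable` (Patch539) and `sumbmitted` (Patch541). Patch515 is marked `Reverted later. Do not submit!` and Patch532 `Do not submit, reverts bogus patch`; if Patch532 is the revert of Patch515, dropping the pair is cleaner than carrying both with warnings. The vocabulary also drifts (`Applied upstream as`, `Applied from upstream commit`, `Patch adopted from upstream commit`, `Same patch applied by upstream`); one phrasing per state would let a script list the patches that are already upstream.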
@@ -282,7 +409,7 @@
 Requires(post): coreutils
 Requires:       %{name} = %{version}-%{release}
 Requires:       fipscheck
-Requires:       libcryptsetup4-hmac
+Requires:       libcryptsetup12-hmac
 Requires:       libgcrypt20-hmac
 Requires:       libkcapi-tools
 
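Review bot: `Requires: libcryptsetup12-hmac` hard-codes the soname-versioned package name, so the FIPS subpackage needs a manual edit on every libcryptsetup soname bump (as this change shows) and a missed bump breaks installation of dracut-fips; if the -hmac packages provide an unversioned capability, depending on that would avoid the churn.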
@@ -295,6 +422,8 @@
 Summary:        Dracut modules to build a dracut initramfs with IMA
 Group:          System/Base
 Requires:       %{name} = %{version}-%{release}
+Requires:       evmctl
+Requires:       keyutils
 
 %description ima
 This package requires everything which is needed to build an
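Review bot: the new `Requires: evmctl` and `Requires: keyutils` match the tools Patch553 invokes (`evmctl` and `keyctl`), but rpm resolves a bare name only against package names and Provides, so confirm that Factory has a package or Provides named exactly `evmctl`; the changelog notes a previous `evmtcl` typo on this very dependency, so a quick `zypper se` before submitting would have caught that too.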
@@ -505,6 +634,10 @@
 %patch548 -p1
 %patch549 -p1
 %patch550 -p1
+%patch551 -p1
+%patch552 -p1
+%patch553 -p1
+%patch554 -p1
 
 %build
 %configure\

++++++ 0551-fips-use-lib-modules-uname-r-modules.fips.patch ++++++
From 2a7f2be7475dfaf5090bbafbbf5b7eb3067eef46 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolken...@suse.com>
Date: Wed, 10 Jan 2018 11:03:22 +0100
Subject: [PATCH] fips: use /lib/modules/$(uname -r)/modules.fips

If /lib/modules/$(uname -r)/modules.fips exists, use that list instead
of the hardcoded dracut module list.

Backported from upstream's master branch

diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 9e5eca4f..709cfc85 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -13,18 +13,22 @@ depends() {
 # called by dracut
 installkernel() {
     local _fipsmodules _mod
-    _fipsmodules="ansi_cprng arc4 authenc ccm "
-    _fipsmodules+="ctr cts deflate drbg "
-    _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic rmd128 "
-    _fipsmodules+="rmd160 rmd256 rmd320 seed "
-    _fipsmodules+="sha512_generic tcrypt tea wp512 xts "
-    _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 
sha512_s390 "
-    _fipsmodules+="gf128mul "
-    _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 
camellia_generic camellia_x86_64 pcbc tgr192 anubis "
-    _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 
serpent_sse2_x86_64 serpent_generic twofish_generic "
-    _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper 
twofish_x86_64 twofish_common blowfish_generic "
-    _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
-    _fipsmodules+="algif_hash af_alg crypto_user "
+    if [[ -f "${srcmods}/modules.fips" ]]; then
+        _fipsmodules="$(cat "${srcmods}/modules.fips")"
+    else
+        _fipsmodules="ansi_cprng arc4 authenc ccm "
+        _fipsmodules+="ctr cts deflate drbg "
+        _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic 
rmd128 "
+        _fipsmodules+="rmd160 rmd256 rmd320 seed "
+        _fipsmodules+="sha512_generic tcrypt tea wp512 xts "
+        _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 
sha512_s390 "
+        _fipsmodules+="gf128mul "
+        _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 
camellia_generic camellia_x86_64 pcbc tgr192 anubis "
+        _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 
serpent_sse2_x86_64 serpent_generic twofish_generic "
+        _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper 
twofish_x86_64 twofish_common blowfish_generic "
+        _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+        _fipsmodules+="algif_hash af_alg crypto_user "
+    fi
 
     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
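Review bot: the new branch takes `${srcmods}/modules.fips` as authoritative without checking that it is non-empty, so an empty or truncated file silently yields an empty `_fipsmodules` and a FIPS initrd with no crypto modules at all; testing with `-s` instead of `-f`, or falling back to the built-in list when the read result is empty, keeps the old behaviour as a safety net. The hard-coded list is now only a fallback that will drift from the kernel's own list, which deserves a comment saying it applies to kernels without modules.fips.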
-- 
2.13.6

++++++ 0552-98integrity-support-validating-the-IMA-policy-file-s.patch ++++++
From d31e03d34cc743c6538f532704ec7fc3bc75a03d Mon Sep 17 00:00:00 2001
From: Stefan Berger <stef...@us.ibm.com>
Date: Thu, 13 Oct 2016 16:49:43 -0400
Subject: [PATCH] 98integrity: support validating the IMA policy file signature

IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.

This patch first attempts to write the pathname, but on failure falls
back to cat'ing the IMA policy contents.

Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 modules.d/98integrity/ima-policy-load.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules.d/98integrity/ima-policy-load.sh 
b/modules.d/98integrity/ima-policy-load.sh
index 0061cfff..5460d025 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -30,7 +30,8 @@ load_ima_policy()
     # check the existence of the IMA policy file
     [ -f "${IMAPOLICYPATH}" ] && {
         info "Loading the provided IMA custom policy";
-        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+        echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
+            cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
     }
 
     return 0
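Review bot: the fallback `|| cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy` undoes the point of the change on kernels that do support pathname loading: if the kernel rejected the pathname write because the policy file failed appraisal, the script then tries to load the same unverified policy contents by cat'ing them, so a bad or missing signature is retried rather than treated as an error. Limit the fallback to the case where pathname loading is unsupported (an older kernel), and at minimum emit a warning on the fallback path so the downgrade is visible in the boot log. `${IMASECDIR}/policy` is also left unquoted on both new lines while `${IMAPOLICYPATH}` is now quoted.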
-- 
2.13.6

++++++ 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch ++++++
From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerst...@suse.de>
Date: Wed, 24 Jan 2018 16:58:15 +0100
Subject: [PATCH 1/2] 98integrity: support loading x509 into the
 trusted/builtin .evm keyring

This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.

If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.

Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.

Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.
---
 modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/modules.d/98integrity/evm-enable.sh 
b/modules.d/98integrity/evm-enable.sh
index ec4f03bc..a3ba59fd 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -76,8 +76,21 @@ load_evm_x509()
         return 1
     fi
 
+    local evm_pubid
+    local line=$(keyctl describe %keyring:.evm)
+    if [ $? -eq 0 ]; then
+        # the kernel already setup a trusted .evm keyring so use that one
+        evm_pubid=${line%%:*}
+    else
+        # look for an existing regular keyring
+        evm_pubid=`keyctl search @u keyring _evm`
+        if [ -z "${evm_pubid}" ]; then
+            # create a new regular _evm keyring
+            evm_pubid=`keyctl newring _evm @u`
+        fi
+    fi
+
     # load the EVM public key onto the EVM keyring
-    evm_pubid=`keyctl newring _evm @u`
     EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
     [ $? -eq 0 ] || {
        info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
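Review bot: `local line=$(keyctl describe %keyring:.evm)` followed by `if [ $? -eq 0 ]` never sees keyctl's exit status, because `$?` is the status of the `local` builtin (0), not of the command substitution; the `if` branch is therefore always taken, `evm_pubid` becomes empty when no `.evm` keyring exists, and the `_evm` fallback below is dead code. Declare and assign separately (`local line; line=$(keyctl describe %keyring:.evm)` and then test `$?` or `-n "$line"`). The block also mixes `$(...)` with the pre-existing backticks; the new lines could use `$(...)` throughout.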
-- 
2.13.6

++++++ 0554-98integrity-support-X.509-only-EVM-configuration.patch ++++++
From 16d52f692c2add82f54f712a7fc60885536dc39a Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerst...@suse.de>
Date: Wed, 24 Jan 2018 17:19:03 +0100
Subject: [PATCH 2/2] 98integrity: support X.509-only EVM configuration

Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.

With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.
---
 modules.d/98integrity/evm-enable.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules.d/98integrity/evm-enable.sh 
b/modules.d/98integrity/evm-enable.sh
index a3ba59fd..5a92b598 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -125,11 +125,18 @@ enable_evm()
         return 0
     fi
 
-    # load the EVM encrypted key
-    load_evm_key || return 1
+    local evm_configured
+
+    # try to load the EVM encrypted key
+    load_evm_key && evm_configured=1
+
+    # try to load the EVM public key
+    load_evm_x509 && evm_configured=1
 
-    # load the EVM public key, if it exists
-    load_evm_x509
+    # only enable EVM if a key or x509 certificate could be loaded
+    if [ -z "$evm_configured" ]; then
+        return 1
+    fi
 
     # initialize EVM
     info "Enabling EVM"
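Review bot: with `load_evm_key && evm_configured=1` a failure to load the symmetric key no longer aborts, so a system meant to run EVM with HMACs whose encrypted key fails to load will now come up in X.509-only mode as long as the certificate loads; that is a configuration downgrade that should be visible, so log which of the two succeeded (an `info` line per success) and consider a warning when a key file was present but failed to load, rather than only failing when neither loaded.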
-- 
2.13.6

