Hello community,

here is the log from the commit of package dracut for openSUSE:Factory checked 
in at 2018-04-30 22:51:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dracut (Old)
 and      /work/SRC/openSUSE:Factory/.dracut.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dracut"

Mon Apr 30 22:51:29 2018 rev:125 rq:601124 version:044.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/dracut/dracut.changes    2018-04-22 
14:35:19.830323802 +0200
+++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes       2018-04-30 
22:51:33.840606309 +0200
@@ -1,0 +2,6 @@
+Wed Apr 25 16:50:06 UTC 2018 - [email protected]
+
+- 01fips: fix FIPS mode on SLES 15 (bsc#1074984)
+  * adds 0567-Fix-booting-with-fips-1-on-SLES-15.patch
+
+-------------------------------------------------------------------

New:
----
  0567-Fix-booting-with-fips-1-on-SLES-15.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dracut.spec ++++++
--- /var/tmp/diff_new_pack.DAVeIS/_old  2018-04-30 22:51:36.888495102 +0200
+++ /var/tmp/diff_new_pack.DAVeIS/_new  2018-04-30 22:51:36.892494957 +0200
@@ -388,6 +388,8 @@
 Patch565:       0565-90kernel-modules-Include-Intel-Volume-Management-Dev.patch
 # Patch specific to SUSE, not upstream
 Patch566:       0566-95nfs-If-no-server-is-configured-read-BOOTSERVERADDR.patch
+# Patch specific to SUSE, upstream only documentation
+Patch567:       0567-Fix-booting-with-fips-1-on-SLES-15.patch
 
 BuildRequires:  asciidoc
 BuildRequires:  bash
@@ -677,6 +679,7 @@
 %patch564 -p1
 %patch565 -p1
 %patch566 -p1
+%patch567 -p1
 
 %build
 %configure\

++++++ 0567-Fix-booting-with-fips-1-on-SLES-15.patch ++++++
>From c3f2e356ca15c32123334764c014df264d72f149 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <[email protected]>
Date: Wed, 25 Apr 2018 18:43:46 +0200
Subject: [PATCH] Fix booting with fips=1 on SLES 15

Also, add some documentation on how FIPS actually works.

Reference: bsc#1074984
---
 modules.d/01fips/module-setup.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 709cfc85..178bae17 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -13,6 +13,12 @@ depends() {
 # called by dracut
 installkernel() {
     local _fipsmodules _mod
+    # The FIPS process requires that crypto primitives should perform a 
power-up self test. They must not be loaded and
+    # used prior to successful completion. FIPS140-2, section 4.9 mandates 
that during power-up, crypto algorithms should
+    # perform self tests, displaying an error if any one of them fails.
+
+    # dracut implements this by first compiling a blacklist (provided by the 
kernel in newer distros) and then
+    # load the modules in that list one by one in a controlled manner, 
aborting on failure.
     if [[ -f "${srcmods}/modules.fips" ]]; then
         _fipsmodules="$(cat "${srcmods}/modules.fips")"
     else
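Review bot: The comment block added at the top of installkernel() describes behaviour (loading the listed modules one by one and aborting on failure) that the visible code in this function does not perform; here the list is only read from `${srcmods}/modules.fips` or built from the hard-coded fallback. I would say so explicitly, for example `# Build time: collect the FIPS module list; the controlled loading and self-test check presumably happen in the boot-time script, not here.`, and name `modules.fips` instead of "a blacklist (provided by the kernel in newer distros)". The second paragraph also mixes tenses ("first compiling ... and then load") and the lines are long enough that they were wrapped in transit, so re-flowing them to the file's usual width would help. The body of installkernel() continues past this hunk, so what is done with the list afterwards cannot be confirmed from here.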
@@ -28,6 +34,7 @@ installkernel() {
         _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper 
twofish_x86_64 twofish_common blowfish_generic "
         _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
         _fipsmodules+="algif_hash af_alg crypto_user "
+        _fipsmodules+="sha3_generic "
     fi
 
     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
@@ -52,10 +59,10 @@ install() {
     inst_libdir_file \
         fipscheck .fipscheck.hmac \
          libfipscheck.so.1 \
-        .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
-         libcrypto.so.1.0.0       libssl.so.1.0.0 \
-        .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
-        .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
+        .libfipscheck.so.1.hmac .libfipscheck.so.1.2.1.hmac \
+         libcrypto.so.1.1       libssl.so.1.1 \
+        .libcrypto.so.1.1.hmac .libssl.so.1.1.hmac \
+        .libcryptsetup.so.12.1.0.hmac .libcryptsetup.so.12.hmac \
         .libgcrypt.so.20.hmac \
         libfreeblpriv3.so libfreeblpriv3.chk
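Review bot: The names passed to `inst_libdir_file` in install() are still pinned to exact versions (`.libfipscheck.so.1.2.1.hmac`, `.libcryptsetup.so.12.1.0.hmac`), and the OpenSSL 1.0.0 names are replaced rather than kept alongside the 1.1 ones, so the list goes stale at the next library bump and no longer fits a system that still ships the old sonames. If `inst_libdir_file` skips names that do not exist (not visible here, please confirm), a stale entry leaves a library or its `.hmac` out of the initrd with no build-time message, and the problem surfaces only when booting with fips=1. Consider version-agnostic patterns, if the helper accepts globs, such as `.libcryptsetup.so.*.hmac` and `.libfipscheck.so.*.hmac`, or emit a warning at build time when an expected HMAC file is not found. install() starts and ends outside this hunk.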
 
-- 
2.13.6

