From 2d7bee74f82797f86bf42a4c7ca87314f318b866 Mon Sep 17 00:00:00 2001 From: Manuel Fombuena Date: Sat, 27 Jan 2024 23:39:06 +0000 Subject: [PATCH] Fix pkcs11 and pcsc modules pkcs11 and pcsc don't seem to have ever worked. In the case of pkcs11, the following install line is incorrect (note the dot before *): {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so.*" And it should be: {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so*" I opened a PR and it was merged a while ago: https://github.com/dracutdevs/dracut/pull/2540 In the case of pcsc there are two problems. One, the installation file is missing /usr/share/p11-kit/modules/opensc.module and without that, you can't really do anything. Two, dracut doesn't include polkit and pcsc is compiled with it enabled by default. The option --disable-polkit was added to pcscd in 2.0, precisely to address this issue. It needs to be added to pcscd.service in the module for it to work on initramfs. I opened another PR which has been approved by 2 reviewers and merged into openSUSE: https://github.com/dracutdevs/dracut/pull/2547 Signed-off-by: Manuel Fombuena --- ...ptsetup-token-systemd-pkcs11-so-path.patch | 23 +++++++++ 2547-fix-pcsc-module.patch | 50 +++++++++++++++++++ dracut.spec | 16 +++++- 3 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch create mode 100644 2547-fix-pcsc-module.patch diff --git a/2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch b/2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch new file mode 100644 index 0000000..388f5b5 --- /dev/null +++ b/2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch @@ -0,0 +1,23 @@ +From 1c762c0da6ed2bb6fa44d5e0968605cc4d45361c Mon Sep 17 00:00:00 2001 +From: innovara +Date: Fri, 27 Oct 2023 11:53:49 +0100 +Subject: [PATCH] fix(pkcs11): delete trailing dot on + libcryptsetup-token-systemd-pkcs11.so + +libcryptsetup-token-systemd-pkcs11.so.* doesn't match the file libcryptsetup-token-systemd-pkcs11.so +--- + modules.d/91pkcs11/module-setup.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/91pkcs11/module-setup.sh b/modules.d/91pkcs11/module-setup.sh +index 547631db66..5675efb580 100755 +--- a/modules.d/91pkcs11/module-setup.sh ++++ b/modules.d/91pkcs11/module-setup.sh +@@ -30,6 +30,6 @@ install() { + {"tls/$_arch/",tls/,"$_arch/",}"libffi.so.*" \ + {"tls/$_arch/",tls/,"$_arch/",}"libp11-kit.so.*" \ + {"tls/$_arch/",tls/,"$_arch/",}"libcryptsetup.so.*" \ +- {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so.*" ++ {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so*" + + } diff --git a/2547-fix-pcsc-module.patch b/2547-fix-pcsc-module.patch new file mode 100644 index 0000000..ca8cb78 --- /dev/null +++ b/2547-fix-pcsc-module.patch @@ -0,0 +1,50 @@ +From 6da61a2c0e38da4e6e880e1bb7f47d55d2c54c65 Mon Sep 17 00:00:00 2001 +From: Manuel Fombuena +Date: Fri, 3 Nov 2023 09:04:53 +0000 +Subject: [PATCH 1/2] fix(pcsc): add opensc load module file + +On Fedora, and possibly others, this file loads opensc-pkcs11.so which you need to interact with the smart card to unlock a LUKS encrypted volume. +--- + modules.d/91pcsc/module-setup.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules.d/91pcsc/module-setup.sh b/modules.d/91pcsc/module-setup.sh +index 6f8b2c88e1..26b463d436 100755 +--- a/modules.d/91pcsc/module-setup.sh ++++ b/modules.d/91pcsc/module-setup.sh +@@ -29,7 +29,8 @@ install() { + inst_simple "$moddir/pcscd.socket" "${systemdsystemunitdir}"/pcscd.socket + + inst_multiple -o \ +- pcscd ++ pcscd \ ++ /usr/share/p11-kit/modules/opensc.module + + # Enable systemd type unit(s) + for i in \ + +From 842be0c89fe0cc8cac9efa88e68b07ae1c2d2464 Mon Sep 17 00:00:00 2001 +From: Manuel Fombuena +Date: Fri, 3 Nov 2023 11:53:38 +0000 +Subject: [PATCH 2/2] fix(pcsc): add --disable-polkit to pcscd.service + +Needs pcsc >= 2.0.0 + +polkit is not included in dracut and without this option, pcscd simply fails +--- + modules.d/91pcsc/pcscd.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/91pcsc/pcscd.service b/modules.d/91pcsc/pcscd.service +index 639decd275..7d4e0a2b30 100644 +--- a/modules.d/91pcsc/pcscd.service ++++ b/modules.d/91pcsc/pcscd.service +@@ -5,7 +5,7 @@ Documentation=man:pcscd(8) + Requires=pcscd.socket + + [Service] +-ExecStart=/usr/sbin/pcscd --foreground --auto-exit ++ExecStart=/usr/sbin/pcscd --foreground --auto-exit --disable-polkit + ExecReload=/usr/sbin/pcscd --hotplug + + [Install] diff --git a/dracut.spec b/dracut.spec index 10d92a6..010e592 100644 --- a/dracut.spec +++ b/dracut.spec @@ -7,7 +7,7 @@ %global __requires_exclude pkg-config # rpmdev-bumpspec and releng automation compatible variable -%global baserelease 20 +%global baserelease 21 Name: dracut Version: 059 @@ -98,6 +98,15 @@ Patch17: 2481-remove-microcode-check-based-on-CONFIG_MICROCODE_.patch # https://github.com/dracutdevs/dracut/pull/2531 Patch: 2531.patch +# fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so +# https://github.com/dracutdevs/dracut/pull/2540 +Patch19: 2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch + +# fix(pcsc): add opensc load module file +# fix(pcsc): add --disable-polkit to pcscd.service +# https://github.com/dracutdevs/dracut/pull/2547 +Patch20: 2547-fix-pcsc-module.patch + BuildRequires: bash BuildRequires: git-core BuildRequires: pkgconfig(libkmod) >= 23 @@ -498,6 +507,11 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Sat Jan 27 2024 Manuel Fombuena - 059-21 +- fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so +- fix(pcsc): add opensc load module file +- fix(pcsc): add --disable-polkit to pcscd.service + * Wed Jan 24 2024 Fedora Release Engineering - 059-20 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild