From 2e4662341213349f90d98e0aeaf405f387906386 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 25 Apr 2013 20:35:25 +0200
Subject: [PATCH] dracut-027-39.git20130425
- fix shutdown, if /dev/console is not writeable
- fixed fips mode
Resolves: rhbz#956521
---
 ...t-output-to-dev-console-only-if-it-e.patch | 22 +++
 0037-fixup-3be5d63c2f.patch | 23 +++
 0038-fixed-fips-mode.patch | 131 ++++++++++++++++++
 dracut.spec | 10 +-
 4 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
 create mode 100644 0037-fixup-3be5d63c2f.patch
 create mode 100644 0038-fixed-fips-mode.patch
diff --git a/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch b/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
new file mode 100644
index 0000000..c017606
--- /dev/null
+++ b/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
@@ -0,0 +1,22 @@
+From 3be5d63c2fe24252fff92ea9c0ad43d4c7e579bd Mon Sep 17 00:00:00 2001
+From: Harald Hoyer
+Date: Fri, 19 Apr 2013 15:00:20 +0200
+Subject: [PATCH] shutdown: redirect output to /dev/console only if it exists
+
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index 6457cb0..f7b8509 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer
+ ACTION="$1"
+ 
+-exec >/dev/console 2>>/dev/console
++[ test -w /dev/console ] && exec >/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/0037-fixup-3be5d63c2f.patch b/0037-fixup-3be5d63c2f.patch
new file mode 100644
index 0000000..983dc28
--- /dev/null
+++ b/0037-fixup-3be5d63c2f.patch
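Review bot: The guard on the `++[ test -w /dev/console ]` line is not valid test syntax (`[` is `test`, so the literal word `test` becomes an operand); in bash and dash this reports an operator error and returns non-zero, so the redirection never happens. This commit repairs it in 0037-fixup-3be5d63c2f.patch, but as two separate spec patches the tree is broken between Patch36 and Patch37, so folding the fixup into this patch would keep every intermediate state bootable. The redirection itself also opens the console twice, once for stdout and once in append mode for stderr; `exec >/dev/console 2>&1` is the usual form and shares a single open. The rest of shutdown.sh is outside the hunk.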
@@ -0,0 +1,23 @@
+From ab42fe38fd1672f83cd3500771caf321ae25080d Mon Sep 17 00:00:00 2001
+From: Harald Hoyer
+Date: Fri, 19 Apr 2013 15:08:16 +0200
+Subject: [PATCH] fixup 3be5d63c2f
+
+either test or []
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index f7b8509..d6a532b 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer
+ ACTION="$1"
+ 
+-[ test -w /dev/console ] && exec >/dev/console 2>>/dev/console
++[ -w /dev/console ] && exec >/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/0038-fixed-fips-mode.patch b/0038-fixed-fips-mode.patch
new file mode 100644
index 0000000..e35b4f3
--- /dev/null
+++ b/0038-fixed-fips-mode.patch
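Review bot: `[ -w /dev/console ]` on the `++[ -w /dev/console ]` line only asks access(2) whether the node is writable, so `exec >/dev/console` can still fail when the open itself fails (for example ENXIO when no console driver is bound to the node), and because `exec` is a special built-in, a failed redirection terminates this non-interactive script — the same class of failure the patch is meant to avoid. A probe that attempts the open in a subshell covers both the permission and the open failure: `if ( : >/dev/console ) 2>/dev/null; then exec >/dev/console 2>&1; fi`. Whether the ENXIO case is in scope for rhbz#956521 is not visible here, so this is a hardening suggestion rather than a regression. The rest of shutdown.sh is outside the hunk.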
@@ -0,0 +1,131 @@
+From 6f4c2dada400f455cf7ee0afcd6bf41974c712d4 Mon Sep 17 00:00:00 2001
+From: Harald Hoyer
+Date: Thu, 25 Apr 2013 19:44:01 +0200
+Subject: [PATCH] fixed fips mode
+
+- preserve timestamps
+- copy /lib*/hmaccalc files
+- run sha512hmac after kernel module loading
+- add more fips kernel modules
+---
+ dracut.sh | 2 ++
+ install/dracut-install.c | 10 +++++++++-
+ modules.d/01fips/fips.sh | 7 ++++---
+ modules.d/01fips/module-setup.sh | 8 +++++---
+ modules.d/99base/dracut-lib.sh | 2 +-
+ 5 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 586172c..82b4a5f 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then
+ -executable -not -path '*/lib/modules/*.ko' -print0 \
+ | while read -r -d $'\0' f; do
+ if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
++ && ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \
++ && ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \
+ && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
+ && ! 
[[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
+ echo -n "$f"; echo -n -e "\000"
+diff --git a/install/dracut-install.c b/install/dracut-install.c
+index 2d0412c..2fad6df 100644
+--- a/install/dracut-install.c
++++ b/install/dracut-install.c
+@@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)
+ ret = clone_file(dest_desc, source_desc);
+ close(source_desc);
+ if (ret == 0) {
++ struct timeval tv[2];
+ if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)
+ fchown(dest_desc, -1, sb.st_gid);
++ tv[0].tv_sec = sb.st_atime;
++ tv[0].tv_usec = 0;
++ tv[1].tv_sec = sb.st_mtime;
++ tv[1].tv_usec = 0;
++ futimes(dest_desc, tv);
+ close(dest_desc);
+ return ret;
+ }
+@@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)
+ normal_copy:
+ pid = fork();
+ if (pid == 0) {
+- execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);
++ execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);
+ _exit(EXIT_FAILURE);
+ }
+ 
+@@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)
+ if (!hmacpath) {
+ hmac_install(src, dst, "/lib/fipscheck");
+ hmac_install(src, dst, "/lib64/fipscheck");
++ hmac_install(src, dst, "/lib/hmaccalc");
++ hmac_install(src, dst, "/lib64/hmaccalc");
+ }
+ 
+ srcpath[dlen] = '\0';
+diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
+index 48ad0e6..ce3e49c 100755
+--- a/modules.d/01fips/fips.sh
++++ b/modules.d/01fips/fips.sh
+@@ -51,7 +51,6 @@ mount_boot()
+ 
+ do_fips()
+ {
+- info "Checking integrity of kernel"
+ KERNEL=$(uname -r)
+ 
+ if ! 
[ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+@@ -59,8 +58,6 @@ do_fips()
+ return 1
+ fi
+ 
+- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+-
+ FIPSMODULES=$(cat /etc/fipsmodules)
+ 
+ info "Loading and integrity checking all crypto modules"
+@@ -72,6 +69,10 @@ do_fips()
+ info "Self testing crypto algorithms"
+ modprobe tcrypt || return 1
+ rmmod tcrypt
++
++ info "Checking integrity of kernel"
++ sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
++
+ info "All initrd crypto checks done"
+ 
+ > /tmp/fipsdone
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 8953132..a7f5be8 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -12,9 +12,11 @@ depends() {
+ 
+ installkernel() {
+ local _fipsmodules _mod
+- _fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"
+- _fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"
+- _fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"
++ _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
++ _fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
++ _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
++ _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
++ _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
+ 
+ mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+ 
+diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
+index ae79a82..9bd25f4 100755
+--- a/modules.d/99base/dracut-lib.sh
++++ b/modules.d/99base/dracut-lib.sh
+@@ -384,7 +384,7 @@ die() {
+ echo "warn dracut: FATAL: \"$*\"";
+ echo "warn dracut: Refusing to continue";
+ } >> $hookdir/emergency/01-die.sh
+-
++ [ -d /run/initramfs ] 
|| mkdir -p /run/initramfs
+ > /run/initramfs/.die
+ emergency_shell
+ exit 1
diff --git a/dracut.spec b/dracut.spec
index 5facf0d..bece2ed 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -10,7 +10,7 @@ Name: dracut
 Version: 027
-Release: 36.git20130418%{?dist}
+Release: 39.git20130425%{?dist}
 Summary: Initramfs generator using udev
 %if 0%{?fedora} || 0%{?rhel}
@@ -64,6 +64,9 @@ Patch32: 0032-.gitignore-ignore-more-files.patch
 Patch33: 0033-Makefile-remove-dracut-version.sh-on-clean.patch
 Patch34: 0034-base-dracut-lib.sh-do-not-setdebug-if-not-in-initram.patch
 Patch35: 0035-dracut-install-error-out-if-ldd-reports-no-execution.patch
+Patch36: 0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
+Patch37: 0037-fixup-3be5d63c2f.patch
+Patch38: 0038-fixed-fips-mode.patch
 BuildRequires: dash bash git
@@ -472,6 +475,11 @@ rm -rf $RPM_BUILD_ROOT
 %{dracutlibdir}/dracut.conf.d/02-norescue.conf
 %changelog
+* Thu Apr 25 2013 Harald Hoyer 027-39.git20130425
+- fix shutdown, if /dev/console is not writeable
+- fixed fips mode
+Resolves: rhbz#956521
+
 * Thu Apr 18 2013 Harald Hoyer 027-36.git20130418
 - fix initramfs creation on noexec tmpdir
 Resolves: rhbz#953426
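Review bot: The expanded `_fipsmodules` list in modules.d/01fips/module-setup.sh mixes FIPS-approved primitives with algorithms that are not approved under FIPS 140-2 (arc4, blowfish, md4, md5, salsa20, tea/xtea, …) and with entries that do not look like kernel module names (`rot13`, `tnepres`), and nothing in the hunk explains why they belong in a list that fips.sh loads and integrity-checks before a fips=1 boot continues. If the loop over FIPSMODULES in fips.sh (outside this hunk) treats a failed modprobe as fatal, a single entry without a matching .ko would send every fips=1 boot to the emergency shell, so each name should be confirmed against the shipped kernel. A comment above the assignment would make the intent explicit, e.g. `# every crypto module that must be present and HMAC-verified under fips=1 — this is the check list, not the set of approved algorithms`. Separately, the `futimes()` added in install/dracut-install.c drops the sub-second part of st_atime/st_mtime and ignores its return value; `futimens(dest_desc, (struct timespec[]){ sb.st_atim, sb.st_mtim })` preserves the full timestamps with a POSIX.1-2008 call. The cp() and do_fips() bodies continue outside their hunks.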