dracut - 046-1

- version 046
Harald Hoyer 2017-08-11 14:02:44 +02:00
parent 4eece4100e
commit 9e6bbe0722
22 changed files with 14 additions and 811 deletions

1
.gitignore vendored

@ -30,3 +30,4 @@
/dracut-043.tar.xz
/dracut-044.tar.xz
/dracut-045.tar.xz
/dracut-046.tar.xz


@ -1,98 +0,0 @@
From 2a1723ed83accdcb6871e12c722c03dac35dc35e Mon Sep 17 00:00:00 2001
From: Moritz Maxeiner <moritz@ucworks.org>
Date: Fri, 10 Jul 2015 15:38:59 +0200
Subject: [PATCH] crypt-gpg: For GnuPG >= 2.1 support OpenPGP smartcards
---
modules.d/91crypt-gpg/crypt-gpg-lib.sh | 34 ++++++++++++++++++++++++++++++++--
modules.d/91crypt-gpg/module-setup.sh | 17 +++++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/modules.d/91crypt-gpg/crypt-gpg-lib.sh b/modules.d/91crypt-gpg/crypt-gpg-lib.sh
index 5c7ea855..b85ed2b8 100755
--- a/modules.d/91crypt-gpg/crypt-gpg-lib.sh
+++ b/modules.d/91crypt-gpg/crypt-gpg-lib.sh
@@ -4,7 +4,7 @@ command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
# gpg_decrypt mnt_point keypath keydev device
#
-# Decrypts encrypted symmetrically key to standard output.
+# Decrypts symmetrically encrypted (password or OpenPGP smartcard) key to standard output.
#
# mnt_point - mount point where <keydev> is already mounted
# keypath - GPG encrypted key path relative to <mnt_point>
@@ -22,10 +22,40 @@ gpg_decrypt() {
mkdir -m 0700 -p "$gpghome"
+ # Setup GnuPG home and gpg-agent for usage of OpenPGP smartcard.
+ # This requires GnuPG >= 2.1, as it uses the new ,,pinentry-mode´´
+ # feature, which - when set to ,,loopback´´ - allows us to pipe
+ # the smartcard's pin to GnuPG (instead of using a normal pinentry
+ # program needed with GnuPG < 2.1), making for uncomplicated
+ # integration with the existing codebase.
+ local useSmartcard="0"
+ local gpgMajorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* ([0-9]*).*|\1|p')"
+ local gpgMinorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* [0-9]*\.([0-9]*).*|\1|p')"
+
+ if [ "${gpgMajorVersion}" -ge 2 ] && [ "${gpgMinorVersion}" -ge 1 ] \
+ && [ -f /root/crypt-public-key.gpg ] && getargbool 1 rd.luks.smartcard ; then
+ useSmartcard="1"
+ echo "allow-loopback-pinentry" >> "$gpghome/gpg-agent.conf"
+ GNUPGHOME="$gpghome" gpg-agent --quiet --daemon
+ GNUPGHOME="$gpghome" gpg --quiet --no-tty --import < /root/crypt-public-key.gpg
+ local smartcardSerialNumber="$(GNUPGHOME=$gpghome gpg --no-tty --card-status \
+ | sed -n -r -e 's|Serial number.*: ([0-9]*)|\1|p' | tr -d '\n')"
+ if [ -n "${smartcardSerialNumber}" ]; then
+ inputPrompt="PIN (OpenPGP card ${smartcardSerialNumber})"
+ fi
+ GNUPGHOME="$gpghome" gpg-connect-agent 1>/dev/null learn /bye
+ opts="$opts --pinentry-mode=loopback"
+ fi
+
ask_for_password \
--cmd "gpg $opts --decrypt $mntp/$keypath" \
- --prompt "Password ($keypath on $keydev for $device)" \
+ --prompt "${inputPrompt:-Password ($keypath on $keydev for $device)}" \
--tries 3 --tty-echo-off
+ # Clean up the smartcard gpg-agent
+ if [ "${useSmartcard}" == "1" ]; then
+ GNUPGHOME="$gpghome" gpg-connect-agent 1>/dev/null killagent /bye
+ fi
+
rm -rf -- "$gpghome"
}
diff --git a/modules.d/91crypt-gpg/module-setup.sh b/modules.d/91crypt-gpg/module-setup.sh
index d328c04c..1323a181 100755
--- a/modules.d/91crypt-gpg/module-setup.sh
+++ b/modules.d/91crypt-gpg/module-setup.sh
@@ -5,6 +5,12 @@
check() {
require_binaries gpg || return 1
+ if [ -f "${initdir}/root/crypt-public-key.gpg" ]; then
+ require_binaries gpg-agent || return 1
+ require_binaries gpg-connect-agent || return 1
+ require_binaries /usr/libexec/scdaemon || return 1
+ fi
+
return 255
}
@@ -17,4 +23,15 @@ depends() {
install() {
inst_multiple gpg
inst "$moddir/crypt-gpg-lib.sh" "/lib/dracut-crypt-gpg-lib.sh"
+
+ local gpgMajorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* ([0-9]*).*|\1|p')"
+ local gpgMinorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* [0-9]*\.([0-9]*).*|\1|p')"
+ if [ "${gpgMajorVersion}" -ge 2 ] && [ "${gpgMinorVersion}" -ge 1 ] && [ -f /etc/dracut.conf.d/crypt-public-key.gpg ]; then
+ inst_multiple gpg-agent
+ inst_multiple gpg-connect-agent
+ inst_multiple /usr/libexec/scdaemon || derror "crypt-gpg: gnugpg with scdaemon required for smartcard support in the initramfs"
+ cp "/etc/dracut.conf.d/crypt-public-key.gpg" "${initdir}/root/"
+ elif [ -f /etc/dracut.conf.d/crypt-public-key.gpg ]; then
+ dwarning "crypt-gpg: gnupg >= 2.1 required for smartcard support in the initramfs"
+ fi
}


@ -1,67 +0,0 @@
From 98047e08d02b91f632ec8554fc02af05069216dd Mon Sep 17 00:00:00 2001
From: Moritz Maxeiner <moritz@ucworks.org>
Date: Mon, 13 Jul 2015 17:53:29 +0200
Subject: [PATCH] crypt-gpg: Add README describing the procedure of moving from
password-only gpg keyfile to password/smartcard gpg keyfile
---
modules.d/91crypt-gpg/README | 50 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 modules.d/91crypt-gpg/README
diff --git a/modules.d/91crypt-gpg/README b/modules.d/91crypt-gpg/README
new file mode 100644
index 00000000..be6df55a
--- /dev/null
+++ b/modules.d/91crypt-gpg/README
@@ -0,0 +1,50 @@
+# Directions for changing a system from password-based gpg keyfile
+# to smartcard-based gpg keyfile
+
+# Be sure that you meet the following requirements:
+# 1. GnuPG >= 2.1 installed with
+# * Smartcard support enabled (scdaemon must be built)
+# * Direct CCID access built into scdaemon
+# 2. A password-based gpg keyfile ${KEYFILE} (e.g. "keyfile.gpg"):
+# That is, a file containing the slot key for LUKS, which
+# has been encrypted symmetrically with GnuPG using
+# a password.
+# 3. Your public OpenPGP identity ${RECIPIENT} (e.g. "3A696356")
+# 4. An OpenPGP smartcard holding the decryption key associated
+# with your public identity
+# 5. A CCID smartcard reader
+
+# Notes: Requirement 4. and 5. can of course be one device, e.g.
+# a USB token with an integrated OpenPGP smartcard
+
+# Make a backup of your keyfile (assuming it lies on the boot partition)
+$ cp /boot/${KEYFILE} /safe/place/keyfile.bak.gpg
+
+# Change your keyfile from purely password-based to both
+# password-based and key-based (you can then decrypt the keyfile
+# with either method). As an example aes256 is chosen, the cipher
+# is not important to this guide, but do note that your kernel
+# must support it at boot time (be it built into the kernel image
+# or loaded as a module from the initramfs).
+$ cat /safe/place/keyfile.bak.gpg | gpg -d | gpg --encrypt --recipient ${RECIPIENT} --cipher-algo aes256 --armor -c > /safe/place/keyfile_sc.gpg
+
+# Verify that you can decrypt your new keyfile both with the password
+# and your smartcard.
+# (with smartcard inserted, you should be prompted for your PIN, unless
+# you already did so and have not yet timed out)
+$ gpg -d /safe/place/keyfile_sc.gpg
+# (with smartcard disconnected, you should be prompted for your password)
+$ gpg -d /safe/place/keyfile_sc.gpg
+
+# After verification, replace your old keyfile with your new one
+$ su -c 'cp /safe/place/keyfile_sc.gpg /boot/${KEYFILE}'
+
+# Export your public key to where crypt-gpg can find it
+$ gpg --armor --export-options export-minimal --export ${RECIPIENT} > /safe/place/crypt-public-key.gpg
+$ su -c 'cp /safe/place/crypt-public-key.gpg /etc/dracut.conf.d/crypt-public-key.gpg'
+
+# Rebuild your initramfs as usual
+# When booting with any of the requirements not met, crypt-gpg will default to password-based keyfile unlocking.
+# If all requirements are met and smartcard support is not disabled by setting the kernel option "rd.luks.smartcard=0"
+# crypt-gpg will try find and use a connected OpenPGP smartcard by prompting you for the PIN and then
+# unlocking the gpg keyfile with the smartcard.


@ -1,74 +0,0 @@
From 0982fcb2e5ae334790851fa8ff7cf65281842ad1 Mon Sep 17 00:00:00 2001
From: Moritz Maxeiner <moritz@ucworks.org>
Date: Thu, 30 Mar 2017 14:17:05 +0200
Subject: [PATCH] crypt-gpg: Rework setup for CCID smartcard support
---
modules.d/91crypt-gpg/module-setup.sh | 46 ++++++++++++++++++++++++++---------
1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/modules.d/91crypt-gpg/module-setup.sh b/modules.d/91crypt-gpg/module-setup.sh
index 1323a181..bb34676f 100755
--- a/modules.d/91crypt-gpg/module-setup.sh
+++ b/modules.d/91crypt-gpg/module-setup.sh
@@ -5,10 +5,11 @@
check() {
require_binaries gpg || return 1
- if [ -f "${initdir}/root/crypt-public-key.gpg" ]; then
- require_binaries gpg-agent || return 1
- require_binaries gpg-connect-agent || return 1
- require_binaries /usr/libexec/scdaemon || return 1
+ if sc_requested; then
+ if ! sc_supported; then
+ dwarning "crypt-gpg: GnuPG >= 2.1 with scdaemon and libusb required for ccid smartcard support"
+ return 1
+ fi
fi
return 255
@@ -24,14 +25,37 @@ install() {
inst_multiple gpg
inst "$moddir/crypt-gpg-lib.sh" "/lib/dracut-crypt-gpg-lib.sh"
- local gpgMajorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* ([0-9]*).*|\1|p')"
- local gpgMinorVersion="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* [0-9]*\.([0-9]*).*|\1|p')"
- if [ "${gpgMajorVersion}" -ge 2 ] && [ "${gpgMinorVersion}" -ge 1 ] && [ -f /etc/dracut.conf.d/crypt-public-key.gpg ]; then
+ if sc_requested; then
inst_multiple gpg-agent
inst_multiple gpg-connect-agent
- inst_multiple /usr/libexec/scdaemon || derror "crypt-gpg: gnugpg with scdaemon required for smartcard support in the initramfs"
- cp "/etc/dracut.conf.d/crypt-public-key.gpg" "${initdir}/root/"
- elif [ -f /etc/dracut.conf.d/crypt-public-key.gpg ]; then
- dwarning "crypt-gpg: gnupg >= 2.1 required for smartcard support in the initramfs"
+ inst_multiple /usr/libexec/scdaemon
+ cp "$(sc_public_key)" "${initdir}/root/"
+ fi
+}
+
+sc_public_key() {
+ echo -n "/etc/dracut.conf.d/crypt-public-key.gpg"
+}
+
+# CCID Smartcard support requires GnuPG >= 2.1 with scdaemon and libusb
+sc_supported() {
+ local gpgMajor="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* ([0-9]*).*|\1|p')"
+ local gpgMinor="$(gpg --version | sed -n 1p | sed -n -r -e 's|.* [0-9]*\.([0-9]*).*|\1|p')"
+ if [[ "${gpgMajor}" -gt 2 || "${gpgMajor}" -eq 2 && "${gpgMinor}" -ge 1 ]] && \
+ require_binaries gpg-agent &&
+ require_binaries gpg-connect-agent &&
+ require_binaries /usr/libexec/scdaemon &&
+ (ldd /usr/libexec/scdaemon | grep libusb > /dev/null); then
+ return 0
+ else
+ return 1
+ fi
+}
+
+sc_requested() {
+ if [ -f "$(sc_public_key)" ]; then
+ return 0
+ else
+ return 1
fi
}


@ -1,21 +0,0 @@
From 0e1b686b8367925b21c76b9d9e36bf7d2f6b89ac Mon Sep 17 00:00:00 2001
From: Moritz Maxeiner <moritz@ucworks.org>
Date: Thu, 30 Mar 2017 14:54:26 +0200
Subject: [PATCH] crypt-gpg: Include module if CCID smartcard support requested
---
modules.d/91crypt-gpg/module-setup.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules.d/91crypt-gpg/module-setup.sh b/modules.d/91crypt-gpg/module-setup.sh
index bb34676f..f1c6a34b 100755
--- a/modules.d/91crypt-gpg/module-setup.sh
+++ b/modules.d/91crypt-gpg/module-setup.sh
@@ -10,6 +10,7 @@ check() {
dwarning "crypt-gpg: GnuPG >= 2.1 with scdaemon and libusb required for ccid smartcard support"
return 1
fi
+ return 0
fi
return 255


@ -1,21 +0,0 @@
From c603419030136570b5944dc4620f62d07b9e82bb Mon Sep 17 00:00:00 2001
From: pallotron <pallotron@fb.com>
Date: Tue, 4 Apr 2017 08:31:21 -0700
Subject: [PATCH] wait for IPv6 RA if using none/static IPv6 assignment
---
modules.d/40network/net-lib.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index 75051544..b74fdbdd 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -671,6 +671,7 @@ wait_for_ipv6_dad() {
while [ $cnt -lt $timeout ]; do
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1")" ] \
&& return 0
[ -n "$(ip -6 addr show dev "$1" dadfailed)" ] \
&& return 1


@ -1,23 +0,0 @@
From 4c3d99f9665118198ec68a93ecdcc15c88e23c98 Mon Sep 17 00:00:00 2001
From: pallotron <pallotron@fb.com>
Date: Tue, 4 Apr 2017 12:59:45 -0700
Subject: [PATCH] enabling some ipv6 config before running wait_for_ipv6_dad
---
modules.d/40network/ifup.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules.d/40network/ifup.sh b/modules.d/40network/ifup.sh
index fd721e74..f979b59b 100755
--- a/modules.d/40network/ifup.sh
+++ b/modules.d/40network/ifup.sh
@@ -108,6 +108,9 @@ do_static() {
if strglobin $ip '*:*:*'; then
# note no ip addr flush for ipv6
ip addr add $ip/$mask ${srv:+peer $srv} dev $netif
+ echo 0 > /proc/sys/net/ipv6/conf/$netif/forwarding
+ echo 1 > /proc/sys/net/ipv6/conf/$netif/accept_ra
+ echo 1 > /proc/sys/net/ipv6/conf/$netif/accept_redirects
wait_for_ipv6_dad $netif
else
if command -v arping2 >/dev/null; then


@ -1,45 +0,0 @@
From 96b708e178930b0891daab8dcc9d1d7375637a29 Mon Sep 17 00:00:00 2001
From: pallotron <pallotron@fb.com>
Date: Wed, 5 Apr 2017 00:15:16 -0700
Subject: [PATCH] more ipv6 improvements
---
modules.d/40network/net-lib.sh | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index b74fdbdd..e0f761f3 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -653,7 +653,9 @@ wait_for_ipv6_dad_link() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
+ echo "wait_for_ipv6_dad_link..." 1>&2
[ -z "$(ip -6 addr show dev "$1" scope link tentative)" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0
[ -n "$(ip -6 addr show dev "$1" scope link dadfailed)" ] \
&& return 1
@@ -670,8 +672,9 @@ wait_for_ipv6_dad() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
+ echo "wait_for_ipv6_dad..." 1>&2
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
- && [ -n "$(ip -6 route list proto ra dev "$1")" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0
[ -n "$(ip -6 addr show dev "$1" dadfailed)" ] \
&& return 1
@@ -688,8 +691,9 @@ wait_for_ipv6_auto() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
+ echo "wait_for_ipv6_auto..." 1>&2
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
- && [ -n "$(ip -6 route list proto ra dev "$1")" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0
sleep 0.1
cnt=$(($cnt+1))


@ -1,37 +0,0 @@
From a0545765e8cec749e59a664ef09944786132327b Mon Sep 17 00:00:00 2001
From: pallotron <pallotron@fb.com>
Date: Wed, 5 Apr 2017 00:16:16 -0700
Subject: [PATCH] remove prints
---
modules.d/40network/net-lib.sh | 3 ---
1 file changed, 3 deletions(-)
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index e0f761f3..fea45be2 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -653,7 +653,6 @@ wait_for_ipv6_dad_link() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
- echo "wait_for_ipv6_dad_link..." 1>&2
[ -z "$(ip -6 addr show dev "$1" scope link tentative)" ] \
&& [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0
@@ -672,7 +671,6 @@ wait_for_ipv6_dad() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
- echo "wait_for_ipv6_dad..." 1>&2
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
&& [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0
@@ -691,7 +689,6 @@ wait_for_ipv6_auto() {
timeout=$(($timeout*10))
while [ $cnt -lt $timeout ]; do
- echo "wait_for_ipv6_auto..." 1>&2
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
&& [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
&& return 0


@ -1,40 +0,0 @@
From 031e2f7bb8aea447cd87e455b184106acb4aa435 Mon Sep 17 00:00:00 2001
From: pallotron <pallotron@fb.com>
Date: Wed, 5 Apr 2017 00:23:36 -0700
Subject: [PATCH] more ipv6 improvements
---
modules.d/40network/net-lib.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index fea45be2..71a665cd 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -654,7 +654,7 @@ wait_for_ipv6_dad_link() {
while [ $cnt -lt $timeout ]; do
[ -z "$(ip -6 addr show dev "$1" scope link tentative)" ] \
- && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep ^default)" ] \
&& return 0
[ -n "$(ip -6 addr show dev "$1" scope link dadfailed)" ] \
&& return 1
@@ -672,7 +672,7 @@ wait_for_ipv6_dad() {
while [ $cnt -lt $timeout ]; do
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
- && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep ^default)" ] \
&& return 0
[ -n "$(ip -6 addr show dev "$1" dadfailed)" ] \
&& return 1
@@ -690,7 +690,7 @@ wait_for_ipv6_auto() {
while [ $cnt -lt $timeout ]; do
[ -z "$(ip -6 addr show dev "$1" tentative)" ] \
- && [ -n "$(ip -6 route list proto ra dev "$1" | grep default)" ] \
+ && [ -n "$(ip -6 route list proto ra dev "$1" | grep ^default)" ] \
&& return 0
sleep 0.1
cnt=$(($cnt+1))


@ -1,33 +0,0 @@
From ea765c0ee17178fe74c73873505f7c86f40f9ec7 Mon Sep 17 00:00:00 2001
From: Frederick Grose <fgrose@sugarlabs.org>
Date: Sat, 8 Apr 2017 21:01:19 -0400
Subject: [PATCH] dmsquash-live-root: Avoid mount source conflict on
$BASE_LOOPDEV.
The newer mount utilities are more strict about directly shared
devices. For OverlayFS boots, which mount $BASE_LOOPDEV directly,
avoid a mount error by indirectly sharing the read-only base
filesystem through a second, over-attached $BASE_LOOPDEV for
the DM live-base target.
---
modules.d/90dmsquash-live/dmsquash-live-root.sh | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules.d/90dmsquash-live/dmsquash-live-root.sh b/modules.d/90dmsquash-live/dmsquash-live-root.sh
index 264983f5..3a25465c 100755
--- a/modules.d/90dmsquash-live/dmsquash-live-root.sh
+++ b/modules.d/90dmsquash-live/dmsquash-live-root.sh
@@ -241,7 +241,12 @@ do_live_overlay() {
fi
# Create a device that always points to a ro base image
- echo 0 $sz linear $BASE_LOOPDEV 0 | dmsetup create --readonly live-base
+ if [ -n "$overlayfs" ]; then
+ BASE_LOOPDUP=$(losetup -f --show -r $BASE_LOOPDEV)
+ echo 0 $sz linear $BASE_LOOPDUP 0 | dmsetup create --readonly live-base
+ else
+ echo 0 $sz linear $BASE_LOOPDEV 0 | dmsetup create --readonly live-base
+ fi
}
# we might have a genMinInstDelta delta file for anaconda to take advantage of


@ -1,18 +0,0 @@
From 538ff0fd802589587734ccdcc811d78e2c0816a4 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 10 Apr 2017 14:50:21 +0200
Subject: [PATCH] add .mailmap
---
.mailmap | 1 +
1 file changed, 1 insertion(+)
diff --git a/.mailmap b/.mailmap
index 53d61f2a..fd7ab839 100644
--- a/.mailmap
+++ b/.mailmap
@@ -16,3 +16,4 @@ Frederick Grose <fgrose@sugarlabs.org> <fgrose@gmail.com>
Frederic Crozat <fcrozat@suse.com> <fcrozat@mandriva.com>
Shawn W Dunn <sfalken@opensuse.org> <sfalken@opensuse.org>
Kyle McMartin <kmcmarti@redhat.com> <kyle@redhat.com>
+Angelo "pallotron" Failla <pallotron@fb.com> <pallotron@fb.com>


@ -1,24 +0,0 @@
From f59548aeab5da479493e2c49400993a6502f6f8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Pawe=C5=82=20Gajc?= <tpgxyz@gmail.com>
Date: Mon, 24 Apr 2017 21:37:56 +0200
Subject: [PATCH] fix build with KMOD
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 64b46e75..414fb330 100644
--- a/Makefile
+++ b/Makefile
@@ -12,8 +12,8 @@ pkglibdir ?= ${libdir}/dracut
sysconfdir ?= ${prefix}/etc
bindir ?= ${prefix}/bin
mandir ?= ${prefix}/share/man
-CFLAGS ?= -O2 -g -Wall $(KMOD_CFLAGS)
-CFLAGS += -std=gnu99 -D_FILE_OFFSET_BITS=64 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
+CFLAGS ?= -O2 -g -Wall
+CFLAGS += -std=gnu99 -D_FILE_OFFSET_BITS=64 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 $(KMOD_CFLAGS)
bashcompletiondir ?= ${datadir}/bash-completion/completions
pkgconfigdatadir ?= $(datadir)/pkgconfig


@ -1,27 +0,0 @@
From 7cf2c21798b537a5553ecc23df5ce8cfda631e9c Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Tue, 25 Apr 2017 15:25:20 +0200
Subject: [PATCH] mkinitrd-suse.sh: Fix prefix calculation
The previous algorithm was incorrect and would return
incorrect results e.g. for a /20 mask. Also gets rid
of an undocumented depencency on bc(1).
Reference: bsc#1035743
---
mkinitrd-suse.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkinitrd-suse.sh b/mkinitrd-suse.sh
index bc49d731..d9de81b9 100755
--- a/mkinitrd-suse.sh
+++ b/mkinitrd-suse.sh
@@ -104,7 +104,7 @@ calc_netmask() {
local prefix=$1
[ -z "$prefix" ] && return
- mask=$(echo "(2 ^ 32) - (2 ^ $prefix)" | bc -l)
+ mask=$(( 0xffffffff << (32 - $prefix) ))
byte1=$(( mask >> 24 ))
byte2=$(( mask >> 16 ))
byte3=$(( mask >> 8 ))


@ -1,42 +0,0 @@
From 29fd71b23dc1aca1301510bf68ee8e1a5e336496 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Wed, 26 Apr 2017 09:39:20 +0200
Subject: [PATCH] TEST-50-MULTINIC: fix bridge test
Bridge with nics on a different vlan, otherwise we will see:
[ 117.750825] bridge0: received packet on ens5 with own address as source address
---
test/TEST-50-MULTINIC/test.sh | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/test/TEST-50-MULTINIC/test.sh b/test/TEST-50-MULTINIC/test.sh
index 84792fe6..917272d8 100755
--- a/test/TEST-50-MULTINIC/test.sh
+++ b/test/TEST-50-MULTINIC/test.sh
@@ -51,10 +51,12 @@ client_test() {
fi
$testdir/run-qemu -drive format=raw,index=0,media=disk,file="$TESTDIR"/client.img -m 512M -smp 2 -nographic \
- -net socket,connect=127.0.0.1:12350 \
- -net nic,macaddr=52:54:00:12:34:$mac1,model=e1000 \
- -net nic,macaddr=52:54:00:12:34:$mac2,model=e1000 \
- -net nic,macaddr=52:54:00:12:34:$mac3,model=e1000 \
+ -net socket,vlan=0,connect=127.0.0.1:12350 \
+ -net nic,vlan=0,macaddr=52:54:00:12:34:$mac1,model=e1000 \
+ -net nic,vlan=0,macaddr=52:54:00:12:34:$mac2,model=e1000 \
+ -net nic,vlan=0,macaddr=52:54:00:12:34:$mac3,model=e1000 \
+ -net nic,vlan=1,macaddr=52:54:00:12:34:98,model=e1000 \
+ -net nic,vlan=2,macaddr=52:54:00:12:34:99,model=e1000 \
-watchdog i6300esb -watchdog-action poweroff \
-no-reboot \
-append "panic=1 rd.shell=0 $cmdline $DEBUGFAIL rd.retry=5 ro console=ttyS0,115200n81 selinux=0 init=/sbin/init rd.debug systemd.log_target=console loglevel=7" \
@@ -146,7 +148,7 @@ test_client() {
client_test "MULTINIC bridging" \
00 01 02 \
- "root=nfs:192.168.50.1:/nfs/client ip=bridge0:dhcp bridge=bridge0:ens3,ens4,ens5" \
+ "root=nfs:192.168.50.1:/nfs/client ip=bridge0:dhcp bridge=bridge0:ens3,ens6,ens7" \
"bridge0" || return 1
return 0
}


@ -1,22 +0,0 @@
From ab66ef2d4a4297642fa059e9df4f86ccefbed4aa Mon Sep 17 00:00:00 2001
From: Jason Dana <jasondana@quarksecurity.com>
Date: Thu, 27 Apr 2017 07:55:58 -0400
Subject: [PATCH] Check the proper variable for a custom IMA keys directory
---
modules.d/98integrity/ima-keys-load.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh
index 659b7222..e142f74d 100755
--- a/modules.d/98integrity/ima-keys-load.sh
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -13,7 +13,7 @@ load_x509_keys()
. ${IMACONFIG}
fi
- if [ -z "${IMAKEYDIR}" ]; then
+ if [ -z "${IMAKEYSDIR}" ]; then
IMAKEYSDIR="/etc/keys/ima"
fi


@ -1,99 +0,0 @@
From 892b1fe6b74a04e7901db306231136a430326ee3 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 3 May 2017 12:32:43 -0700
Subject: [PATCH] Handle curl using libnssckbi for TLS (RHBZ #1447777)
curl in Fedora recently changed its default CA trust store. The
Fedora package no longer specifies an OpenSSL-format bundle file
during build, and curl itself has been patched to use an NSS
plugin called libnssckbi.so when no bundle file or directory is
specified. There are (at present) two possible providers of the
libnssckbi.so module: the original NSS implementation, which
uses a trust bundle built in at build time, and a compatible
implementation from the p11-kit project, which reads a trust
bundle at run time. So if we find a string in libcurl.so that
suggests libnssckbi might be in use, we must both install it and
make an effort to install any trust bundle files it may use.
The p11-kit libnssckbi implementation does include a string that
lists the top-level trust directories it will use, so we try to
find that string, though the best effort I can come up with will
also find many false positives too. To weed out the false
positives, we check whether the matches actually exist as dirs,
and if so, whether they contain some specific subdirectories we
know p11-kit trust dirs must have (thanks, @kaie). For the NSS
libnssckbi implementation, we will likely wind up not finding any
dirs that match the requirements, so we will simply install the
libnssckbi.so file itself, which is the correct action.
This fixes TLS transactions in the initramfs environment when
using a curl that's built this new way; it's significant for
use of kickstarts and update images with the Fedora / RHEL
installer, as these are retrieved in the initramfs environment,
and are frequently retrieved via HTTPS.
---
modules.d/45url-lib/module-setup.sh | 38 +++++++++++++++++++++++++++++++++++--
1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/modules.d/45url-lib/module-setup.sh b/modules.d/45url-lib/module-setup.sh
index 1ece400f..b3fe55a6 100755
--- a/modules.d/45url-lib/module-setup.sh
+++ b/modules.d/45url-lib/module-setup.sh
@@ -15,7 +15,7 @@ depends() {
# called by dracut
install() {
- local _dir _crt _found _lib
+ local _dir _crt _found _lib _nssckbi _p11roots _p11root _p11item
inst_simple "$moddir/url-lib.sh" "/lib/url-lib.sh"
inst_multiple -o ctorrent
inst_multiple curl
@@ -29,6 +29,7 @@ install() {
[[ -d $_dir ]] || continue
for _lib in $_dir/libcurl.so.*; do
[[ -e $_lib ]] || continue
+ [[ $_nssckbi ]] || _nssckbi=$(grep -F --binary-files=text -z libnssckbi $_lib)
_crt=$(grep -F --binary-files=text -z .crt $_lib)
[[ $_crt ]] || continue
[[ $_crt == /*/* ]] || continue
@@ -39,6 +40,39 @@ install() {
_found=1
done
done
- [[ $_found ]] || dwarn "Couldn't find SSL CA cert bundle; HTTPS won't work."
+ # If we found no cert bundle files referenced in libcurl but we
+ # *did* find a mention of libnssckbi (checked above), install it.
+ # If its truly NSS libnssckbi, it includes its own trust bundle,
+ # but if it's really p11-kit-trust.so, we need to find the dirs
+ # where it will look for a trust bundle and install them too.
+ if ! [[ $_found ]] && [[ $_nssckbi ]] ; then
+ _found=1
+ inst_libdir_file "libnssckbi.so*" || _found=
+ for _dir in $libdirs; do
+ [[ -e $_dir/libnssckbi.so ]] || continue
+ # this looks for directory-ish strings in the file
+ for _p11roots in $(grep -o --binary-files=text "/[[:alpha:]][[:print:]]*" $_dir/libnssckbi.so) ; do
+ # the string can be a :-separated list of dirs
+ for _p11root in $(echo "$_p11roots" | tr ':' '\n') ; do
+ # check if it's actually a directory (there are
+ # several false positives in the results)
+ [[ -d "$_p11root" ]] || continue
+ # check if it has some specific subdirs that all
+ # p11-kit trust dirs have
+ [[ -d "${_p11root}/anchors" ]] || continue
+ [[ -d "${_p11root}/blacklist" ]] || continue
+ # so now we know it's really a p11-kit trust dir;
+ # install everything in it
+ for _p11item in $(find "$_p11root") ; do
+ if ! inst "$_p11item" ; then
+ dwarn "Couldn't install '$_p11item' from p11-kit trust dir '$_p11root'; HTTPS might not work."
+ continue
+ fi
+ done
+ done
+ done
+ done
+ fi
+ [[ $_found ]] || dwarn "Couldn't find SSL CA cert bundle or libnssckbi.so; HTTPS won't work."
}


@ -1,37 +0,0 @@
From feaaee4278077dd67fe24acebfbe47ba20738955 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Sat, 13 May 2017 17:23:36 +0200
Subject: [PATCH] drm: Install pwm modules on all architectures
At least on x86 on Bay and Cherry Trail devices the pmw-lpss modules must
be in the initrd too, otherwise the i915 driver will still load, but
it will report the following error:
[drm:pwm_setup_backlight [i915]] *ERROR* Failed to own the pwm chip
And not register /sys/class/backlight/intel_backlight and users will
not be able to control their backlight.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
modules.d/50drm/module-setup.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules.d/50drm/module-setup.sh b/modules.d/50drm/module-setup.sh
index 42a5e7bc..2014539a 100755
--- a/modules.d/50drm/module-setup.sh
+++ b/modules.d/50drm/module-setup.sh
@@ -21,12 +21,11 @@ installkernel() {
"=drivers/gpu/drm/i2c" \
"=drivers/gpu/drm/panel" \
"=drivers/gpu/drm/bridge" \
- "=drivers/pwm" \
"=drivers/video/backlight" \
${NULL}
fi
- instmods amdkfd hyperv_fb
+ instmods amdkfd hyperv_fb "=drivers/pwm"
# if the hardware is present, include module even if it is not currently loaded,
# as we could e.g. be in the installer; nokmsboot boot parameter will disable


@ -1,25 +0,0 @@
From f496af50b7c5ddf13154123186cee713f540c8db Mon Sep 17 00:00:00 2001
From: Peter Robinson <pbrobinson@gmail.com>
Date: Fri, 4 Aug 2017 18:43:26 +0100
Subject: [PATCH 1/2] add options to pickup dw_mmc submodules to blockfuncs
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
---
modules.d/90kernel-modules/module-setup.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules.d/90kernel-modules/module-setup.sh b/modules.d/90kernel-modules/module-setup.sh
index 623af868..4478dfe6 100755
--- a/modules.d/90kernel-modules/module-setup.sh
+++ b/modules.d/90kernel-modules/module-setup.sh
@@ -27,6 +27,7 @@ installkernel() {
if [[ "$(uname -m)" == arm* || "$(uname -m)" == aarch64 ]]; then
# arm/aarch64 specific modules
+ _blockfuncs+='|dw_mc_probe|dw_mci_pltfm_register'
instmods \
"=drivers/clk" \
"=drivers/dma" \
--
2.13.4


@ -1,33 +0,0 @@
From 39018c93c2bcf20a7f5f9ee509ad1c0448d598f7 Mon Sep 17 00:00:00 2001
From: Peter Robinson <pbrobinson@gmail.com>
Date: Fri, 4 Aug 2017 19:51:25 +0100
Subject: [PATCH 2/2] arm: add soc/extcon/mfd as they're often needed for USB
and core memory/soc drivers
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
---
modules.d/90kernel-modules/module-setup.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules.d/90kernel-modules/module-setup.sh b/modules.d/90kernel-modules/module-setup.sh
index 4478dfe6..462b5417 100755
--- a/modules.d/90kernel-modules/module-setup.sh
+++ b/modules.d/90kernel-modules/module-setup.sh
@@ -31,11 +31,14 @@ installkernel() {
instmods \
"=drivers/clk" \
"=drivers/dma" \
+ "=drivers/extcon" \
"=drivers/i2c/busses" \
+ "=drivers/mfd" \
"=drivers/phy" \
"=drivers/power" \
"=drivers/regulator" \
"=drivers/rtc" \
+ "=drivers/soc" \
"=drivers/usb/chipidea" \
"=drivers/usb/dwc2" \
"=drivers/usb/dwc3" \
--
2.13.4


@ -15,8 +15,8 @@
%endif
Name: dracut
Version: 045
Release: 21.git20170515%{?dist}
Version: 046
Release: 1%{?dist}
Summary: Initramfs generator using udev
%if 0%{?fedora} || 0%{?rhel}
@ -35,30 +35,10 @@ URL: https://dracut.wiki.kernel.org/
# Source can be generated by
# http://git.kernel.org/?p=boot/dracut/dracut.git;a=snapshot;h=%%{version};sf=tgz
Source0: http://www.kernel.org/pub/linux/utils/boot/dracut/dracut-%{version}.tar.xz
Patch1: 0001-crypt-gpg-For-GnuPG-2.1-support-OpenPGP-smartcards.patch
Patch2: 0002-crypt-gpg-Add-README-describing-the-procedure-of-mov.patch
Patch3: 0003-crypt-gpg-Rework-setup-for-CCID-smartcard-support.patch
Patch4: 0004-crypt-gpg-Include-module-if-CCID-smartcard-support-r.patch
Patch5: 0005-wait-for-IPv6-RA-if-using-none-static-IPv6-assignmen.patch
Patch6: 0006-enabling-some-ipv6-config-before-running-wait_for_ip.patch
Patch7: 0007-more-ipv6-improvements.patch
Patch8: 0008-remove-prints.patch
Patch9: 0009-more-ipv6-improvements.patch
Patch10: 0010-dmsquash-live-root-Avoid-mount-source-conflict-on-BA.patch
Patch11: 0011-add-.mailmap.patch
Patch12: 0012-fix-build-with-KMOD.patch
Patch13: 0013-mkinitrd-suse.sh-Fix-prefix-calculation.patch
Patch14: 0014-TEST-50-MULTINIC-fix-bridge-test.patch
Patch15: 0015-Check-the-proper-variable-for-a-custom-IMA-keys-dire.patch
Patch16: 0016-Handle-curl-using-libnssckbi-for-TLS-RHBZ-1447777.patch
Patch17: 0017-drm-Install-pwm-modules-on-all-architectures.patch
Patch18: 0018-add-options-to-pickup-dw_mmc-submodules-to-blockfunc.patch
Patch19: 0019-arm-add-soc-extcon-mfd-as-they-re-often-needed-for-U.patch
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
BuildRequires: bash git-core
BuildRequires: bash git
BuildRequires: kmod-devel >= 15
%if 0%{?fedora} || 0%{?rhel}
@ -121,7 +101,7 @@ Requires: sed
Requires: xz
Requires: gzip
%if 0%{?fedora} > 22
%if 0%{?fedora} > 22 || 0%{?rhel} > 7
Recommends: grubby
Recommends: hardlink
Recommends: pigz
@ -323,6 +303,8 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
> $RPM_BUILD_ROOT/etc/system-fips
%endif
%clean
rm -rf -- $RPM_BUILD_ROOT
%files
%defattr(-,root,root,0755)
@ -389,6 +371,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/modules.d/50drm
%{dracutlibdir}/modules.d/50plymouth
%{dracutlibdir}/modules.d/80cms
%{dracutlibdir}/modules.d/80lvmmerge
%{dracutlibdir}/modules.d/90btrfs
%{dracutlibdir}/modules.d/90crypt
%{dracutlibdir}/modules.d/90dm
@ -397,6 +380,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/modules.d/90lvm
%{dracutlibdir}/modules.d/90mdraid
%{dracutlibdir}/modules.d/90multipath
%{dracutlibdir}/modules.d/90multipath-hostonly
%{dracutlibdir}/modules.d/90qemu
%{dracutlibdir}/modules.d/91crypt-gpg
%{dracutlibdir}/modules.d/91crypt-loop
@ -489,6 +473,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%defattr(-,root,root,0755)
%{dracutlibdir}/modules.d/99img-lib
%{dracutlibdir}/modules.d/90dmsquash-live
%{dracutlibdir}/modules.d/90dmsquash-live-ntfs
%{dracutlibdir}/modules.d/90livenet
%files tools
@ -516,6 +501,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%endif
%changelog
* Fri Aug 11 2017 Harald Hoyer <harald@redhat.com> - 046-1
- version 046
* Mon Aug 7 2017 Peter Robinson <pbrobinson@fedoraproject.org> 045-21.git20170515
- Add upstream patches to fix a number of ARM devices with generic initrd
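Review bot: `Source0` in the second hunk of the spec still points at a plain `http://` URL, so for the new 046 tarball the only integrity check visible in this commit is the SHA512 recorded in `sources`, which is only as trustworthy as the download it was computed from. I would change the line to `Source0: https://www.kernel.org/pub/linux/utils/boot/dracut/dracut-%{version}.tar.xz` and, if upstream publishes a detached signature for the release, verify it in `%prep` before unpacking. The same hunk drops `Patch1` through `Patch19`; the 046 tree is not shown on this page, so it is worth confirming that each of them is contained in the new tarball, in particular 0015 (IMA keys directory variable) and 0016 (CA trust store for curl in the initramfs). The `BuildRequires: bash git` line appears to be the new side replacing `git-core`; if so, `git-core` is the smaller build dependency and would be the better choice.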


@ -1 +1 @@
SHA512 (dracut-045.tar.xz) = 2cc64dd2a86ad8707f2c12ba4d0069f7987e8c3a028a59ec6fcf43ae5416d4272e57d395648ebbb557af625f40b17d3ab2a211debbb5a0b7e183c0ff4e6cdb29
SHA512 (dracut-046.tar.xz) = 75cefc184960024ef32f7bb5a0fe060e9c7d82dbfd0fe247d54b585e2ebbf0f8af5d5dc1be7e5e8cf2c3bc27b3293842c6361ae62d047289d0c59d7d40b09122