dracut-057-43.git20230816
Resolves: #2158155,#2176560
parent
a5ba84ec9e
commit
ffffb5b27f
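--- /dev/null
+++ b/0038.patch
@@ -0,0 +1,41 @@
+From abc03e87ef3dff517c1da05643e8a5ec92b1bf14 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 14 Aug 2023 10:24:14 +0200
+Subject: [PATCH] feat(spec): include modules for IMA
+
+Resolves: #2158155
+---
+pkgbuild/dracut.spec | 9 ---------
+1 file changed, 9 deletions(-)
+
+diff --git a/pkgbuild/dracut.spec b/pkgbuild/dracut.spec
+index e148bbf7..b2d75951 100644
+--- a/pkgbuild/dracut.spec
++++ b/pkgbuild/dracut.spec
+@@ -214,13 +214,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
+# we do not support mksh in the initramfs
+rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
+
+-%if %{defined _unitdir}
+-# with systemd IMA and selinux modules do not make sense
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
+-%endif
+-
+%ifnarch s390 s390x
+# remove architecture specific modules
+rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
+@@ -394,11 +387,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
+%{dracutlibdir}/modules.d/95zfcp
+%{dracutlibdir}/modules.d/95zfcp_rules
+%endif
+-%if %{undefined _unitdir}
+%{dracutlibdir}/modules.d/96securityfs
+%{dracutlibdir}/modules.d/97masterkey
+%{dracutlibdir}/modules.d/98integrity
+-%endif
+%{dracutlibdir}/modules.d/97biosdevname
+%{dracutlibdir}/modules.d/98dracut-systemd
+%{dracutlibdir}/modules.d/98ecryptfs
+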
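Review bot: The removed comment `# with systemd IMA and selinux modules do not make sense` recorded why 96securityfs, 97masterkey and 98integrity were dropped on systemd builds, and neither the patch description nor the spec now says why that reasoning no longer applies. A short comment above the three now-unconditional `%{dracutlibdir}/modules.d/` entries in `%files`, stating that the IMA/EVM modules are shipped on systemd builds and naming the reason, would keep that decision reviewable. It may also be worth confirming that loading IMA policy from the initramfs does not overlap with any policy loading done by systemd itself; nothing on this page shows either way. The same removal is applied to the package's own dracut.spec further down.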
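--- /dev/null
+++ b/0039.patch
@@ -0,0 +1,24 @@
+From aaffb39dc86b674501cb447c7fef5dd40aad85fb Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 14 Aug 2023 11:25:19 +0200
+Subject: [PATCH] fix(dracut): there can be \ at the end on line in awk script
+
+Related: #2158155
+---
+dracut.sh | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 1ff51bb1..30dfb229 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -2592,7 +2592,7 @@ if [[ $uefi == yes ]]; then
+printf "%s " "$(< "$conf")" >> "$uefi_outdir/cmdline.txt"
+done
+fi
+-
++ # shellcheck disable=SC1004
+offs=$(objdump -h "$uefi_stub" 2> /dev/null | gawk 'NF==7 {size=strtonum("0x"$3);\
+offset=strtonum("0x"$4)} END {print size + offset}')
+if [[ $offs -eq 0 ]]; then
+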
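--- /dev/null
+++ b/0040.patch
@@ -0,0 +1,24 @@
+From 9c1c19de50de5dba6d0875425539cb9259dd7451 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 14 Aug 2023 12:37:33 +0200
+Subject: [PATCH] fix(rngd): spacing
+
+Related: #2158155
+---
+modules.d/06rngd/module-setup.sh | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/06rngd/module-setup.sh b/modules.d/06rngd/module-setup.sh
+index 66923a38..1e5f0eb9 100644
+--- a/modules.d/06rngd/module-setup.sh
++++ b/modules.d/06rngd/module-setup.sh
+@@ -35,7 +35,7 @@ install() {
+inst_simple "${systemdsystemunitdir}/rngd.service"
+
+if [ -r /etc/sysconfig/rngd ]; then
+- inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
++ inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
+fi
+
+# make sure dependant libs are installed too
+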
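--- /dev/null
+++ b/0041.patch
@@ -0,0 +1,49 @@
+From 9d2a3df5453001612b225c7423451f6e02e06c19 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Mon, 20 Jun 2022 17:13:19 +0200
+Subject: [PATCH] fix(integrity): do not enable EVM if there is no key
+
+Track when a key is successfully loaded, and return 1 if no key has been
+loaded. This will not enable EVM if there are no keys available in the
+system.
+
+Fix #1847
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+
+(Cherry-picked commit: 90585c624af15ba0abb7f32b0c2afc2b122dd019)
+
+Related: #2158155
+---
+modules.d/98integrity/evm-enable.sh | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
+index 0abdfb80..913b5f12 100755
+--- a/modules.d/98integrity/evm-enable.sh
++++ b/modules.d/98integrity/evm-enable.sh
+@@ -99,6 +99,7 @@ load_evm_x509() {
+fi
+# load the default EVM public key onto the EVM keyring along
+# with all the other ones in $EVMKEYSDIR
++ local key_imported=1
+for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
+if [ ! -f "${PUBKEY}" ]; then
+if [ "${RD_DEBUG}" = "yes" ]; then
+@@ -110,13 +111,14 @@ load_evm_x509() {
+info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
+return 1
+fi
++ key_imported=0
+done
+
+if [ "${RD_DEBUG}" = "yes" ]; then
+keyctl show @u
+fi
+
+- return 0
++ return ${key_imported}
+}
+
+unload_evm_key() {
+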
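Review bot: When no key file is found, load_evm_x509 now returns 1 through `return ${key_imported}` without logging anything outside the RD_DEBUG branch, so a boot that skips EVM leaves no message from this function explaining why. A line before the return such as `[ "${key_imported}" -eq 0 ] || info "integrity: no EVM X509 cert was loaded"` would make that case visible. The variable also holds an exit status rather than a flag, so `local key_imported=1` reads as "imported"; a comment on that line like `# exit status: stays 1 until at least one cert is loaded` would prevent misreading. The start of load_evm_x509 and the lines between the two hunks are outside what is shown.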
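--- /dev/null
+++ b/0042.patch
@@ -0,0 +1,46 @@
+From ecc17a2cd574b31ce6f95f5a7d8ee6c62ecbb51b Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Wed, 16 Aug 2023 14:02:51 +0200
+Subject: [PATCH] fix(fips): include openssl's fips.so and openssl.cnf
+
+Resolves: #2176560
+---
+modules.d/01fips/module-setup.sh | 13 +++++++++++++
+modules.d/01fips/openssl.cnf | 7 +++++++
+2 files changed, 20 insertions(+)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index cc9d15ce..7ff5e640 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -82,4 +82,17 @@ install() {
+dfatal "To create an initramfs with fips support, dracut has to run as root"
+return 1
+}
++
++ # if we have openssl we need to install their fips library and configuration
++ [ -x /usr/bin/openssl ] && {
++ read -r _ conf < <(openssl version -d)
++ conf=${conf#\"}
++ conf=${conf%\"}
++ inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf"
++
++ read -r _ mod < <(openssl version -m)
++ mod=${mod#\"}
++ mod=${mod%\"}
++ inst_simple "$mod/fips.so"
++ }
+}
+diff --git a/modules.d/01fips/openssl.cnf b/modules.d/01fips/openssl.cnf
+new file mode 100644
+index 00000000..ee9adcf0
+--- /dev/null
++++ b/modules.d/01fips/openssl.cnf
+@@ -0,0 +1,7 @@
++openssl_conf = openssl_init
++[openssl_init]
++providers = provider_sect
++[provider_sect]
++default = default_sect
++[default_sect]
++activate = 1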
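Review bot: The new block `[ -x /usr/bin/openssl ] && { … }` is the last statement of install(), so on a host without /usr/bin/openssl the function ends with a non-zero status; if the caller checks install()'s return value, the fips module would be reported as failed for a reason unrelated to FIPS. The block also tests /usr/bin/openssl but runs `openssl` from PATH, leaves `conf` and `mod` global, and never checks that either is non-empty, so a failed `openssl version` call would place the config at `/openssl.cnf` and look for `/fips.so`. An `if` block that calls the tested binary and stops on an empty path addresses all of this; whether that case should be fatal is for the maintainers to decide. install() begins outside the hunk.

```shell
    # if we have openssl we need to install their fips library and configuration
    if [ -x /usr/bin/openssl ]; then
        local conf mod
        read -r _ conf < <(/usr/bin/openssl version -d)
        # … unchanged: strip the surrounding quotes from conf …
        read -r _ mod < <(/usr/bin/openssl version -m)
        # … unchanged: strip the surrounding quotes from mod …
        if [ -z "$conf" ] || [ -z "$mod" ]; then
            dfatal "Cannot determine openssl's configuration or modules directory"
            return 1
        fi
        inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf"
        inst_simple "$mod/fips.so"
    fi
```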
23
dracut.spec
23
dracut.spec
@ -5,7 +5,7 @@
|
||||
# strip the automatically generated dep here and instead co-own the
|
||||
# directory.
|
||||
%global __requires_exclude pkg-config
|
||||
%define dist_free_release 38.git20230725
|
||||
%define dist_free_release 43.git20230816
|
||||
|
||||
Name: dracut
|
||||
Version: 057
|
||||
@ -66,6 +66,11 @@ Patch34: 0034.patch
|
||||
Patch35: 0035.patch
|
||||
Patch36: 0036.patch
|
||||
Patch37: 0037.patch
|
||||
Patch38: 0038.patch
|
||||
Patch39: 0039.patch
|
||||
Patch40: 0040.patch
|
||||
Patch41: 0041.patch
|
||||
Patch42: 0042.patch
|
||||
|
||||
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
||||
|
||||
@ -252,13 +257,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
|
||||
# we do not support mksh in the initramfs
|
||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
|
||||
|
||||
%if %{defined _unitdir}
|
||||
# with systemd IMA and selinux modules do not make sense
|
||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
|
||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
|
||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
|
||||
%endif
|
||||
|
||||
%ifnarch s390 s390x
|
||||
# remove architecture specific modules
|
||||
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
|
||||
@ -432,11 +430,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
||||
%{dracutlibdir}/modules.d/95zfcp
|
||||
%{dracutlibdir}/modules.d/95zfcp_rules
|
||||
%endif
|
||||
%if %{undefined _unitdir}
|
||||
%{dracutlibdir}/modules.d/96securityfs
|
||||
%{dracutlibdir}/modules.d/97masterkey
|
||||
%{dracutlibdir}/modules.d/98integrity
|
||||
%endif
|
||||
%{dracutlibdir}/modules.d/97biosdevname
|
||||
%{dracutlibdir}/modules.d/98dracut-systemd
|
||||
%{dracutlibdir}/modules.d/98ecryptfs
|
||||
@ -524,6 +520,13 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
||||
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
|
||||
|
||||
%changelog
|
||||
* Wed Aug 16 2023 Pavel Valena <pvalena@redhat.com> - 057-43.git20230816
|
||||
- feat(spec): include modules for IMA
|
||||
- fix(dracut): there can be \ at the end on line in awk script
|
||||
- fix(rngd): spacing
|
||||
- fix(integrity): do not enable EVM if there is no key
|
||||
- fix(fips): include openssl's fips.so and openssl.cnf
|
||||
|
||||
* Tue Jul 25 2023 Pavel Valena <pvalena@redhat.com> - 057-38.git20230725
|
||||
- fix(dracut.sh): use dynamically uefi's sections offset
|
||||
- fix(dracut.sh): handle imagebase for uefi
|
||||
|