From ffffb5b27fa172fc9e5108be8a5129f45e404f90 Mon Sep 17 00:00:00 2001
From: Pavel Valena
Date: Wed, 16 Aug 2023 20:45:21 +0200
Subject: [PATCH] dracut-057-43.git20230816
Resolves: #2158155,#2176560
---
 0038.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 0039.patch | 24 ++++++++++++++++++++++++
 0040.patch | 24 ++++++++++++++++++++++++
 0041.patch | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 0042.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 dracut.spec | 23 +++++++++++++----------
 6 files changed, 197 insertions(+), 10 deletions(-)
 create mode 100644 0038.patch
 create mode 100644 0039.patch
 create mode 100644 0040.patch
 create mode 100644 0041.patch
 create mode 100644 0042.patch
diff --git a/0038.patch b/0038.patch
new file mode 100644
index 0000000..8ae1078
--- /dev/null
+++ b/0038.patch
@@ -0,0 +1,41 @@
+From abc03e87ef3dff517c1da05643e8a5ec92b1bf14 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 14 Aug 2023 10:24:14 +0200
+Subject: [PATCH] feat(spec): include modules for IMA
+
+Resolves: #2158155
+---
+ pkgbuild/dracut.spec | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/pkgbuild/dracut.spec b/pkgbuild/dracut.spec
+index e148bbf7..b2d75951 100644
+--- a/pkgbuild/dracut.spec
++++ b/pkgbuild/dracut.spec
+@@ -214,13 +214,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
+ # we do not support mksh in the initramfs
+ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
+ 
+-%if %{defined _unitdir}
+-# with systemd IMA and selinux modules do not make sense
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
+-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
+-%endif
+-
+ %ifnarch s390 s390x
+ # remove architecture specific modules
+ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
+@@ -394,11 +387,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
+ %{dracutlibdir}/modules.d/95zfcp
+ %{dracutlibdir}/modules.d/95zfcp_rules
+ %endif
+-%if %{undefined _unitdir}
+ %{dracutlibdir}/modules.d/96securityfs
+ %{dracutlibdir}/modules.d/97masterkey
+ %{dracutlibdir}/modules.d/98integrity
+-%endif
+ %{dracutlibdir}/modules.d/97biosdevname
+ %{dracutlibdir}/modules.d/98dracut-systemd
+ %{dracutlibdir}/modules.d/98ecryptfs
+
diff --git a/0039.patch b/0039.patch
new file mode 100644
index 0000000..0a16533
--- /dev/null
+++ b/0039.patch
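Review bot: Dropping the `%if %{defined _unitdir}` blocks also drops the only explanation the spec had for these three modules (`# with systemd IMA and selinux modules do not make sense`), and nothing in the new `%files` section says why 96securityfs, 97masterkey and 98integrity are now shipped on systemd builds. A one-line comment above the three `%files` entries would carry the rationale, e.g. `# IMA/EVM support: shipped regardless of systemd, see #2158155`. The same two hunks are applied again to the outer dracut.spec (`@@ -252,13 +257,6 @@` and `@@ -432,11 +430,9 @@`) and would want the same comment.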
@@ -0,0 +1,24 @@
+From aaffb39dc86b674501cb447c7fef5dd40aad85fb Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 14 Aug 2023 11:25:19 +0200
+Subject: [PATCH] fix(dracut): there can be \ at the end on line in awk script
+
+Related: #2158155
+---
+ dracut.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 1ff51bb1..30dfb229 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -2592,7 +2592,7 @@ if [[ $uefi == yes ]]; then
+ printf "%s " "$(< "$conf")" >> "$uefi_outdir/cmdline.txt"
+ done
+ fi
+-
++ # shellcheck disable=SC1004
+ offs=$(objdump -h "$uefi_stub" 2> /dev/null | gawk 'NF==7 {size=strtonum("0x"$3);\
+ offset=strtonum("0x"$4)} END {print size + offset}')
+ if [[ $offs -eq 0 ]]; then
+
diff --git a/0040.patch b/0040.patch
new file mode 100644
index 0000000..6db26f4
--- /dev/null
+++ b/0040.patch
@@ -0,0 +1,24 @@
+From 9c1c19de50de5dba6d0875425539cb9259dd7451 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 14 Aug 2023 12:37:33 +0200
+Subject: [PATCH] fix(rngd): spacing
+
+Related: #2158155
+---
+ modules.d/06rngd/module-setup.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/06rngd/module-setup.sh b/modules.d/06rngd/module-setup.sh
+index 66923a38..1e5f0eb9 100644
+--- a/modules.d/06rngd/module-setup.sh
++++ b/modules.d/06rngd/module-setup.sh
+@@ -35,7 +35,7 @@ install() {
+ inst_simple "${systemdsystemunitdir}/rngd.service"
+ 
+ if [ -r /etc/sysconfig/rngd ]; then
+- inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
++ inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
+ fi
+ 
+ # make sure dependant libs are installed too
+
diff --git a/0041.patch b/0041.patch
new file mode 100644
index 0000000..4f4df86
--- /dev/null
+++ b/0041.patch
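Review bot: The added `# shellcheck disable=SC1004` above `offs=$(objdump ...)` silences the warning without recording why the backslash before the newline inside the single-quoted gawk program is intended, so the next reader has to work out that gawk, not the shell, consumes that `\` as a continuation of its own script. Put the reason on the line above the directive, e.g. `# the trailing \ is a gawk line continuation inside the quoted program; the shell leaves it alone`. As far as I can tell gawk also accepts a plain newline after the `;` inside the action, so removing the backslash would make the directive unnecessary — worth checking before choosing. The enclosing `if [[ $uefi == yes ]]` block begins before this hunk and ends after it.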
@@ -0,0 +1,49 @@
+From 9d2a3df5453001612b225c7423451f6e02e06c19 Mon Sep 17 00:00:00 2001
+From: Alberto Planas
+Date: Mon, 20 Jun 2022 17:13:19 +0200
+Subject: [PATCH] fix(integrity): do not enable EVM if there is no key
+
+Track when a key is successfully loaded, and return 1 if no key has been
+loaded. This will not enable EVM if there are no keys available in the
+system.
+
+Fix #1847
+
+Signed-off-by: Alberto Planas
+
+(Cherry-picked commit: 90585c624af15ba0abb7f32b0c2afc2b122dd019)
+
+Related: #2158155
+---
+ modules.d/98integrity/evm-enable.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
+index 0abdfb80..913b5f12 100755
+--- a/modules.d/98integrity/evm-enable.sh
++++ b/modules.d/98integrity/evm-enable.sh
+@@ -99,6 +99,7 @@ load_evm_x509() {
+ fi
+ # load the default EVM public key onto the EVM keyring along
+ # with all the other ones in $EVMKEYSDIR
++ local key_imported=1
+ for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
+ if [ ! -f "${PUBKEY}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+@@ -110,13 +111,14 @@ load_evm_x509() {
+ info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
+ return 1
+ fi
++ key_imported=0
+ done
+ 
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ keyctl show @u
+ fi
+ 
+- return 0
++ return ${key_imported}
+ }
+ 
+ unload_evm_key() {
+
diff --git a/0042.patch b/0042.patch
new file mode 100644
index 0000000..0b5c25f
--- /dev/null
+++ b/0042.patch
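Review bot: When the loop finishes without importing a single certificate the function now returns 1 silently: the only `info` message is on the import-failure path, and `keyctl show @u` runs only under `RD_DEBUG`, so on a system where `${EVMX509PATH}` and `${NEWROOT}${EVMKEYSDIR}` hold no key EVM stays disabled with nothing in the log to say so. A line before `return ${key_imported}` makes that security-relevant outcome visible, e.g. `[ "${key_imported}" -eq 0 ] || info "integrity: no EVM X509 cert could be loaded, EVM will not be enabled"`. `key_imported` also reads like a boolean but holds a shell status (1 until a cert is loaded, 0 afterwards); a comment at `local key_imported=1` such as `# exit status of this function: 1 until at least one cert is on the keyring` avoids the inversion trap. load_evm_x509() begins before this hunk.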
@@ -0,0 +1,46 @@
+From ecc17a2cd574b31ce6f95f5a7d8ee6c62ecbb51b Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Wed, 16 Aug 2023 14:02:51 +0200
+Subject: [PATCH] fix(fips): include openssl's fips.so and openssl.cnf
+
+Resolves: #2176560
+---
+ modules.d/01fips/module-setup.sh | 13 +++++++++++++
+ modules.d/01fips/openssl.cnf | 7 +++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index cc9d15ce..7ff5e640 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -82,4 +82,17 @@ install() {
+ dfatal "To create an initramfs with fips support, dracut has to run as root"
+ return 1
+ }
++
++ # if we have openssl we need to install their fips library and configuration
++ [ -x /usr/bin/openssl ] && {
++ read -r _ conf < <(openssl version -d)
++ conf=${conf#\"}
++ conf=${conf%\"}
++ inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf"
++
++ read -r _ mod < <(openssl version -m)
++ mod=${mod#\"}
++ mod=${mod%\"}
++ inst_simple "$mod/fips.so"
++ }
+ }
+diff --git a/modules.d/01fips/openssl.cnf b/modules.d/01fips/openssl.cnf
+new file mode 100644
+index 00000000..ee9adcf0
+--- /dev/null
++++ b/modules.d/01fips/openssl.cnf
+@@ -0,0 +1,7 @@
++openssl_conf = openssl_init
++[openssl_init]
++providers = provider_sect
++[provider_sect]
++default = default_sect
++[default_sect]
++activate = 1
diff --git a/dracut.spec b/dracut.spec
index 20a067a..74cdfd1 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -5,7 +5,7 @@
 # strip the automatically generated dep here and instead co-own the
 # directory.
 %global __requires_exclude pkg-config
-%define dist_free_release 38.git20230725
+%define dist_free_release 43.git20230816
 Name: dracut
 Version: 057
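Review bot: The `[ -x /usr/bin/openssl ] && { ... }` list appended to install() is now the function's last statement, so its status becomes install()'s return value: 1 when openssl is not installed, and whatever the final `inst_simple "$mod/fips.so"` returns when the provider module is absent. The `return 1` a few lines above suggests the caller does look at that status, so a host without openssl would presumably be reported like the not-root failure rather than as a skipped optional step — worth confirming against how module_install consumes it. An `if` block with an explicit existence check on `$mod/fips.so` keeps the optional part optional and logs a missing provider instead of silently producing an initramfs without it. Separately, the new openssl.cnf activates only the `default` provider section, so whether `fips.so` is actually loaded inside the initramfs depends on the host openssl enabling its FIPS provider on its own in kernel FIPS mode; a comment in that file stating the expectation would help the next reader.
```shell
    # if we have openssl we need to install their fips library and configuration
    if [ -x /usr/bin/openssl ]; then
        # … unchanged: read OPENSSLDIR, strip the quotes, install openssl.cnf …
        read -r _ mod < <(openssl version -m)
        mod=${mod#\"}
        mod=${mod%\"}
        if [ -e "$mod/fips.so" ]; then
            inst_simple "$mod/fips.so"
        else
            dwarn "fips: $mod/fips.so not found, openssl FIPS provider not installed"
        fi
    fi
```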
@@ -66,6 +66,11 @@ Patch34: 0034.patch
 Patch35: 0035.patch
 Patch36: 0036.patch
 Patch37: 0037.patch
+Patch38: 0038.patch
+Patch39: 0039.patch
+Patch40: 0040.patch
+Patch41: 0041.patch
+Patch42: 0042.patch
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@@ -252,13 +257,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
 # we do not support mksh in the initramfs
 rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
-%if %{defined _unitdir}
-# with systemd IMA and selinux modules do not make sense
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
-%endif
-
 %ifnarch s390 s390x
 # remove architecture specific modules
 rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
@@ -432,11 +430,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/95zfcp
 %{dracutlibdir}/modules.d/95zfcp_rules
 %endif
-%if %{undefined _unitdir}
 %{dracutlibdir}/modules.d/96securityfs
 %{dracutlibdir}/modules.d/97masterkey
 %{dracutlibdir}/modules.d/98integrity
-%endif
 %{dracutlibdir}/modules.d/97biosdevname
 %{dracutlibdir}/modules.d/98dracut-systemd
 %{dracutlibdir}/modules.d/98ecryptfs
@@ -524,6 +520,13 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
 %changelog
+* Wed Aug 16 2023 Pavel Valena - 057-43.git20230816
+- feat(spec): include modules for IMA
+- fix(dracut): there can be \ at the end on line in awk script
+- fix(rngd): spacing
+- fix(integrity): do not enable EVM if there is no key
+- fix(fips): include openssl's fips.so and openssl.cnf
+
 * Tue Jul 25 2023 Pavel Valena - 057-38.git20230725
 - fix(dracut.sh): use dynamically uefi's sections offset
 - fix(dracut.sh): handle imagebase for uefi