460d2c99f9
git snapshot
41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From 5a4c3469338410b6aea9452994b4b0af1ba59be7 Mon Sep 17 00:00:00 2001
|
|
From: Kairui Song <kasong@redhat.com>
|
|
Date: Wed, 10 Jun 2020 15:57:20 +0800
|
|
Subject: [PATCH] dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL
|
|
|
|
On Fedora/RHEL, libcryto will verify both itself and libssl on start, if
|
|
libssl is missing, FIPS self test will fail. However libssl is not a
|
|
dependency of libcryto so dracut will not install it, unless some other
|
|
binary or library pulls it in. Systemd requires libssl, so in most cases
|
|
it just worked, but could fail in some corner cases where systemd is not
|
|
used.
|
|
|
|
Signed-off-by: Kairui Song <kasong@redhat.com>
|
|
---
|
|
dracut.sh | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/dracut.sh b/dracut.sh
|
|
index 9ee722c9..e3195499 100755
|
|
--- a/dracut.sh
|
|
+++ b/dracut.sh
|
|
@@ -1941,6 +1941,17 @@ if [[ $kernel_only != yes ]]; then
|
|
break 2
|
|
done
|
|
done
|
|
+
|
|
+ # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled
|
|
+ if [[ $DRACUT_FIPS_MODE ]]; then
|
|
+ for _dir in $libdirs; do
|
|
+ for _f in "$dracutsysrootdir$_dir/libcrypto.so"*; do
|
|
+ [[ -e "$_f" ]] || continue
|
|
+ inst_libdir_file -o "libssl.so*"
|
|
+ break 2
|
|
+ done
|
|
+ done
|
|
+ fi
|
|
fi
|
|
|
|
if [[ $do_strip = yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then
|
|
|