Import from AlmaLinux stable repository
This commit is contained in:
parent
c9895fc672
commit
16a16a4545
@ -1,9 +0,0 @@
|
||||
b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
|
||||
dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
|
||||
a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
|
||||
b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
|
||||
3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
|
||||
89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
|
||||
59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz
|
||||
1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz
|
||||
a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,6 +4,7 @@ SOURCES/DBXUpdate-20160809-x64.cab
|
||||
SOURCES/DBXUpdate-20200729-aa64.cab
|
||||
SOURCES/DBXUpdate-20200729-ia32.cab
|
||||
SOURCES/DBXUpdate-20200729-x64.cab
|
||||
SOURCES/almalinuxsecurebootca0.cer
|
||||
SOURCES/fwupd-1.7.8.tar.xz
|
||||
SOURCES/fwupd-efi-1.3.tar.xz
|
||||
SOURCES/libjcat-0.1.9.tar.xz
|
||||
|
29
SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
Normal file
29
SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 22 Aug 2023 10:05:27 +0100
|
||||
Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
|
||||
|
||||
---
|
||||
meson.build | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/meson.build b/meson.build
|
||||
index bb406d616..ac90c8ee6 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
|
||||
endif
|
||||
|
||||
bashcomp = dependency('bash-completion', required: false)
|
||||
-if host_machine.system() != 'freebsd'
|
||||
- python3 = find_program('python3')
|
||||
-else
|
||||
- python3 = find_program('python3.8', 'python3', 'python3.9')
|
||||
-endif
|
||||
+python3 = find_program('/usr/libexec/platform-python')
|
||||
|
||||
if get_option('gnutls')
|
||||
gnutls = dependency('gnutls', version : '>= 3.6.0')
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,28 @@
|
||||
From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 20 Sep 2022 08:06:12 +0100
|
||||
Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
|
||||
time
|
||||
|
||||
Although typically we set the password using fu_plugin_set_secure_config_value()
|
||||
or something like Ansible or Puppet -- the user could just edit the file with
|
||||
vim and we still want the permissions set correctly.
|
||||
---
|
||||
plugins/redfish/meson.build | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
|
||||
index 34ba4b7f6..7b19574de 100644
|
||||
--- a/plugins/redfish/meson.build
|
||||
+++ b/plugins/redfish/meson.build
|
||||
@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
|
||||
|
||||
install_data(['redfish.conf'],
|
||||
install_dir: join_paths(sysconfdir, 'fwupd'),
|
||||
+ install_mode: 'rw-r-----',
|
||||
)
|
||||
|
||||
if get_option('tests')
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,47 @@
|
||||
From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 20 Sep 2022 09:13:52 +0100
|
||||
Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
|
||||
going to work
|
||||
|
||||
Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
|
||||
implementations are not specification compliant and do entirely the wrong thing.
|
||||
---
|
||||
plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
|
||||
plugins/redfish/redfish.quirk | 2 +-
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
|
||||
index deb0fe742..3972d4b4b 100644
|
||||
--- a/plugins/redfish/fu-plugin-redfish.c
|
||||
+++ b/plugins/redfish/fu-plugin-redfish.c
|
||||
@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
|
||||
#ifdef HAVE_LINUX_IPMI_H
|
||||
/* we got neither a type 42 entry or config value, lets try IPMI */
|
||||
if (fu_redfish_backend_get_username(data->backend) == NULL) {
|
||||
+ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
|
||||
+ g_set_error_literal(error,
|
||||
+ FWUPD_ERROR,
|
||||
+ FWUPD_ERROR_NOT_SUPPORTED,
|
||||
+ "no username and password specified, "
|
||||
+ "and no vendor quirk for 'ipmi-create-user'");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
|
||||
g_debug("attempting to create user using IPMI");
|
||||
if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
|
||||
diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
|
||||
index b12439926..5e9722fda 100644
|
||||
--- a/plugins/redfish/redfish.quirk
|
||||
+++ b/plugins/redfish/redfish.quirk
|
||||
@@ -1,6 +1,6 @@
|
||||
# Lenovo ThinkSystem
|
||||
[42f00735-c9ab-5374-bd63-a5deee5881e0]
|
||||
-Flags = wildcard-targets,reset-required
|
||||
+Flags = wildcard-targets,reset-required,ipmi-create-user
|
||||
|
||||
[REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
|
||||
ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,141 @@
|
||||
From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Wed, 21 Sep 2022 14:56:10 +0100
|
||||
Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
|
||||
users
|
||||
|
||||
When the redfish plugin automatically creates an OPERATOR user account on the
|
||||
BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
|
||||
is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
|
||||
|
||||
Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
|
||||
the keyfile string data.
|
||||
I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
|
||||
used to copy permissions, but alas not.
|
||||
|
||||
GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
|
||||
which undoes the previous chmod().
|
||||
|
||||
Use g_file_set_contents_full() with the correct mode for newer GLib versions,
|
||||
and provide a fallback with the same semantics for older versions.
|
||||
---
|
||||
contrib/fwupd.spec.in | 3 ++
|
||||
libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------
|
||||
libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
|
||||
3 files changed, 114 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
|
||||
index a50e30a9c..0854fcf4f 100644
|
||||
--- a/contrib/fwupd.spec.in
|
||||
+++ b/contrib/fwupd.spec.in
|
||||
@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
|
||||
fi
|
||||
done
|
||||
|
||||
+# ensure this is private
|
||||
+chmod 0660 /etc/fwupd/redfish.conf
|
||||
+
|
||||
%preun
|
||||
%systemd_preun fwupd.service
|
||||
|
||||
diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
|
||||
index 18042a028..04951de85 100644
|
||||
--- a/libfwupdplugin/fu-plugin.c
|
||||
+++ b/libfwupdplugin/fu-plugin.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "config.h"
|
||||
|
||||
#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <fwupd.h>
|
||||
#include <glib/gstdio.h>
|
||||
#include <gmodule.h>
|
||||
@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
|
||||
return g_key_file_save_to_file(keyfile, conf_path, error);
|
||||
}
|
||||
|
||||
+#if !GLIB_CHECK_VERSION(2, 66, 0)
|
||||
+
|
||||
+#define G_FILE_SET_CONTENTS_CONSISTENT 0
|
||||
+typedef guint GFileSetContentsFlags;
|
||||
+static gboolean
|
||||
+g_file_set_contents_full(const gchar *filename,
|
||||
+ const gchar *contents,
|
||||
+ gssize length,
|
||||
+ GFileSetContentsFlags flags,
|
||||
+ int mode,
|
||||
+ GError **error)
|
||||
+{
|
||||
+ gint fd;
|
||||
+ gssize wrote;
|
||||
+
|
||||
+ if (length < 0)
|
||||
+ length = strlen(contents);
|
||||
+ fd = g_open(filename, O_CREAT, mode);
|
||||
+ if (fd <= 0) {
|
||||
+ g_set_error(error,
|
||||
+ G_IO_ERROR,
|
||||
+ G_IO_ERROR_FAILED,
|
||||
+ "could not open %s file",
|
||||
+ filename);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ wrote = write(fd, contents, length);
|
||||
+ if (wrote != length) {
|
||||
+ g_set_error(error,
|
||||
+ G_IO_ERROR,
|
||||
+ G_IO_ERROR_FAILED,
|
||||
+ "did not write %s file",
|
||||
+ filename);
|
||||
+ g_close(fd, NULL);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ return g_close(fd, error);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
* fu_plugin_set_secure_config_value:
|
||||
* @self: a #FuPlugin
|
||||
@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
|
||||
GError **error)
|
||||
{
|
||||
g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
|
||||
- gint ret;
|
||||
+ g_autofree gchar *data = NULL;
|
||||
+ g_autoptr(GKeyFile) keyfile = g_key_file_new();
|
||||
|
||||
g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
|
||||
g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
|
||||
@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
|
||||
g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
|
||||
return FALSE;
|
||||
}
|
||||
- ret = g_chmod(conf_path, 0660);
|
||||
- if (ret == -1) {
|
||||
- g_set_error(error,
|
||||
- FWUPD_ERROR,
|
||||
- FWUPD_ERROR_INTERNAL,
|
||||
- "failed to set permissions on %s",
|
||||
- conf_path);
|
||||
+ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
|
||||
return FALSE;
|
||||
- }
|
||||
-
|
||||
- return fu_plugin_set_config_value(self, key, value, error);
|
||||
+ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
|
||||
+ data = g_key_file_to_data(keyfile, NULL, error);
|
||||
+ if (data == NULL)
|
||||
+ return FALSE;
|
||||
+ return g_file_set_contents_full(conf_path,
|
||||
+ data,
|
||||
+ -1,
|
||||
+ G_FILE_SET_CONTENTS_CONSISTENT,
|
||||
+ 0660,
|
||||
+ error);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.39.1
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -1,3 +1,7 @@
|
||||
%global efi_vendor almalinux
|
||||
%global efidir almalinux
|
||||
%global efi_esp_dir /boot/efi/EFI/%{efidir}
|
||||
|
||||
%global glib2_version 2.45.8
|
||||
%global libxmlb_version 0.1.3
|
||||
%global libgusb_version 0.2.11
|
||||
@ -40,7 +44,7 @@
|
||||
Summary: Firmware update daemon
|
||||
Name: fwupd
|
||||
Version: 1.7.8
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}.alma
|
||||
License: LGPLv2+
|
||||
URL: https://github.com/fwupd/fwupd
|
||||
Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
|
||||
@ -56,10 +60,12 @@ Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
|
||||
|
||||
# these are numbered high just to keep them wildly away from colliding with
|
||||
# the real package sources, in order to reduce churn.
|
||||
Source300: redhatsecurebootca3.cer
|
||||
Source301: redhatsecureboot301.cer
|
||||
Source500: redhatsecurebootca5.cer
|
||||
Source503: redhatsecureboot503.cer
|
||||
Source300: almalinuxsecurebootca0.cer
|
||||
|
||||
Patch1: 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
|
||||
Patch2: 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
|
||||
Patch3: 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
|
||||
Patch4: 0001-Use-usr-libexec-platform-python-for-RHEL.patch
|
||||
|
||||
BuildRequires: efi-srpm-macros
|
||||
BuildRequires: gettext
|
||||
@ -163,7 +169,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Data files for installed tests.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%autosetup -p1
|
||||
|
||||
mkdir -p subprojects/libjcat
|
||||
tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
|
||||
@ -215,11 +221,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
|
||||
-Dplugin_uefi_capsule=true \
|
||||
-Dplugin_uefi_pk=false \
|
||||
%ifarch x86_64
|
||||
-Dfwupd-efi:efi_sbat_distro_id="rhel" \
|
||||
-Dfwupd-efi:efi_sbat_distro_summary="Red Hat Enterprise Linux" \
|
||||
-Dfwupd-efi:efi_sbat_distro_id="almalinux" \
|
||||
-Dfwupd-efi:efi_sbat_distro_summary="AlmaLinux" \
|
||||
-Dfwupd-efi:efi_sbat_distro_pkgname="%{name}" \
|
||||
-Dfwupd-efi:efi_sbat_distro_version="%{version}" \
|
||||
-Dfwupd-efi:efi_sbat_distro_url="mail:secalert@redhat.com" \
|
||||
-Dfwupd-efi:efi_sbat_distro_url="mail:security@almalinux.org" \
|
||||
-Dfwupd-efi:efi-libdir="/usr/lib64" \
|
||||
%endif
|
||||
-Dplugin_tpm=false \
|
||||
@ -267,9 +273,7 @@ install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
|
||||
%ifarch x86_64
|
||||
%global efiarch x64
|
||||
%global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
|
||||
%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
|
||||
%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
|
||||
rm -fv %{fwup_efi_fn}.tmp
|
||||
%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE300} -c %{SOURCE301} -n clsecureboot001
|
||||
%endif
|
||||
|
||||
mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
|
||||
@ -491,6 +495,9 @@ done
|
||||
%if 0%{?have_uefi}
|
||||
%{_datadir}/fwupd/uefi-capsule-ux.tar.xz
|
||||
%endif
|
||||
%if 0%{?have_modem_manager}
|
||||
%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%{_datadir}/gir-1.0/Fwupd-2.0.gir
|
||||
@ -526,6 +533,12 @@ done
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Sep 27 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.7.8-2.alma
|
||||
- Use AlmaLinux cert
|
||||
|
||||
* Mon Feb 20 2023 Richard Hughes <richard@hughsie.com> 1.7.8-2
|
||||
- Backport the Redfish security fixes which affect IDRAC.
|
||||
- Resolves: rhbz#2170950
|
||||
* Wed Jun 15 2022 Richard Hughes <richard@hughsie.com> 1.7.8-1
|
||||
- New upstream release
|
||||
- Resolves: rhbz#2095668
|
||||
@ -657,7 +670,7 @@ done
|
||||
* Wed Aug 29 2018 Richard Hughes <richard@hughsie.com> 1.1.1-5
|
||||
- Include the certificates for secure boot signing
|
||||
|
||||
* Tue Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
|
||||
* Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
|
||||
- Rebuild to get the EFI executable signed with the Red Hat key
|
||||
|
||||
* Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-3
|
||||
|
Loading…
Reference in New Issue
Block a user