- Resolves: RHEL-80632, tokens are deleted on reboot
- Related: RHEL-77146, opencryptoki doesn't work in image mode
parent
0326a7fd21
commit
4be31fffd4
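--- a/opencryptoki-3.24.0-sysusers-config.patch
+++ b/opencryptoki-3.24.0-sysusers-config.patch
@@ -0,0 +1,7 @@
+diff -Nur opencryptoki-3.24.0.me/opencryptoki.sysusers.conf opencryptoki-3.24.0/opencryptoki.sysusers.conf
+--- opencryptoki-3.24.0.me/opencryptoki.sysusers.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki.sysusers.conf 2025-03-12 15:56:16.270318728 +0100
+@@ -0,0 +1,3 @@
++u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
++g pkcs11 - -
++m pkcsslotd pkcs11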
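Review bot: The `u pkcsslotd -` line gives the account a primary group named `pkcsslotd`, with `pkcs11` only as a supplementary group via the `m` line, whereas the `useradd -r -g pkcs11` fallback in the spec's `%pre libs` makes `pkcs11` the primary group. The two paths therefore produce different accounts, and anything the daemon creates under `/run/opencryptoki` would carry whichever group is primary unless it sets one explicitly, which is not visible here. If `pkcs11` is meant to be primary, sysusers.d's `uid:groupname` ID form expresses that: `u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin`; the `m` line is then redundant.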
@ -5,8 +5,43 @@ diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/t
|
||||
# path mode uid gid age
|
||||
D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
|
||||
d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
|
||||
+D @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
|
||||
+d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
|
||||
+z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 -
|
||||
+z /etc/opencryptoki/strength.conf 0640 root pkcs11 -
|
||||
d @logdir@ 0770 root @pkcs_group@ -
|
||||
D @lockdir@ 0770 root @pkcs_group@ -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+d /var/lib/opencryptoki/ccatok 770 root pkcs11 -
|
||||
+d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+d /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
|
||||
+d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+d /var/lib/opencryptoki/lite 770 root pkcs11 -
|
||||
+d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100
|
||||
@@ -0,0 +1 @@
|
||||
+d /var/lib/opencryptoki/icsf 770 root pkcs11 -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100
|
||||
@@ -0,0 +1,3 @@
|
||||
+# path mode uid gid age
|
||||
+d /var/lib/opencryptoki/swtok 770 root pkcs11 -
|
||||
+d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
|
||||
diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf
|
||||
--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100
|
||||
@@ -0,0 +1 @@
|
||||
+d /var/lib/opencryptoki/tpm 770 root pkcs11 -
|
||||
|
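Review bot: Nothing in the new per-token files records why they use `d`, and the safe and unsafe forms differ only by letter case: `D` also empties the directory whenever systemd-tmpfiles runs with `--remove`, which matches the "tokens are deleted on reboot" symptom in the commit message, while `/run/opencryptoki` and `@lockdir@` keep `D`, presumably on purpose. I would put a guard comment at the top of each per-token file and above the `HSM_MK_CHANGE` line, e.g. `# 'd', not 'D': token data under /var/lib must survive reboot (RHEL-80632)`. Separately, the two `z` lines hard-code `pkcs11` while their neighbours use `@pkcs_group@`; `z /etc/opencryptoki/strength.conf 0640 root @pkcs_group@ -` would keep the template consistent if the group is ever configured differently.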
@ -1,2 +0,0 @@
|
||||
D /var/lib/opencryptoki/ccatok 770 root pkcs11 -
|
||||
D /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
|
@ -1,2 +0,0 @@
|
||||
D /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
|
||||
D /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
|
@ -1,2 +0,0 @@
|
||||
D /var/lib/opencryptoki/lite 770 root pkcs11 -
|
||||
D /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
|
@ -1 +0,0 @@
|
||||
D /var/lib/opencryptoki/icsf 770 root pkcs11 -
|
@ -1,3 +0,0 @@
|
||||
# path mode uid gid age
|
||||
D /var/lib/opencryptoki/swtok 770 root pkcs11 -
|
||||
D /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
|
@ -1,2 +0,0 @@
|
||||
d /run/opencryptoki 0710 pkcsslotd pkcs11 -
|
||||
|
@ -1 +0,0 @@
|
||||
D /var/lib/opencryptoki/tpm 770 root pkcs11 -
|
@ -1,26 +1,23 @@
|
||||
%global use_sysusers 1
|
||||
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
||||
Version: 3.24.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: CPL-1.0
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: opencryptoki.module
|
||||
Source2: opencryptoki.sysusers
|
||||
# split tmpfiles for image mode
|
||||
Source3: opencryptoki-ccatok.conf
|
||||
Source4: opencryptoki-icatok.conf
|
||||
Source5: opencryptoki-swtok.conf
|
||||
Source6: opencryptoki-tpmtok.conf
|
||||
Source7: opencryptoki-ep11tok.conf
|
||||
Source8: opencryptoki-icsftok.conf
|
||||
|
||||
# fix install problem in buildroot
|
||||
Patch1: opencryptoki-3.24.0-p11sak.patch
|
||||
|
||||
# use tmpfiles to change file ownership for image mode
|
||||
# tmpfiles.d config files for image mode
|
||||
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
|
||||
|
||||
# sysuser config file for image mode
|
||||
Patch3: opencryptoki-3.24.0-sysusers-config.patch
|
||||
|
||||
# upstream patches
|
||||
Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
|
||||
Patch101: opencryptoki-3.24.0-resource-leaks.patch
|
||||
@ -39,8 +36,6 @@ BuildRequires: libcap-devel
|
||||
BuildRequires: expect
|
||||
BuildRequires: make
|
||||
BuildRequires: systemd-rpm-macros
|
||||
%{?sysusers_requires_compat}
|
||||
|
||||
%ifarch s390 s390x
|
||||
BuildRequires: libica-devel >= 3.3
|
||||
# for /usr/include/libudev.h
|
||||
@ -218,24 +213,28 @@ configured with Enterprise PKCS#11 (EP11) firmware.
|
||||
%install
|
||||
%make_install CHGRP=/bin/true
|
||||
|
||||
%if %{use_sysusers}
|
||||
# Install sysusers.d config file
|
||||
install -p -D -m 0644 %{name}.sysusers.conf %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
|
||||
|
||||
# Install sysusers.d configuration
|
||||
install -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
|
||||
# Install tmpfiles.d config
|
||||
# Install tmpfiles.d config files
|
||||
%ifarch s390 s390x
|
||||
install -p -D -m 0644 %{SOURCE4} %{SOURCE7} %{buildroot}%{_tmpfilesdir}/
|
||||
install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
%endif
|
||||
|
||||
%ifarch s390 s390x x86_64 ppc64le
|
||||
install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/
|
||||
install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
%endif
|
||||
|
||||
%if 0%{?tmptok}
|
||||
install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/
|
||||
install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
%endif
|
||||
|
||||
install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
|
||||
%endif
|
||||
|
||||
install -p -D -m 0644 %{SOURCE5} %{SOURCE8} %{buildroot}%{_tmpfilesdir}/
|
||||
|
||||
%pre
|
||||
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
|
||||
@ -247,7 +246,10 @@ if test $1 -gt 1 && test -f %{cfile} ; then
|
||||
fi
|
||||
|
||||
%pre libs
|
||||
%sysusers_create_compat %{SOURCE2}
|
||||
%if ! %{use_sysusers}
|
||||
getent group pkcs11 >/dev/null || groupadd -r pkcs11
|
||||
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
|
||||
%endif
|
||||
exit 0
|
||||
|
||||
%post
|
||||
@ -264,7 +266,6 @@ if test $1 -eq 1; then
|
||||
%tmpfiles_create %{name}.conf
|
||||
fi
|
||||
|
||||
|
||||
%preun
|
||||
%systemd_preun pkcsslotd.service
|
||||
|
||||
@ -325,7 +326,9 @@ fi
|
||||
%{_libdir}/pkcs11/PKCS11_API.so
|
||||
%{_libdir}/pkcs11/stdll
|
||||
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
|
||||
%{_sysusersdir}/%{name}.conf
|
||||
%if %{use_sysusers}
|
||||
%{_sysusersdir}/%{name}.sysusers.conf
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%{_includedir}/%{name}/
|
||||
@ -336,7 +339,9 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-swtok.conf
|
||||
%endif
|
||||
|
||||
%if 0%{?tmptok}
|
||||
%files tpmtok
|
||||
@ -344,8 +349,10 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-tpmtok.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%files icsftok
|
||||
%doc doc/README.icsf_stdll
|
||||
@ -354,7 +361,9 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-icsftok.conf
|
||||
%endif
|
||||
|
||||
%ifarch s390 s390x
|
||||
%files icatok
|
||||
@ -362,8 +371,10 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-icatok.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%ifarch s390 s390x x86_64 ppc64le
|
||||
%files ccatok
|
||||
@ -375,8 +386,10 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-ccatok.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%ifarch s390 s390x
|
||||
%files ep11tok
|
||||
@ -391,11 +404,17 @@ fi
|
||||
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
|
||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
|
||||
%if %{use_sysusers}
|
||||
%{_tmpfilesdir}/%{name}-ep11tok.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Mar 18 2025 Than Ngo <than@redhat.com> - 3.24.0-7
|
||||
- Resolves: RHEL-80632, tokens are deleted on reboot
|
||||
- Related: RHEL-77146, opencryptoki doesn't work in image mode
|
||||
|
||||
* Tue Feb 04 2025 Than Ngo <than@redhat.com> - 3.24.0-6
|
||||
- Use tmpfiles to change file ownership for image mode
|
||||
Related: RHEL-77146
|
||||
|
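Review bot: With `%global use_sysusers 1` hard-coded, the new `%pre libs` body is compiled out, and the same commit drops `%sysusers_create_compat` and `%{?sysusers_requires_compat}`, so no scriptlet visible here creates `pkcs11` or `pkcsslotd` before the `%attr(770,root,pkcs11)` directories are unpacked. That works only where rpm itself processes packaged sysusers.d files; on an rpm without that support the group lookup would fail at install time and the token directories would likely not get the intended group. If the dependency is intended, state it next to the macro, e.g. `# needs rpm with built-in sysusers.d handling; set to 0 to use the groupadd/useradd fallback in %pre libs`. Parts of `%install` and the `%files` lists lie outside the visible hunks.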
@ -1,3 +0,0 @@
|
||||
u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
|
||||
g pkcs11 - -
|
||||
m pkcsslotd pkcs11
|