diff --git a/opencryptoki-3.24.0-sysusers-config.patch b/opencryptoki-3.24.0-sysusers-config.patch
new file mode 100644
index 0000000..63b7317
--- /dev/null
+++ b/opencryptoki-3.24.0-sysusers-config.patch
@@ -0,0 +1,7 @@
+diff -Nur opencryptoki-3.24.0.me/opencryptoki.sysusers.conf opencryptoki-3.24.0/opencryptoki.sysusers.conf
+--- opencryptoki-3.24.0.me/opencryptoki.sysusers.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki.sysusers.conf 2025-03-12 15:56:16.270318728 +0100
+@@ -0,0 +1,3 @@
++u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
++g pkcs11 - -
++m pkcsslotd pkcs11
diff --git a/opencryptoki-3.24.0-tmpfiles-image-mode.patch b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
new file mode 100644
index 0000000..3f39f14
--- /dev/null
+++ b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
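Review bot: The `u pkcsslotd -` line gives pkcsslotd a private primary group of the same name, whereas the `useradd -r -g pkcs11` it replaces in the spec made pkcs11 the primary group; the `m` line only adds pkcs11 as a supplementary group. Anything pkcsslotd creates with default ownership (for example under /run/opencryptoki, which the tmpfiles template keeps at 710 pkcsslotd:pkcs11) would then be group pkcsslotd rather than pkcs11 unless the daemon sets the group explicitly — worth confirming against pkcsslotd before relying on the membership alone. If the target systemd's sysusers.d(5) accepts a group name in the uid:gid field, declaring the group first and using it as primary preserves the old semantics: `g pkcs11 - -` followed by `u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin`, after which the `m` line is redundant. A one-line comment at the top naming the spec's old `%pre libs` behaviour this file replaces would also help the next maintainer.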
@@ -0,0 +1,47 @@
+diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in
+--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-04 16:59:16.072468667 +0100
++++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-04 17:02:06.151451176 +0100
+@@ -1,5 +1,8 @@
+ # path mode uid gid age
+ D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
+ d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
++d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
++z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 -
++z /etc/opencryptoki/strength.conf 0640 root pkcs11 -
+ d @logdir@ 0770 root @pkcs_group@ -
+ D @lockdir@ 0770 root @pkcs_group@ -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/ccatok 770 root pkcs11 -
++d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
++d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/lite 770 root pkcs11 -
++d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100
+@@ -0,0 +1 @@
++d /var/lib/opencryptoki/icsf 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100
+@@ -0,0 +1,3 @@
++# path mode uid gid age
++d /var/lib/opencryptoki/swtok 770 root pkcs11 -
++d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100
+@@ -0,0 +1 @@
++d /var/lib/opencryptoki/tpm 770 root pkcs11 -
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 5a4bbc3..ee70ba5 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
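Review bot: The two `z` lines added to misc/tmpfiles.conf.in hard-code the group `pkcs11` and the path `/etc/opencryptoki`, while every neighbouring line in the same template uses `@pkcs_group@` for the group and `@localstatedir@`/`@logdir@`/`@lockdir@` for paths; if the group is configurable at build time, a build using a different name would have systemd-tmpfiles re-chgrp the two config files to a group the token libraries do not use, or to one that does not exist, on every boot. Use `z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root @pkcs_group@ -` and `z /etc/opencryptoki/strength.conf 0640 root @pkcs_group@ -` (and `@sysconfdir@/opencryptoki/...` if the template substitutes that too). The new `d ... HSM_MK_CHANGE 770` line is also the only one in this template without the leading zero; `0770` matches its neighbours. The per-token `opencryptoki-*tok.conf` files further down are shipped unsubstituted by the spec, so the literal `pkcs11` and `/var/lib` there are expected.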
@@ -1,16 +1,25 @@
+%global use_sysusers 1
+
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.24.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+
 # fix install problem in buildroot
 Patch1: opencryptoki-3.24.0-p11sak.patch
+# tmpfiles.d config files for image mode
+Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
+
+# sysuser config file for image mode
+Patch3: opencryptoki-3.24.0-sysusers-config.patch
+
 # upstream patches
-Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
-Patch3: opencryptoki-3.24.0-resource-leaks.patch
+Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
+Patch101: opencryptoki-3.24.0-resource-leaks.patch
 Requires(pre): coreutils
 Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@@ -203,6 +212,28 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %install
 %make_install CHGRP=/bin/true
+%if %{use_sysusers}
+# Install sysusers.d config file
+install -p -D -m 0644 %{name}.sysusers.conf %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
+
+# Install tmpfiles.d config files
+%ifarch s390 s390x
+install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/
+%endif
+
+%ifarch s390 s390x x86_64 ppc64le
+install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/
+%endif
+
+%if 0%{?tmptok}
+install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
+%endif
+
+install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
+%endif
+
 %pre
 # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
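Review bot: The six tmpfiles `install` lines in the `%install` hunk combine `-D` with a destination that is a directory path ending in a slash; GNU install's `-D` historically treats the last operand as the target file name, and only newer coreutils honour the trailing slash as "into this directory", so the result depends on the builder's coreutils. The target-directory form is unambiguous on every version and also creates the directory: `install -p -D -m 0644 -t %{buildroot}%{_tmpfilesdir} %{name}-icatok.conf` (same shape for the other five). The arch and `%{?tmptok}` conditions here mirror the `%files` sections, which is good; a short comment such as `# must stay in sync with the %ifarch guards of the per-token %files sections` would keep them from drifting apart.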
@@ -214,8 +245,10 @@ if test $1 -gt 1 && test -f %{cfile} ; then
 fi
 %pre libs
+%if ! %{use_sysusers}
 getent group pkcs11 >/dev/null || groupadd -r pkcs11
 getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
+%endif
 exit 0
 %post
@@ -292,6 +325,9 @@ fi
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
+%if %{use_sysusers}
+%{_sysusersdir}/%{name}.sysusers.conf
+%endif
 %files devel
 %{_includedir}/%{name}/
@@ -302,6 +338,9 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-swtok.conf
+%endif
 %if 0%{?tmptok}
 %files tpmtok
@@ -309,6 +348,9 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
 %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-tpmtok.conf
+%endif
 %endif
 %files icsftok
@@ -318,6 +360,9 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
 %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-icsftok.conf
+%endif
 %ifarch s390 s390x
 %files icatok
@@ -325,6 +370,9 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-icatok.conf
+%endif
 %endif
 %ifarch s390 s390x x86_64 ppc64le
@@ -337,6 +385,9 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-ccatok.conf
+%endif
 %endif
 %ifarch s390 s390x
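Review bot: With `use_sysusers` set to 1 the `%pre libs` hunk compiles out the only place that creates the pkcs11 group and pkcsslotd user, and nothing visible in this diff replaces that at package install time; the `%dir %attr(770,root,pkcs11)` entries in the following `%files` hunks need the group to resolve when the payload is laid down, or they fall back to root ownership with a warning. rpm 4.19 and later create accounts from a packaged sysusers.d file on their own, so this is presumably fine for the image-mode target, but if any older rpm is still a target the guard should go: the two `getent ... ||` lines are idempotent and harmless next to sysusers, so keeping them unconditional (drop `%if ! %{use_sysusers}` and its `%endif`) costs nothing. Either way, a comment above `%pre libs` such as `# on rpm >= 4.19 the accounts come from %{_sysusersdir}/%{name}.sysusers.conf` would record the assumption. Note also that the scriptlet's `useradd -g pkcs11` sets pkcs11 as the primary group while the new sysusers file does not, so the two paths yield slightly different accounts; see the sysusers patch for the fix.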
@@ -352,10 +403,16 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
+%if %{use_sysusers}
+%{_tmpfilesdir}/%{name}-ep11tok.conf
+%endif
 %endif
 %changelog
+* Wed Mar 19 2025 Than Ngo - 3.24.0-4
+- Resolves: RHEL-77147, opencryptoki doesn't work in image mode
+
 * Tue Nov 26 2024 Than Ngo - 3.24.0-3
 - Disable ccatok on aarch64
 Related: RHEL-50064