Update for 9.3
- Fix setting kickstart data Resolves: rhbz#2174296 - Do not set memory limit for LUKS2 when running in FIPS mode Resolves: rhbz#2193096
This commit is contained in:
parent
f0063aa69d
commit
eabe006bbe
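--- a/0013-Fix-setting-kickstart-data.patch
+++ b/0013-Fix-setting-kickstart-data.patch
@@ -0,0 +1,68 @@
+From 1af0d3c37a93e431790e641a329a7f34dabf291a Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 2 Mar 2023 12:34:42 +0100
+Subject: [PATCH] Fix setting kickstart data
+
+When changing our code to PEP8 compliant we also changed some
+pykickstart properties like onPart by accident. This PR fixes this.
+
+Resolves: rhbz#2174296
+---
+blivet/devices/btrfs.py | 4 ++--
+blivet/devices/lvm.py | 2 +-
+blivet/devices/partition.py | 6 +++---
+3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/blivet/devices/btrfs.py b/blivet/devices/btrfs.py
+index 1ae6a04d..3f56624e 100644
+--- a/blivet/devices/btrfs.py
++++ b/blivet/devices/btrfs.py
+@@ -498,8 +498,8 @@ class BTRFSVolumeDevice(BTRFSDevice, ContainerDevice, RaidDevice):
+
+def populate_ksdata(self, data):
+super(BTRFSVolumeDevice, self).populate_ksdata(data)
+- data.data_level = self.data_level.name if self.data_level else None
+- data.metadata_level = self.metadata_level.name if self.metadata_level else None
++ data.dataLevel = self.data_level.name if self.data_level else None
++ data.metaDataLevel = self.metadata_level.name if self.metadata_level else None
+data.devices = ["btrfs.%d" % p.id for p in self.parents]
+data.preexist = self.exists
+
+diff --git a/blivet/devices/lvm.py b/blivet/devices/lvm.py
+index 41358e9b..c3132457 100644
+--- a/blivet/devices/lvm.py
++++ b/blivet/devices/lvm.py
+@@ -1161,7 +1161,7 @@ class LVMLogicalVolumeBase(DMDevice, RaidDevice):
+
+if self.req_grow:
+# base size could be literal or percentage
+- data.max_size_mb = self.req_max_size.convert_to(MiB)
++ data.maxSizeMB = self.req_max_size.convert_to(MiB)
+elif data.resize:
+data.size = self.target_size.convert_to(MiB)
+
+diff --git a/blivet/devices/partition.py b/blivet/devices/partition.py
+index 89d907c2..0e9250ce 100644
+--- a/blivet/devices/partition.py
++++ b/blivet/devices/partition.py
+@@ -982,14 +982,14 @@ class PartitionDevice(StorageDevice):
+data.size = self.req_base_size.round_to_nearest(MiB, rounding=ROUND_DOWN).convert_to(spec=MiB)
+data.grow = self.req_grow
+if self.req_grow:
+- data.max_size_mb = self.req_max_size.convert_to(MiB)
++ data.maxSizeMB = self.req_max_size.convert_to(MiB)
+
+# data.disk = self.disk.name # by-id
+if self.req_disks and len(self.req_disks) == 1:
+data.disk = self.disk.name
+- data.prim_only = self.req_primary
++ data.primOnly = self.req_primary
+else:
+- data.on_part = self.name # by-id
++ data.onPart = self.name # by-id
+
+if data.resize:
+# on s390x in particular, fractional sizes are reported, which
+--
+2.40.1
+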
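Review bot: The patch restores the pykickstart attribute names (`dataLevel`, `metaDataLevel`, `maxSizeMB`, `primOnly`, `onPart`) in three `populate_ksdata` paths but adds no test, so the same silent breakage can return with the next style cleanup. Assigning to a misspelled name such as `data.on_part` presumably just creates a new attribute on the data object, which would explain why nothing failed at the time. A unit test that calls `populate_ksdata` with a mock built from the spec of the pykickstart data class and asserts `data.onPart`, `data.primOnly` and `data.maxSizeMB` would catch it, and a short comment above each assignment, e.g. `# pykickstart attribute name, not PEP8 - do not rename`, would warn the next editor. The enclosing methods start and end outside the hunks.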
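--- a/0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
+++ b/0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
@@ -0,0 +1,133 @@
+From c2b06150df0b876c7d442097b6c9ca90c9ca2ecc Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 4 May 2023 11:35:44 +0200
+Subject: [PATCH] Do not set memory limit for LUKS2 when running in FIPS mode
+
+With FIPS enabled LUKS uses pbkdf and not argon so the memory
+limit is not a valid parameter.
+
+Resolves: rhbz#2193096
+---
+blivet/devicelibs/crypto.py | 11 +++++++
+blivet/formats/luks.py | 12 ++++----
+tests/unit_tests/formats_tests/luks_test.py | 30 +++++++++++++++++++
+.../unit_tests/formats_tests/methods_test.py | 3 +-
+4 files changed, 50 insertions(+), 6 deletions(-)
+
+diff --git a/blivet/devicelibs/crypto.py b/blivet/devicelibs/crypto.py
+index f0caf0f7..68e68db1 100644
+--- a/blivet/devicelibs/crypto.py
++++ b/blivet/devicelibs/crypto.py
+@@ -21,6 +21,7 @@
+#
+
+import hashlib
++import os
+
+import gi
+gi.require_version("BlockDev", "2.0")
+@@ -100,3 +101,13 @@ def calculate_integrity_metadata_size(device_size, algorithm=DEFAULT_INTEGRITY_A
+jsize = (jsize / SECTOR_SIZE + 1) * SECTOR_SIZE # round up to sector
+
+return msize + jsize
++
++
++def is_fips_enabled():
++ if not os.path.exists("/proc/sys/crypto/fips_enabled"):
++ # if the file doesn't exist, we are definitely not in FIPS mode
++ return False
++
++ with open("/proc/sys/crypto/fips_enabled", "r") as f:
++ enabled = f.read()
++ return enabled.strip() == "1"
+diff --git a/blivet/formats/luks.py b/blivet/formats/luks.py
+index 2637e0c5..adf3c711 100644
+--- a/blivet/formats/luks.py
++++ b/blivet/formats/luks.py
+@@ -303,11 +303,13 @@ class LUKS(DeviceFormat):
+if luks_data.pbkdf_args:
+self.pbkdf_args = luks_data.pbkdf_args
+else:
+- mem_limit = crypto.calculate_luks2_max_memory()
+- if mem_limit:
+- self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
+- luks_data.pbkdf_args = self.pbkdf_args
+- log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
++ # argon is not used with FIPS so we don't need to adjust the memory when in FIPS mode
++ if not crypto.is_fips_enabled():
++ mem_limit = crypto.calculate_luks2_max_memory()
++ if mem_limit:
++ self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
++ luks_data.pbkdf_args = self.pbkdf_args
++ log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
+
+if self.pbkdf_args:
+pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
+diff --git a/tests/unit_tests/formats_tests/luks_test.py b/tests/unit_tests/formats_tests/luks_test.py
+index ec7b7592..1127e968 100644
+--- a/tests/unit_tests/formats_tests/luks_test.py
++++ b/tests/unit_tests/formats_tests/luks_test.py
+@@ -6,9 +6,14 @@ except ImportError:
+import unittest
+
+from blivet.formats.luks import LUKS
++from blivet.size import Size
++from blivet.static_data import luks_data
+
+
+class LUKSNodevTestCase(unittest.TestCase):
++ def setUp(self):
++ luks_data.pbkdf_args = None
++
+def test_create_discard_option(self):
+# flags.discard_new=False --> no discard
+fmt = LUKS(exists=False)
+@@ -51,6 +56,31 @@ class LUKSNodevTestCase(unittest.TestCase):
+fmt = LUKS(cipher="aes-cbc-plain64")
+self.assertEqual(fmt.key_size, 0)
+
++ def test_luks2_pbkdf_memory_fips(self):
++ fmt = LUKS()
++ with patch("blivet.formats.luks.blockdev.crypto") as bd:
++ # fips enabled, pbkdf memory should not be set
++ with patch("blivet.formats.luks.crypto") as crypto:
++ attrs = {"is_fips_enabled.return_value": True,
++ "get_optimal_luks_sector_size.return_value": 0,
++ "calculate_luks2_max_memory.return_value": Size("256 MiB")}
++ crypto.configure_mock(**attrs)
++
++ fmt._create()
++ crypto.calculate_luks2_max_memory.assert_not_called()
++ self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 0)
++
++ # fips disabled, pbkdf memory should be set
++ with patch("blivet.formats.luks.crypto") as crypto:
++ attrs = {"is_fips_enabled.return_value": False,
++ "get_optimal_luks_sector_size.return_value": 0,
++ "calculate_luks2_max_memory.return_value": Size("256 MiB")}
++ crypto.configure_mock(**attrs)
++
++ fmt._create()
++ crypto.calculate_luks2_max_memory.assert_called()
++ self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 256 * 1024)
++
+def test_sector_size(self):
+fmt = LUKS()
+self.assertEqual(fmt.luks_sector_size, 512)
+diff --git a/tests/unit_tests/formats_tests/methods_test.py b/tests/unit_tests/formats_tests/methods_test.py
+index 2743b7db..5d30c260 100644
+--- a/tests/unit_tests/formats_tests/methods_test.py
++++ b/tests/unit_tests/formats_tests/methods_test.py
+@@ -366,7 +366,8 @@ class LUKSMethodsTestCase(FormatMethodsTestCase):
+
+def _test_create_backend(self):
+self.format.exists = False
+- self.format.create()
++ with patch("blivet.devicelibs.crypto.is_fips_enabled", return_value=False):
++ self.format.create()
+self.assertTrue(self.patches["blockdev"].crypto.luks_format.called) # pylint: disable=no-member
+
+def _test_setup_backend(self):
+--
+2.40.1
+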
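Review bot: The FIPS check in the `blivet/formats/luks.py` hunk guards only the default memory limit: the branch above it (`if luks_data.pbkdf_args: self.pbkdf_args = luks_data.pbkdf_args`) still hands a caller-supplied `max_memory_kb` to the format call when FIPS is on. If the memory limit is not a valid parameter under FIPS, as the commit message states, that path presumably still fails; logging a warning or dropping the memory limit there, plus a third case in `test_luks2_pbkdf_memory_fips`, would close it. In `is_fips_enabled()`, the `os.path.exists` check followed by `open` can be a single step by wrapping the `open` in `try` with `except FileNotFoundError: return False`, and the function has no docstring; something like `"""Return True when /proc/sys/crypto/fips_enabled reads 1."""` would do. The `_create` body in `luks.py` starts and ends outside the hunk.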
@ -23,7 +23,7 @@ Version: 3.6.0
|
|||||||
|
|
||||||
#%%global prerelease .b2
|
#%%global prerelease .b2
|
||||||
# prerelease, if defined, should be something like .a1, .b1, .b2.dev1, or .c2
|
# prerelease, if defined, should be something like .a1, .b1, .b2.dev1, or .c2
|
||||||
Release: 6%{?prerelease}%{?dist}
|
Release: 7%{?prerelease}%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
%global realname blivet
|
%global realname blivet
|
||||||
@ -42,6 +42,8 @@ Patch8: 0009-Catch-BlockDevNotImplementedError-for-btrfs-plugin-c.patch
|
|||||||
Patch9: 0010-Add-basic-support-for-NVMe-and-NVMe-Fabrics-devices.patch
|
Patch9: 0010-Add-basic-support-for-NVMe-and-NVMe-Fabrics-devices.patch
|
||||||
Patch10: 0011-Default-to-encryption-sector-size-512-for-LUKS-devic.patch
|
Patch10: 0011-Default-to-encryption-sector-size-512-for-LUKS-devic.patch
|
||||||
Patch11: 0012-Add-support-for-specifying-stripe-size-for-RAID-LVs.patch
|
Patch11: 0012-Add-support-for-specifying-stripe-size-for-RAID-LVs.patch
|
||||||
|
Patch12: 0013-Fix-setting-kickstart-data.patch
|
||||||
|
Patch13: 0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
|
||||||
|
|
||||||
# Versions of required components (done so we make sure the buildrequires
|
# Versions of required components (done so we make sure the buildrequires
|
||||||
# match the requires versions of things).
|
# match the requires versions of things).
|
||||||
@ -205,6 +207,12 @@ configuration.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu May 18 2023 Vojtech Trefny <vtrefny@redhat.com> - 3.6.0-7
|
||||||
|
- Fix setting kickstart data
|
||||||
|
Resolves: rhbz#2174296
|
||||||
|
- Do not set memory limit for LUKS2 when running in FIPS mode
|
||||||
|
Resolves: rhbz#2193096
|
||||||
|
|
||||||
* Tue May 02 2023 Vojtech Trefny <vtrefny@redhat.com> - 3.6.0-6
|
* Tue May 02 2023 Vojtech Trefny <vtrefny@redhat.com> - 3.6.0-6
|
||||||
- Add support for specifying stripe size for RAID LVs
|
- Add support for specifying stripe size for RAID LVs
|
||||||
Resolves: RHEL-327
|
Resolves: RHEL-327
|
||||||
|