diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch index 6dedf84..6e1b524 100644 --- a/crypto-policies-FIPS.patch +++ b/crypto-policies-FIPS.patch 
@@ -1,206 +1,173 @@ -Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup +Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup =================================================================== ---- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup -+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup -@@ -7,6 +7,7 @@ enable_fips= - check=0 - boot_config=1 - err_if_disabled=0 -+fips_install_complete=0 - output_text=1 - - is_ostree_system=0 -@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test - exit 1 +--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup ++++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup +@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then + exit 1 fi -- --if [ "$(id -u)" != 0 ]; then -- echo "You must be root to run $(basename $0)" -- exit 1 --fi -- -- --# Detect 1: kernel FIPS flag --fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) -- --# Detect 2: initramfs fips module presence; not always can be done --initramfs_fips_module=0 --initramfs_inspectable=0 --if test -d /boot -a -x /usr/bin/lsinitrd; then -- initramfs_inspectable=1 -- if lsinitrd -m 2>/dev/null | grep -Fxq fips; then -- initramfs_fips_module=1 -+if test "$enable_fips" = 1 ; then -+ # Check the required FIPS modules are installed -+ if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then -+ cond_echo "Installation of FIPS modules is not complete." -+ cond_echo "Please, install grubby and the fips pattern." -+ exit 1 - fi ++# This check must be done as root, otherwise it will fail. ++is_transactional_system=0 ++if test ! -w /usr ; then ++ is_transactional_system=1 ++fi ++ ++# We don't handle the setup on transactional systems as the process is ++# quite different and involves several reboots. ++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then ++ cond_echo -n "Cannot handle transactional systems. 
" ++ cond_echo "Please, refer to the fips-mode-setup man pages for more information." ++ exit 1 ++fi + + # Detect 1: kernel FIPS flag + fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +@@ -203,9 +216,22 @@ else + fi fi --# Detect 3: crypto-policy base policy --current_policy="$(cat /etc/crypto-policies/state/current)" --base_policy="$(echo $current_policy| cut -f 1 -d :)" --if test "$base_policy" == "FIPS" ; then -- base_policy_is_fips=1 --else -- base_policy_is_fips=0 -+if test "$enable_fips" = 1 ; then -+ if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then -+ fips_install_complete=1 +-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +- echo "The grubby command is missing, please configure the bootloader manually." +- boot_config=0 ++if test "$boot_config" = 1 ; then ++ # Install required packages: patterns-base-fips and perl-Bootloader ++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test ! -x "$(command -v pbl)" && \ ++ test "$enable_fips" = 1; then ++ zypper -n install patterns-base-fips perl-Bootloader ++ elif test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test "$enable_fips" = 1 ; then ++ zypper -n install patterns-base-fips ++ elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++ fi ++ if test $? != 0 ; then ++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." ++ boot_config=0 + fi fi -- - if test $check = 1 ; then -- # Look for signs for both enabling and disabling FIPS mode -- fips_positive=0 -- fips_negative=0 -- -- # Display 1: kernel FIPS flag -- cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)." -- -- # Display 2: initramfs fips module -- if test "$initramfs_inspectable" = 1 ; then -- cond_echo -n "Initramfs fips module is " -- cond_echo "$(enable2txt $initramfs_fips_module)." 
-- fi -- -- # Display 3: active crypto-policy -- cond_echo -n "The current crypto policy ($current_policy) " -- if test "$base_policy_is_fips" == 1 ; then -- cond_echo 'is based on the FIPS policy.' -- else -- cond_echo -n 'neither is the FIPS policy ' -- cond_echo 'nor is based on the FIPS policy.' -- fi -- -- # Decide 1: kernel FIPS flag -- if test "$fips_kernel_enabled" = 1 ; then -- fips_positive=1 -- else -- fips_negative=1 -- fi -- -- # Decide 2: initramfs module presence -- if test "$initramfs_inspectable" = 1 ; then -- if test "$initramfs_fips_module" = 1 ; then -- fips_positive=1 + echo "FIPS mode will be $(enable2txt $enable_fips)." +@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" + echo "and reboot the system for the setting to take effect." + else +- grubby --update-kernel=ALL --args="$fipsopts" +- if test x"$(uname -m)" = xs390x; then +- if command -v zipl >/dev/null; then +- zipl - else -- fips_negative=1 -+ test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete." -+ fips_enabled=$(cat /proc/sys/crypto/fips_enabled) -+ cond_echo "FIPS mode is $(enable2txt $fips_enabled)." -+ if test "$fips_enabled" = 1 ; then -+ if test $fips_install_complete = 0 ; then -+ cond_echo "Inconsistent state detected." -+ exit 1 -+ fi -+ current="$(cat /etc/crypto-policies/state/current)" -+ if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then -+ cond_echo -n "The current crypto policy ($current) " -+ cond_echo -n 'neither is the FIPS policy ' -+ cond_echo 'nor is based on the FIPS policy.' -+ cond_echo 'Inconsistent state detected.' -+ exit 1 - fi +- echo -n '`zipl` execution has been skipped: ' +- echo '`zipl` not found.' 
+- fi - fi -- -- # Decide 3: active crypto-policy -- if test "$base_policy_is_fips" = 1 ; then -- fips_positive=1 - else -- fips_negative=1 -- fi -- -- # Make the FIPS mode consistency decision -- if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then -- cond_echo 'Inconsistent state detected.' -- exit 1 -+ if test $fips_install_complete = 1 ; then -+ cond_echo "Inconsistent state detected." -+ exit 1 -+ fi -+ current="$(cat /etc/crypto-policies/state/current)" -+ if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then -+ cond_echo -n "The current crypto policy ($current) " -+ cond_echo -n 'is based on the FIPS policy, ' -+ cond_echo 'but FIPS mode is not enabled.' -+ cond_echo 'Inconsistent state detected.' -+ exit 1 -+ fi - fi -- -- # Error out if `--is-enabled` was passed and FIPS mode is not enabled -- if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then -- cond_echo 'FIPS mode is not enabled.' -+ if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then - exit 2 - fi -- ++ pbl --add-option "$fipsopts" ++ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all ++ ++ # grubby --update-kernel=ALL --args="$fipsopts" ++ # if test x"$(uname -m)" = xs390x; then ++ # if command -v zipl >/dev/null; then ++ # zipl ++ # else ++ # echo -n '`zipl` execution has been skipped: ' ++ # echo '`zipl` not found.' ++ # fi ++ # fi ++ + echo "Please reboot the system for the setting to take effect." + fi + +Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install +=================================================================== +--- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install ++++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install +@@ -23,7 +23,16 @@ fi + + umask 022 + +-trap "rm -f $dracut_cfg" ERR ++# trap "rm -f $dracut_cfg" ERR ++ ++# Install required packages: patterns-base-fips and perl-Bootloader ++if test ! -f $dracut_cfg && test ! 
-x "$(command -v pbl)" ; then ++ zypper -n install patterns-base-fips perl-Bootloader ++elif test ! -f $dracut_cfg ; then ++ zypper -n install patterns-base-fips ++elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++fi + + if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then + # No dracut configuration or boot directory present, do not try to modify it. +@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot exit 0 fi -+if [ "$(id -u)" != 0 ]; then -+ echo "You must be root to run $(basename $0)" -+ exit 1 -+fi - - if test $enable_fips = 1 ; then -- if test "$initramfs_fips_module" = 0 ; then -+ if test $fips_install_complete = 1 ; then - fips-finish-install --complete - if test $? != 0 ; then -- echo "Installation of FIPS modules could not be completed." -+ echo "Installation of FIPS modules could not be completed." - exit 1 - fi - fi -- if test "$base_policy_is_fips" == 1 ; then -- cond_echo -n 'Preserving current FIPS-based policy ' -- cond_echo "${current_policy}." -+ target="$(cat /etc/crypto-policies/state/current)" -+ if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then -+ cond_echo "Preserving current FIPS-based policy ${target}." - cond_echo -n 'Please review the subpolicies to ensure they ' - cond_echo 'only restrict, not relax the FIPS policy.' - else -@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then - boot_device_opt=" boot=UUID=" - boot_config=0 - else -- if test "$boot_device" = / ; then -- boot_device_opt="" -- else -- boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)" -- fi -+ if test "$boot_device" = / ; then -+ boot_device_opt="" -+ else -+ boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)" -+ fi - fi - - if test "$boot_config" = 1 && test ! 
-x "$(command -v grubby)" ; then -Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt +-cat >$dracut_cfg </dev/null; then +- zipl +- else +- echo '`zipl` execution has been skipped: `zipl` not found.' +- fi +-fi ++# cat >$dracut_cfg </dev/null; then ++# zipl ++# else ++# echo '`zipl` execution has been skipped: `zipl` not found.' ++# fi ++# fi +Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt =================================================================== ---- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt -+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt -@@ -39,8 +39,15 @@ system crypto policy to FIPS - (unless the policy has already been set to FIPS plus subpolicies on top, - in which case the currently active subpolicies is retained). - -+Some required FIPS modules (grubby, fips pattern) might not be -+installed by default. These can be installed in SUSE/openSUSE with -+the following command: -+ -+ zypper in -y grubby && zypper in -y -t pattern fips -+ - Then the command modifies the boot loader configuration to add - 'fips=1' and 'boot=' options to the kernel command line. -+Note that, grubby could show a harmless warning about leaked file descriptors. - +--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt +@@ -45,6 +45,23 @@ Then the command modifies the boot loade When disabling the system FIPS mode the system crypto policy is switched to DEFAULT and the kernel command line option 'fips=0' is set. + ++On transactional systems, enabling the system in FIPS mode with the ++fips-mode-setup tool is not implemented. To enable the FIPS mode in these ++systems requires the following steps: ++ ++ 1.- Install the FIPS pattern on a running system: ++ # transactional-update pkg install -t pattern microos-fips ++ ++ 2.- Reboot your system. 
++ ++ 3.- Add the kernel command line parameter fips=1 to the boot loader ++ configuration. To do so, edit the file /etc/default/grub and add ++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. ++ ++ 4.- After logging in to the system, run: ++ # transactional-update grub.cfg ++ ++ 5.- Reboot your system. + + [[options]] + OPTIONS diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch index d5e2eb0..c4f8a21 100644 --- a/crypto-policies-policygenerators.patch +++ b/crypto-policies-policygenerators.patch @@ -1,13 +1,13 @@ -Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py +Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py =================================================================== ---- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py -+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py +--- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py ++++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py @@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator from .java import JavaGenerator from .java import JavaSystemGenerator from .krb5 import KRB5Generator -from .libreswan import LibreswanGenerator -+#from .libreswan import LibreswanGenerator ++# from .libreswan import LibreswanGenerator from .libssh import LibsshGenerator from .nss import NSSGenerator from .openssh import OpenSSHClientGenerator 
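Review bot: The new bootloader path in fips-mode-setup runs `pbl --add-option "$fipsopts"` and `grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all` without checking their exit status, so a failed grub update or initramfs rebuild still ends in "Please reboot the system for the setting to take effect.", reporting the setting as applied on a system whose initramfs may never have been rebuilt. Each step should abort explicitly, e.g. `pbl --add-option "$fipsopts" || exit 1`, `grub2-mkconfig -o /boot/grub2/grub.cfg || exit 1`, `dracut -f --regenerate-all || exit 1`, so that a non-zero exit (or the existing boot_config=0 fallback message) is what the caller sees. The same `$fipsopts` is appended on both the enable and the disable path; the removed `grubby --args` replaced an existing value, whereas whether pbl deduplicates an already-present fips=1 when fips=0 is added is not visible here and should be confirmed, or the previous fips= option removed first. The s390x zipl step and the dracut.conf.d writer in fips-finish-install are kept as commented-out blocks rather than deleted; if they are not coming back, removing them keeps the patch readable. The fips-mode-setup and fips-finish-install bodies continue outside this hunk.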
@@ -16,17 +16,16 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__. from .openssl import OpenSSLGenerator -from .sequoia import SequoiaGenerator -from .sequoia import RPMSequoiaGenerator -+#from .sequoia import SequoiaGenerator -+#from .sequoia import RPMSequoiaGenerator ++# from .sequoia import SequoiaGenerator ++# from .sequoia import RPMSequoiaGenerator __all__ = [ 'BindGenerator', -@@ -24,13 +24,13 @@ __all__ = [ +@@ -24,13 +24,14 @@ __all__ = [ 'JavaGenerator', 'JavaSystemGenerator', 'KRB5Generator', - 'LibreswanGenerator', -+# 'LibreswanGenerator', 'LibsshGenerator', 'NSSGenerator', 'OpenSSHClientGenerator', @@ -35,6 +34,8 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__. 'OpenSSLGenerator', - 'SequoiaGenerator', - 'RPMSequoiaGenerator', + ] ++ ++# 'LibreswanGenerator', +# 'SequoiaGenerator', +# 'RPMSequoiaGenerator', - ] diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch new file mode 100644 index 0000000..717f30a --- /dev/null +++ b/crypto-policies-pylint.patch @@ -0,0 +1,15 @@ +Index: fedora-crypto-policies-20230614.5f3458e/Makefile +=================================================================== +--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile ++++ fedora-crypto-policies-20230614.5f3458e/Makefile +@@ -44,8 +44,8 @@ runflake8: + @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8 + + runpylint: +- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python +- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests ++ PYTHONPATH=. pylint --rcfile=pylintrc python ++ PYTHONPATH=. pylint --rcfile=pylintrc tests + @echo "[ OK ]" + + runcodespell: diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz index 81e15c2..aa32641 100644 --- a/crypto-policies.7.gz +++ b/crypto-policies.7.gz 
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5eceb5b5a5360d08e1f85163bea95bdb84c748e1e3836765b400773d42bba1c9
+oid sha256:6071a2f41678232b63d27d3f1bbd73915f85159fda78f71ae8a63d8bdce388e0
 size 6937
diff --git a/crypto-policies.changes b/crypto-policies.changes
index 451d982..0de8af0 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal
+
+- Tests: Fix pylint versioning for TW and fix the parsing of the
+ policygenerators to account for the commented lines correctly.
+ * Add crypto-policies-pylint.patch
+ * Rebase crypto-policies-policygenerators.patch
+
+-------------------------------------------------------------------
+Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal
+
+- FIPS: Adapt the fips-mode-setup script to use the pbl command
+ from the perl-Bootloader package to replace grubby. Add a note
+ for transactional systems [jsc#PED-4578].
+ * Rebase crypto-policies-FIPS.patch
+
 -------------------------------------------------------------------
 Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 684d8fa..0116b1b 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -51,8 +51,10 @@ Patch2: crypto-policies-policygenerators.patch
 Patch3: crypto-policies-supported.patch
 #PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
 Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
-#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
-Patch5: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
 BuildRequires: python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires: python3-toml
@@ -62,10 +64,12 @@ BuildRequires: asciidoc
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires: bind
+BuildRequires: codespell
 BuildRequires: gnutls >= 3.6.0
 BuildRequires: java-devel
 BuildRequires: krb5-devel
 BuildRequires: libxslt
+#BuildRequires: mozilla-nss-tools
 BuildRequires: openssl
 BuildRequires: perl
 BuildRequires: python3-coverage
@@ -79,9 +83,9 @@ BuildRequires: perl(File::Which)
 BuildRequires: perl(File::pushd)
 %endif
 Recommends: crypto-policies-scripts
-Conflicts: gnutls < 3.7.0
+Conflicts: gnutls < 3.7.3
 #Conflicts: libreswan < 3.28
-Conflicts: nss < 3.44.0
+Conflicts: nss < 3.90.0
 #Conflicts: openssh < 8.2p1
 #!BuildIgnore: crypto-policies
 BuildArch: noarch
@@ -94,7 +98,7 @@ such as SSL/TLS libraries.
 %package scripts
 Summary: Tool to switch between crypto policies
 Requires: %{name} = %{version}-%{release}
-Recommends: grubby
+Recommends: perl-Bootloader
 %description scripts
 This package provides a tool update-crypto-policies, which applies
@@ -141,11 +145,11 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
-%if %{without manbuild}
-# Install the manpages from defined sources
 mkdir -p -m 755 %{buildroot}%{_mandir}/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
 cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
 cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
 %endif
@@ -181,7 +185,8 @@ install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
 %check
 %if %{with testsuite}
 export OPENSSL_CONF=''
-%make_build test test-install test-fips-setup || :
+%make_build test
+%make_build test-install test-fips-setup || :
 %endif
 %post -p
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
index 7459f19..3767c05 100644
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b0c4844eb573ddb5517d78c0e2e663066413ef3807dfa63df5ee43c0fefe1582
+oid sha256:3036b9fde1e86342746075d825d23eab12ee54228ebae9b6746e93bd51e3ada8
 size 825
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
index cc679da..e73a349 100644
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:af453be70b0971f4e4139eec3b669bee3b5195df2d7c28853d3fd4c4006cbb1b
-size 1542
+oid sha256:b29d2ba880077b33ef73932ca13ef88581e66288c4277a610aff9afa3a354b59
+size 1648
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
index 5dd3484..6d4a2e2 100644
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cad2a9da340059b6ba7b84c9646a85f113cb8781d55c0ea5c8aa0422ea632c3c
+oid sha256:950fcd3d9729c215baaa0dddb9434b01f02addca6aa4a4404a8d2ad65ef53598
 size 4154