Accepting request 1108344 from home:pmonrealgonzalez:branches:security:tls

- Tests: Fix pylint versioning for TW and fix the parsing of the policygenerators to account for the commented lines correctly. * Add crypto-policies-pylint.patch * Rebase crypto-policies-policygenerators.patch - FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note for transactional systems [jsc#PED-4578]. * Rebase crypto-policies-FIPS.patch OBS-URL: https://build.opensuse.org/request/show/1108344 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=21
2023-09-04 07:42:24 +00:00 · 2023-09-04 07:42:24 +00:00 · f16e5f47af
commit f16e5f47af
parent c840e031b3
9 changed files with 216 additions and 212 deletions
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -1,206 +1,173 @@
-Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
+Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
 ===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
-@@ -7,6 +7,7 @@ enable_fips=
+@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
- check=0
+ 	exit 1
 boot_config=1
 err_if_disabled=0
 +fips_install_complete=0
 output_text=1
 is_ostree_system=0
@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
     exit 1
 fi
-
+# This check must be done as root, otherwise it will fail.
-if [ "$(id -u)" != 0 ]; then
+is_transactional_system=0
-	echo "You must be root to run $(basename $0)"
+if test ! -w /usr ; then
-	exit 1
+	is_transactional_system=1
-fi
+fi
-
+
-
+# We don't handle the setup on transactional systems as the process is
-# Detect 1: kernel FIPS flag
+# quite different and involves several reboots.
-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
-
+    cond_echo -n "Cannot handle transactional systems. "
-# Detect 2: initramfs fips module presence; not always can be done
+    cond_echo "Please, refer to the fips-mode-setup man pages for more information."
-initramfs_fips_module=0
+    exit 1
-initramfs_inspectable=0
+fi
-if test -d /boot -a -x /usr/bin/lsinitrd; then
+ 
-	initramfs_inspectable=1
+ # Detect 1: kernel FIPS flag
-	if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
+ fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-		initramfs_fips_module=1
+@@ -203,9 +216,22 @@ else
-+if test "$enable_fips" = 1 ; then
+         fi
 +	# Check the required FIPS modules are installed
 +	if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then
 +		cond_echo "Installation of FIPS modules is not complete."
 +		cond_echo "Please, install grubby and the fips pattern."
 +		exit 1
 	fi
 fi
-# Detect 3: crypto-policy base policy
+-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-current_policy="$(cat /etc/crypto-policies/state/current)"
+-	echo "The grubby command is missing, please configure the bootloader manually."
-base_policy="$(echo $current_policy| cut -f 1 -d :)"
+-	boot_config=0
-if test "$base_policy" == "FIPS" ; then
+if test "$boot_config" = 1 ; then
-	base_policy_is_fips=1
+	# Install required packages: patterns-base-fips and perl-Bootloader
-else
+	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
-	base_policy_is_fips=0
+		test ! -x "$(command -v pbl)" && \
-+if test "$enable_fips" = 1 ; then
+		test "$enable_fips" = 1; then
-+	if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
+		zypper -n install patterns-base-fips perl-Bootloader
-+	fips_install_complete=1
+	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
 +		test "$enable_fips" = 1 ; then
 +		zypper -n install patterns-base-fips
 +	elif test ! -x "$(command -v pbl)" ; then
 +		zypper -n install perl-Bootloader
 +	fi
 +	if test $? != 0 ; then
 +		echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
 +		boot_config=0
 +	fi
 fi
-
+ echo "FIPS mode will be $(enable2txt $enable_fips)."
- if test $check = 1 ; then
+@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then
-	# Look for signs for both enabling and disabling FIPS mode
+ 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
-	fips_positive=0
+ 	echo "and reboot the system for the setting to take effect."
-	fips_negative=0
+ else
-
+-	grubby --update-kernel=ALL --args="$fipsopts"
-	# Display 1: kernel FIPS flag
+-	if test x"$(uname -m)" = xs390x; then
-	cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
+-		if command -v zipl >/dev/null; then
-
+-			zipl
 -	# Display 2: initramfs fips module
 -	if test "$initramfs_inspectable" = 1 ; then
 -		cond_echo -n "Initramfs fips module is "
 -		cond_echo "$(enable2txt $initramfs_fips_module)."
 -	fi
 -
 -	# Display 3: active crypto-policy
 -	cond_echo -n "The current crypto policy ($current_policy) "
 -	if test "$base_policy_is_fips" == 1 ; then
 -		cond_echo 'is based on the FIPS policy.'
 -	else
 -		cond_echo -n 'neither is the FIPS policy '
 -		cond_echo 'nor is based on the FIPS policy.'
 -	fi
 -
 -	# Decide 1: kernel FIPS flag
 -	if test "$fips_kernel_enabled" = 1 ; then
 -		fips_positive=1
 -	else
 -		fips_negative=1
 -	fi
 -
 -	# Decide 2: initramfs module presence
 -	if test "$initramfs_inspectable" = 1 ; then
 -		if test "$initramfs_fips_module" = 1 ; then
 -			fips_positive=1
 -		else
-			fips_negative=1
+-			echo -n '`zipl` execution has been skipped: '
-+	test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete."
+-			echo '`zipl` not found.'
-+	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
+-		fi
 +	cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
 +	if test "$fips_enabled" = 1 ; then
 +		if test $fips_install_complete = 0 ; then
 +			cond_echo "Inconsistent state detected."
 +			exit 1
 +		fi
 +		current="$(cat /etc/crypto-policies/state/current)"
 +		if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
 +			cond_echo -n "The current crypto policy ($current) "
 +			cond_echo -n 'neither is the FIPS policy '
 +			cond_echo 'nor is based on the FIPS policy.'
 +			cond_echo 'Inconsistent state detected.'
 +			exit 1
 		fi
 -	fi
-
+	pbl --add-option "$fipsopts"
-	# Decide 3: active crypto-policy
+	grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
-	if test "$base_policy_is_fips" = 1 ; then
+
-		fips_positive=1
+	# grubby --update-kernel=ALL --args="$fipsopts"
- 	else
+	# if test x"$(uname -m)" = xs390x; then
-		fips_negative=1
+	# 	if command -v zipl >/dev/null; then
-	fi
+	# 		zipl
-
+	# 	else
-	# Make the FIPS mode consistency decision
+	# 		echo -n '`zipl` execution has been skipped: '
-	if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
+	# 		echo '`zipl` not found.'
-		cond_echo 'Inconsistent state detected.'
+	# 	fi
-		exit 1
+	# fi
-+		if test $fips_install_complete = 1 ; then
+
-+			cond_echo "Inconsistent state detected."
+ 	echo "Please reboot the system for the setting to take effect."
-+			exit 1
+ fi
-+		fi
+ 
-+		current="$(cat /etc/crypto-policies/state/current)"
+Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
-+		if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
+===================================================================
-+			cond_echo -n "The current crypto policy ($current) "
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install
-+			cond_echo -n 'is based on the FIPS policy, '
+++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install
-+			cond_echo 'but FIPS mode is not enabled.'
+@@ -23,7 +23,16 @@ fi
-+			cond_echo 'Inconsistent state detected.'
+ 
-+			exit 1
+ umask 022
-+		fi
+ 
- 	fi
+-trap "rm -f $dracut_cfg" ERR
-
+# trap "rm -f $dracut_cfg" ERR
-	# Error out if `--is-enabled` was passed and FIPS mode is not enabled
+
-	if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
+# Install required packages: patterns-base-fips and perl-Bootloader
-		cond_echo 'FIPS mode is not enabled.'
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
-+	if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
+	zypper -n install patterns-base-fips perl-Bootloader
- 		exit 2
+elif test ! -f $dracut_cfg ; then
- 	fi
+	zypper -n install patterns-base-fips
-
+elif test ! -x "$(command -v pbl)" ; then
 +	zypper -n install perl-Bootloader
 +fi
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 	# No dracut configuration or boot directory present, do not try to modify it.
@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 	exit 0
 fi
-+if [ "$(id -u)" != 0 ]; then
+-cat >$dracut_cfg <<EOF
-+	echo "You must be root to run $(basename $0)"
+-# turn on fips module
-+	exit 1
+-
-+fi
+-add_dracutmodules+=" fips "
- 
+-EOF
- if test $enable_fips = 1 ; then
+-
-	if test "$initramfs_fips_module" = 0 ; then
+-echo "Kernel initramdisks are being regenerated. This might take some time."
-+	if test $fips_install_complete = 1 ; then
+-
- 		fips-finish-install --complete
+-dracut -f --regenerate-all
- 		if test $? != 0 ; then
+-
-			echo "Installation of FIPS modules could not be completed."
+-# This is supposed to be a fast and safe operation that's always good to run.
-+	 		echo "Installation of FIPS modules could not be completed."
+-# Regenerating an initrd and skipping it might render the system unbootable
- 			exit 1
+-# (RHBZ#2013195).
- 		fi
+-if test x"$(uname -m)" = xs390x; then
- 	fi
+-	if command -v zipl >/dev/null; then
-	if test "$base_policy_is_fips" == 1 ; then
+-		zipl
-		cond_echo -n 'Preserving current FIPS-based policy '
+-	else
-		cond_echo "${current_policy}."
+-		echo '`zipl` execution has been skipped: `zipl` not found.'
-+	target="$(cat /etc/crypto-policies/state/current)"
+-	fi
-+	if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
+-fi
-+	    cond_echo "Preserving current FIPS-based policy ${target}."
+# cat >$dracut_cfg <<EOF
- 		cond_echo -n 'Please review the subpolicies to ensure they '
+# # turn on fips module
- 		cond_echo 'only restrict, not relax the FIPS policy.'
+#
- 	else
+# add_dracutmodules+=" fips "
-@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
+# EOF
- 	boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
+#
- 	boot_config=0
+# echo "Kernel initramdisks are being regenerated. This might take some time."
- else
+#
-        if test "$boot_device" = / ; then
+# dracut -f --regenerate-all
-            boot_device_opt=""
+#
-        else
+# # This is supposed to be a fast and safe operation that's always good to run.
-            boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+# # Regenerating an initrd and skipping it might render the system unbootable
-        fi
+# # (RHBZ#2013195).
-+	if test "$boot_device" = / ; then
+# if test x"$(uname -m)" = xs390x; then
-+		boot_device_opt=""
+# 	if command -v zipl >/dev/null; then
-+	else
+# 		zipl
-+		boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+# 	else
-+	fi
+# 		echo '`zipl` execution has been skipped: `zipl` not found.'
- fi
+# 	fi
- 
+# fi
- if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
 Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
 ===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
-@@ -39,8 +39,15 @@ system crypto policy to FIPS
+@@ -45,6 +45,23 @@ Then the command modifies the boot loade
 (unless the policy has already been set to FIPS plus subpolicies on top,
 in which case the currently active subpolicies is retained).
 +Some required FIPS modules (grubby, fips pattern) might not be
 +installed by default. These can be installed in SUSE/openSUSE with
 +the following command:
 +
 +    zypper in -y grubby && zypper in -y -t pattern fips
 +
 Then the command modifies the boot loader configuration to add
 'fips=1' and 'boot=<boot-device>' options to the kernel command line.
 +Note that, grubby could show a harmless warning about leaked file descriptors.
 When disabling the system FIPS mode the system crypto policy is switched
 to DEFAULT and the kernel command line option 'fips=0' is set.
 +On transactional systems, enabling the system in FIPS mode with the
 +fips-mode-setup tool is not implemented. To enable the FIPS mode in these
 +systems requires the following steps:
 +
 +	1.- Install the FIPS pattern on a running system:
 +	    # transactional-update pkg install -t pattern microos-fips
 +
 +	2.- Reboot your system.
 +
 +	3.- Add the kernel command line parameter fips=1 to the boot loader
 +	    configuration. To do so, edit the file /etc/default/grub and add
 +	    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
 +
 +	4.- After logging in to the system, run:
 +	    # transactional-update grub.cfg
 +
 +	5.- Reboot your system.
 [[options]]
 OPTIONS
--- a/crypto-policies-policygenerators.patch
+++ b/crypto-policies-policygenerators.patch
@ -1,13 +1,13 @@
-Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
 ===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
+--- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
 from .java import JavaGenerator
 from .java import JavaSystemGenerator
 from .krb5 import KRB5Generator
 -from .libreswan import LibreswanGenerator
-+#from .libreswan import LibreswanGenerator
+# from .libreswan import LibreswanGenerator
 from .libssh import LibsshGenerator
 from .nss import NSSGenerator
 from .openssh import OpenSSHClientGenerator
@ -16,17 +16,16 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.
 from .openssl import OpenSSLGenerator
 -from .sequoia import SequoiaGenerator
 -from .sequoia import RPMSequoiaGenerator
-+#from .sequoia import SequoiaGenerator
+# from .sequoia import SequoiaGenerator
-+#from .sequoia import RPMSequoiaGenerator
+# from .sequoia import RPMSequoiaGenerator
 __all__ = [
     'BindGenerator',
-@@ -24,13 +24,13 @@ __all__ = [
+@@ -24,13 +24,14 @@ __all__ = [
     'JavaGenerator',
     'JavaSystemGenerator',
     'KRB5Generator',
 -    'LibreswanGenerator',
 +#    'LibreswanGenerator',
     'LibsshGenerator',
     'NSSGenerator',
     'OpenSSHClientGenerator',
@ -35,6 +34,8 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.
     'OpenSSLGenerator',
 -    'SequoiaGenerator',
 -    'RPMSequoiaGenerator',
 ]
 +
 +#    'LibreswanGenerator',
 +#    'SequoiaGenerator',
 +#    'RPMSequoiaGenerator',
 ]
--- a/crypto-policies-pylint.patch
+++ b/crypto-policies-pylint.patch
@ -0,0 +1,15 @@
 Index: fedora-crypto-policies-20230614.5f3458e/Makefile
 ===================================================================
 --- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
 +++ fedora-crypto-policies-20230614.5f3458e/Makefile
@@ -44,8 +44,8 @@ runflake8:
 	@find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
 runpylint:
 -	PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
 -	PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
 +	PYTHONPATH=. pylint --rcfile=pylintrc python
 +	PYTHONPATH=. pylint --rcfile=pylintrc tests
 	@echo "[ OK ]"
 runcodespell:
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5eceb5b5a5360d08e1f85163bea95bdb84c748e1e3836765b400773d42bba1c9
+oid sha256:6071a2f41678232b63d27d3f1bbd73915f85159fda78f71ae8a63d8bdce388e0
 size 6937
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 - Tests: Fix pylint versioning for TW and fix the parsing of the
  policygenerators to account for the commented lines correctly.
  * Add crypto-policies-pylint.patch
  * Rebase crypto-policies-policygenerators.patch
 -------------------------------------------------------------------
 Tue Aug  1 12:23:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 - FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
  for transactional systems [jsc#PED-4578].
  * Rebase crypto-policies-FIPS.patch
 -------------------------------------------------------------------
 Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner <meissner@suse.com>
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -51,8 +51,10 @@ Patch2:         crypto-policies-policygenerators.patch
 Patch3:         crypto-policies-supported.patch
 #PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
 Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
-#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
-Patch5:         crypto-policies-FIPS.patch
+Patch5:         crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
 Patch6:         crypto-policies-FIPS.patch
 BuildRequires:  python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires:  python3-toml
@ -62,10 +64,12 @@ BuildRequires:  asciidoc
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires:  bind
 BuildRequires:  codespell
 BuildRequires:  gnutls >= 3.6.0
 BuildRequires:  java-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libxslt
 #BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl
 BuildRequires:  perl
 BuildRequires:  python3-coverage
@ -79,9 +83,9 @@ BuildRequires:  perl(File::Which)
 BuildRequires:  perl(File::pushd)
 %endif
 Recommends:     crypto-policies-scripts
-Conflicts:      gnutls < 3.7.0
+Conflicts:      gnutls < 3.7.3
 #Conflicts:      libreswan < 3.28
-Conflicts:      nss < 3.44.0
+Conflicts:      nss < 3.90.0
 #Conflicts:      openssh < 8.2p1
 #!BuildIgnore:  crypto-policies
 BuildArch:      noarch
@ -94,7 +98,7 @@ such as SSL/TLS libraries.
 %package scripts
 Summary:        Tool to switch between crypto policies
 Requires:       %{name} = %{version}-%{release}
-Recommends:     grubby
+Recommends:     perl-Bootloader
 %description scripts
 This package provides a tool update-crypto-policies, which applies
@ -141,11 +145,11 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
 %if %{without manbuild}
 # Install the manpages from defined sources
 mkdir -p -m 755 %{buildroot}%{_mandir}/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
 %if %{without manbuild}
 # Install the manpages from defined sources
 cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
 cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
 %endif
@ -181,7 +185,8 @@ install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
 %check
 %if %{with testsuite}
 export OPENSSL_CONF=''
-%make_build test test-install test-fips-setup || :
+%make_build test
 %make_build test-install test-fips-setup || :
 %endif
 %post -p <lua>
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b0c4844eb573ddb5517d78c0e2e663066413ef3807dfa63df5ee43c0fefe1582
+oid sha256:3036b9fde1e86342746075d825d23eab12ee54228ebae9b6746e93bd51e3ada8
 size 825
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:af453be70b0971f4e4139eec3b669bee3b5195df2d7c28853d3fd4c4006cbb1b
+oid sha256:b29d2ba880077b33ef73932ca13ef88581e66288c4277a610aff9afa3a354b59
-size 1542
+size 1648
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cad2a9da340059b6ba7b84c9646a85f113cb8781d55c0ea5c8aa0422ea632c3c
+oid sha256:950fcd3d9729c215baaa0dddb9434b01f02addca6aa4a4404a8d2ad65ef53598
 size 4154