diff --git a/0551-fips-use-lib-modules-uname-r-modules.fips.patch b/0551-fips-use-lib-modules-uname-r-modules.fips.patch
new file mode 100644
index 0000000..7416a8f
--- /dev/null
+++ b/0551-fips-use-lib-modules-uname-r-modules.fips.patch
@@ -0,0 +1,52 @@
+From 2a7f2be7475dfaf5090bbafbbf5b7eb3067eef46 Mon Sep 17 00:00:00 2001
+From: Daniel Molkentin
+Date: Wed, 10 Jan 2018 11:03:22 +0100
+Subject: [PATCH] fips: use /lib/modules/$(uname -r)/modules.fips
+
+if /lib/modules/$(uname -r)/modules.fips exists, use that list instead
+of the hardcoded dracut module list.
+
+Backported from upstream's master branch
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 9e5eca4f..709cfc85 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -13,18 +13,22 @@ depends() {
+ # called by dracut
+ installkernel() {
+ local _fipsmodules _mod
+- _fipsmodules="ansi_cprng arc4 authenc ccm "
+- _fipsmodules+="ctr cts deflate drbg "
+- _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic rmd128 "
+- _fipsmodules+="rmd160 rmd256 rmd320 seed "
+- _fipsmodules+="sha512_generic tcrypt tea wp512 xts "
+- _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 sha512_s390 "
+- _fipsmodules+="gf128mul "
+- _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 camellia_generic camellia_x86_64 pcbc tgr192 anubis "
+- _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic "
+- _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
+- _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+- _fipsmodules+="algif_hash af_alg crypto_user "
++ if [[ -f "${srcmods}/modules.fips" ]]; then
++ _fipsmodules="$(cat "${srcmods}/modules.fips")"
++ else
++ _fipsmodules="ansi_cprng arc4 authenc ccm "
++ _fipsmodules+="ctr cts deflate drbg "
++ _fipsmodules+="ecb fcrypt gcm ghash_generic khazad md4 michael_mic rmd128 "
++ _fipsmodules+="rmd160 rmd256 rmd320 seed "
++ _fipsmodules+="sha512_generic tcrypt tea wp512 xts "
++ _fipsmodules+="aes_s390 des_s390 sha256_s390 ghash_s390 sha1_s390 sha512_s390 "
++ 
_fipsmodules+="gf128mul "
++ _fipsmodules+="cmac vmac xcbc salsa20_generic salsa20_x86_64 camellia_generic camellia_x86_64 pcbc tgr192 anubis "
++ _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic "
++ _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
++ _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
++ _fipsmodules+="algif_hash af_alg crypto_user "
++ fi
+
+ mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+
+-- 
+2.13.6
+
diff --git a/0552-98integrity-support-validating-the-IMA-policy-file-s.patch b/0552-98integrity-support-validating-the-IMA-policy-file-s.patch
new file mode 100644
index 0000000..a6c7ca3
--- /dev/null
+++ b/0552-98integrity-support-validating-the-IMA-policy-file-s.patch
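Review bot: The new `if [[ -f "${srcmods}/modules.fips" ]]` branch takes the file's contents as the whole module list, so a present-but-empty modules.fips yields an empty `_fipsmodules` and the hard-coded fallback list is never reached; testing for a non-empty file, `if [[ -s "${srcmods}/modules.fips" ]]; then`, keeps the fallback for that case. How `_fipsmodules` is consumed is not visible here, so whether a newline-separated file behaves the same as the space-separated literal cannot be confirmed from this hunk. The commit subject names /lib/modules/$(uname -r), while the code reads `${srcmods}`, which presumably follows whatever kernel dracut is building for; a comment on the `if` line stating that the kernel-provided list takes precedence would help. installkernel's body continues outside the hunk.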
@@ -0,0 +1,36 @@
+From d31e03d34cc743c6538f532704ec7fc3bc75a03d Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Thu, 13 Oct 2016 16:49:43 -0400
+Subject: [PATCH] 98integrity: support validating the IMA policy file signature
+
+IMA validates file signatures based on the security.ima xattr. As of
+Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
+the IMA policy pathname can be written, allowing the IMA policy file
+signature to be validated.
+
+This patch first attempts to write the pathname, but on failure falls
+back to cat'ing the IMA policy contents .
+
+Signed-off-by: Stefan Berger
+Signed-off-by: Mimi Zohar
+---
+ modules.d/98integrity/ima-policy-load.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
+index 0061cfff..5460d025 100755
+--- a/modules.d/98integrity/ima-policy-load.sh
++++ b/modules.d/98integrity/ima-policy-load.sh
+@@ -30,7 +30,8 @@ load_ima_policy()
+ # check the existence of the IMA policy file
+ [ -f "${IMAPOLICYPATH}" ] && {
+ info "Loading the provided IMA custom policy";
+- cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
++ echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
++ cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
+ }
+
+ return 0
+--
+2.13.6
+
diff --git a/0553-98integrity-support-loading-x509-into-the-trusted-bu.patch b/0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
new file mode 100644
index 0000000..cf99726
--- /dev/null
+++ b/0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
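Review bot: The `|| cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy` fallback runs whenever the pathname write fails, and the commit message says that write is what lets the kernel validate the policy file's signature; a kernel that rejects the file because its signature does not verify is therefore indistinguishable here from an older kernel that does not accept pathnames, and the raw contents are written with no diagnostic. A log line between the two attempts, e.g. `info "integrity: writing the IMA policy pathname failed, loading the policy contents instead"`, would make that fallback visible in the boot log. Both redirections also leave `${IMASECDIR}/policy` unquoted while `${IMAPOLICYPATH}` is now quoted; quoting it keeps the two lines consistent. load_ima_policy's body continues outside the hunk.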
@@ -0,0 +1,58 @@
+From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Wed, 24 Jan 2018 16:58:15 +0100
+Subject: [PATCH 1/2] 98integrity: support loading x509 into the
+ trusted/builtin .evm keyring
+
+This implements logic analogous to the one already implemented in
+ima-keys-load.sh, only for the .evm/_evm keyrings.
+
+If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
+initially creates and configures .ima and .evm keyrings. These keyrings
+only accept x509 certificates that have been signed by a local CA which
+belongs to the kernel builtin trusted keyring.
+
+Thus if such a keyring is already present then additional evm keys
+should be loaded into them. If this is not the case then the _evm
+keyring needs to be created in userspace and keys will be loaded into
+it instead.
+
+Before this change dracut always created the _evm keyring and loaded
+keys into it without considering an existing .evm keyring. In case of
+CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
+used by the kernel, however, and EVM digital signatures will not work as
+expected.
+---
+ modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
+index ec4f03bc..a3ba59fd 100755
+--- a/modules.d/98integrity/evm-enable.sh
++++ b/modules.d/98integrity/evm-enable.sh
+@@ -76,8 +76,21 @@ load_evm_x509()
+ return 1
+ fi
+
++ local evm_pubid
++ local line=$(keyctl describe %keyring:.evm)
++ if [ $? 
-eq 0 ]; then
++ # the kernel already setup a trusted .evm keyring so use that one
++ evm_pubid=${line%%:*}
++ else
++ # look for an existing regular keyring
++ evm_pubid=`keyctl search @u keyring _evm`
++ if [ -z "${evm_pubid}" ]; then
++ # create a new regular _evm keyring
++ evm_pubid=`keyctl newring _evm @u`
++ fi
++ fi
++
+ # load the EVM public key onto the EVM keyring
+- evm_pubid=`keyctl newring _evm @u`
+ EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
+ [ $? -eq 0 ] || {
+ info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
+--
+2.13.6
+
diff --git a/0554-98integrity-support-X.509-only-EVM-configuration.patch b/0554-98integrity-support-X.509-only-EVM-configuration.patch
new file mode 100644
index 0000000..e96c77f
--- /dev/null
+++ b/0554-98integrity-support-X.509-only-EVM-configuration.patch
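Review bot: `local line=$(keyctl describe %keyring:.evm)` followed by `if [ $? -eq 0 ]` tests the exit status of `local`, which is 0, not the status of keyctl, so the .evm branch is taken even when that keyring does not exist; `line` is then empty, `evm_pubid=${line%%:*}` is empty, the `_evm` search/create fallback is never reached, and `evmctl import ${EVMX509PATH} ${evm_pubid}` runs with no keyring argument. Declaring and testing separately fixes it: `local line` on its own line, then `if line=$(keyctl describe %keyring:.evm); then`. As a point of style, the new lines mix `$(...)` with backticks for the two keyctl calls in the else branch; `$(...)` throughout would match the `EVMX509ID=$(...)` line below. load_evm_x509's body continues outside the hunk.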
@@ -0,0 +1,46 @@
+From 16d52f692c2add82f54f712a7fc60885536dc39a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Wed, 24 Jan 2018 17:19:03 +0100
+Subject: [PATCH 2/2] 98integrity: support X.509-only EVM configuration
+
+Previously if no symmetric key was configured for EVM, then the
+initialization process was aborted. It can be a valid use case, however,
+to only use EVM digital signatures. In this case only X.509 certificates
+need to be loaded.
+
+With this change EVM initialization will continue if any of the
+symmetric or X.509 keys could be loaded.
+---
+ modules.d/98integrity/evm-enable.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
+index a3ba59fd..5a92b598 100755
+--- a/modules.d/98integrity/evm-enable.sh
++++ b/modules.d/98integrity/evm-enable.sh
+@@ -125,11 +125,18 @@ enable_evm()
+ return 0
+ fi
+
+- # load the EVM encrypted key
+- load_evm_key || return 1
++ local evm_configured
++
++ # try to load the EVM encrypted key
++ load_evm_key && evm_configured=1
++
++ # try to load the EVM public key
++ load_evm_x509 && evm_configured=1
+
+- # load the EVM public key, if it exists
+- load_evm_x509
++ # only enable EVM if a key or x509 certificate could be loaded
++ if [ -z "$evm_configured" ]; then
++ return 1
++ fi
+
+ # initialize EVM
+ info "Enabling EVM"
+--
+2.13.6
+
diff --git a/dracut.changes b/dracut.changes
index 40e72c6..12bd375 100644
--- a/dracut.changes
+++ b/dracut.changes
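Review bot: With `load_evm_key && evm_configured=1` a failing symmetric-key load is no longer reported by enable_evm as long as `load_evm_x509` succeeds; if load_evm_key returns non-zero both when no key is configured and when a configured key fails to load (its body is not visible here), a misconfigured HMAC key is now silently masked by a working X.509 setup. A short `info` line in that failure path, or a distinct return value from load_evm_key for "nothing configured", would keep the two cases apart in the boot log. `local evm_configured` is left unset and later tested with `-z`; initialising it explicitly, `local evm_configured=`, states that intent. enable_evm's body continues outside the hunk.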
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu Jan 25 09:19:05 UTC 2018 - daniel.molkentin@suse.com
+
+- support validating the IMA policy file signature, needed since Kernel 4.7
+ * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch
+
+- IMA: improve support for evm key loading (bsc#1077359, fate#323906)
+ * Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
+ * Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch
+
+- FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070)
+
+- Added a few more patch annotations
+
+-------------------------------------------------------------------
+Fri Jan 19 15:29:15 UTC 2018 - daniel.molkentin@suse.com
+
+- Fix typo for ima dependency (evmtcl vs evmctl) (bsc#1073466)
+
+- Updated Patch annotation regarding their upstream state
+
+-------------------------------------------------------------------
+Wed Jan 10 11:25:13 UTC 2018 - daniel.molkentin@suse.com
+
+- FIPS: Try to fetch list of fips modules from the kernel's modules dir (bsc#1074984)
+ * Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch
+
+- Annotated patches regarding their upstream state
+
+-------------------------------------------------------------------
+Tue Jan 9 08:08:01 UTC 2018 - daniel.molkentin@suse.com
+
+- dracut-ima requires evmctl and keyutils (bsc#1073466)
+
 -------------------------------------------------------------------
 Fri Dec 15 12:51:39 UTC 2017 - daniel.molkentin@suse.com
diff --git a/dracut.spec b/dracut.spec
index e00beb1..04cc799 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package dracut
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@ Source6: dracut-installkernel
 Source7: 99-debug.conf
 Source8: s390x_persistent_device.conf
-#Network:
+# Network, none are upstream yet:
 Patch12: 0012-40network-Fix-race-condition-when-wait-for-networks.patch
 Patch13: 0013-40network-always-start-netroot-in-ifup.sh.patch
 Patch15: 0015-40network-replace-dhclient-with-wickedd-dhcp-supplic.patch
@@ -59,33 +59,61 @@ Patch169: 0169-network_set_mtu_macaddr_for_dhcp.patch
 Patch170: 0170-iscsi-skip-ibft-invalid-dhcp.patch
 #S390
+# Applied upstream as 55c763b1ff37405da390ab1ef5765683f3a7838e
 Patch16: 0016-Add-new-s390x-specific-rule-files.patch
+# Submitted to upstream as d43cccf5885a84d688a3b526d5fc57865369da57
 Patch21: 0021-95dcssblk-Add-new-module-for-DCSS-block-devices.patch
+# Submitted to upstream as d0c97fdf4c33bb422f0a13a8752751d3054de143
 Patch56: 0056-81cio_ignore-handle-cio_ignore-commandline.patch
+# Applied upstream as 856d039ba4716ba080fc8d823b3329a4470a60ef
 Patch75: 0075-95dasd_rules-enable-parsing-of-rd.dasd-commandline-p.patch
+# Applied upstream as 5d1ea2d72616ec7ed9cf5e1f3bc99d7d5bc4f003
 Patch76: 0076-Correctly-set-cio_ignore-for-dynamic-s390-rules.patch
+# Applied upstream as e5d21b80c054235114c4167e0bf7769aa698b4d4
 Patch79: 0079-95dasd_rules-fixup-rd.dasd-parsing.patch
+# Applied upstream as 13626413107b67ab493ccfc4f6a1c6bef228a74e
 Patch80: 0080-95dasd_rules-print-out-rd.dasd-commandline.patch
+# Applied upstream as 6f1b5c0dabe57259d7e67ab9b643b11b70deb388
 Patch81: 0081-95dasd_mod-do-not-set-module-parameters-if-dasd_cio_.patch
+# Applied upstream as 9be4be7aa72af312c6b0588ddb008da7632612bc
 Patch83: 0083-95zfcp_rules-Fixup-rd.zfcp-parsing.patch
+# Applied upstream as 624f173cbd49b7389577aac10a887f16d4f89b7a
 Patch85: 0085-95zfcp_rules-print-out-rd.zfcp-commandline-parameter.patch
+# Applied upstream as c8e531239bf314ae532ca1bc820285250a3b35d7
 Patch86: 0086-95zfcp_rules-Auto-generate-udev-rule-for-ipl-device.patch
+# Applied upstream as bd355f8643555762acf02c6dd6179b683cd0a6aa
 Patch87: 0087-95dasd_rules-Auto-generate-udev-rule-for-ipl-device.patch
+# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2
 Patch88: 0088-91zipl-Add-new-module-to-update-s390x-configuration.patch
+# Applied upstream as 2600b54c187e5668f5b55d5d73f49e99c7b33212
 Patch107: 0107-Fixup-typo-firmare-instead-of-firmware.patch
+# Submitted to upstream as 
73f89bbadbd61ffb4cb485e11b630571185b7ef2
 Patch108: 0108-91zipl-Store-commandline-correctly.patch
+# Applied upstream as 05bf32097201c24c56dc6bb7a59a428293247d61
 Patch109: 0109-95dasd_rules-Store-all-devices-in-commandline.patch
+# Applied upstream as 3a8ba440265696ce1279dc12eb5a7acda14c1712
 Patch110: 0110-95zfcp_rules-Store-all-devices-in-commandline.patch
+# Submitted to upstream as d118e9d94050ea65cb4514dda5fda10ef30275fe
 Patch113: 0113-91zipl-Install-script-as-executable.patch
+# Submitted to upstream as 403f2c3e1dbb681c27b1279b9d023449cfc6d007
 Patch114: 0114-91zipl-Translate-ext2-3-into-ext4.patch
+# TODO: Apply upstream, already incorporated where original patches have been upstreamed
 Patch116: 0116-Mark-scripts-as-executable.patch
+# Applied upstream as cf9c8c5fe3fdb899b57c25867bf54b74adc3272f
 Patch117: 0117-95dasd_rules-Enable-the-device-before-checking-devic.patch
+# Applied upstream as 5e7bbe43a349a9d3ef0300c61f62a49a2e44c0a0
 Patch118: 0118-95zfcp_rules-Enable-the-device-before-checking-devic.patch
+# Applied upstream as 5f923256e33893bead8233852a741a4b0036f709
 Patch123: 0123-95zfcp_rules-fix-typo-in-module_setup.patch
+# Submitted to upstream as 33260dac6e0980da2d6577a29d83644b6637745c
 Patch157: 0157-Add-boot-zipl-to-host-devs-if-it-is-a-mount-point.patch
+# Submitted to upstream as 8bae047a4e096e69a34c520dae15458e210eecdb
 Patch160: 0160-s390-update_active_devices_initrd.patch
+# Applied upstream as c8aa1d949aecaf146b0a0e1ce269f69e6048dc5a
 Patch161: 0161-95zfcp_rules-simplified-rd.zfcp-commandline-for-NPIV.patch
+# Applied upstream as e5bf1cecd635897e5f2c8ae373494d33af3b1996
 Patch188: 0188-95dasd_rules-Install-collect-udev-helper-binary.patch
+# TODO: Apply upstream (??)
 Patch506: 0506-Boot-on-s390x-with-fips-1-on-the-kernel-commnad-line.patch
 #FIPS
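Review bot: The annotation added above Patch108, `# Submitted to upstream as 73f89bbadbd61ffb4cb485e11b630571185b7ef2`, repeats the id given for Patch88 a few lines earlier; if both 91zipl patches were really submitted as one upstream commit the comment should say so (`# Submitted to upstream together with Patch88 as …`), otherwise one of the two ids is likely a copy-paste slip. The same pattern appears in the later hunk of this file, where `fd13d5d4d50dd837be393c4b7dc1859237f6daac` is annotated on both Patch517 and Patch550; both pairs are worth verifying before the annotations are relied on to drop patches.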
@@ -99,25 +127,35 @@ Patch509: 0509-01fips-Remove-zlib-module-as-requirement.patch
 Patch510: 0510-01fips-Some-modules-use-separators-other-than.patch
 Patch511: 0511-01fips-ensure-fips-initialization-succeeds-on-s390-x.patch
-# Others
+# Others, partly SUSE specific. Not submitted unless annotated otherwise
+
+# Submitted to upstream as 7ce2872be28a5463757651cc30049c3f4e81559a
 Patch20: 0020-00warpclock-Set-correct-timezone.patch
 Patch58: 0058-dracut-add-warning-when-including-unsupported-module.patch
 Patch59: 0059-99suse-Add-SUSE-specific-initrd-parsing.patch
+# TODO: This should not be a patch, but be removed in the install section
 Patch90: 0090-dracut-caps-Remove-whole-caps-module.patch
 Patch91: 0091-dracut-biosdevname-In-SUSE-biosdevname-package-is-in.patch
 Patch121: 0121-Adjust-initramfs-kernel.img-to-SUSE-default-initrd-k.patch
 Patch130: 0130-nfs-Always-add-all-kernel-modules-for-kdump.patch
+# Applied upstream as c3b6970394ad677f05a42bef420bf34b1d0652e0
 Patch144: 0144-90crypt-Fixed-crypttab_contains-to-also-work-with-de.patch
 Patch150: 0150-Find-kernel-modules-in-extra-and-weak-updates-path-a.patch
 Patch158: 0158-Add-SUSE-kernel-module-dependencies-in-etc-modprobe.patch
 Patch163: 0163-Install-etc-sysconfig-console-to-see-specific-fonts.patch
+# TODO: Verify: Should be obsolete due to fixes in systemd
 Patch164: 0164-Fix-initramfs-ver.img-vs-initrd-ver-in-dracut-initra.patch
+# Submitted as a check to upstream as 446654703742e6c1d7b1134a7d73b2bf7ce20cda
 Patch168: 0168-remove_plymouth_logo_file.patch
+# Applied upstream as 251afd36b2be35b7b27011b6f90b5ab3bbbbff84
 Patch180: 0180-i18n_add_correct_fontmaps.patch
+# Applied upstream as dcacd2b072c301a51c114256e8bb696346879a2b
 Patch182: 0182-fix-include-parsing.patch
+# Applied upstream as d53bb5c01737270049fde82559ae72aae1943b81
 Patch183: 0183-fix_add_drivers_hang.patch
 # iscsiadm
+# TODO: Apply all patches in this section upstream
 Patch190: 0190-replace-iscsistart-with-systemd-service-files.patch
 Patch191: 
0191-static_network_setup_return_zero.patch
 Patch192: 0192-iscsi_set_boot_protocol_from_ifcfg.patch
@@ -128,31 +166,58 @@ Patch198: 0198-95iscsi-set-rd.iscsi.firmware-for-qla4xxx-sessions.patch
 Patch199: 0199-rd-iscsi-waitnet-default-false.patch
 # Submit mainline asap
+
+# Applied upstream as 5c84d51b3f258af9035a4031c6b482103adea4d9
 Patch128: 0128-90lvm-Install-dm-snapshot-module.patch
+# Applied upstream as d12ce1da8551c065616f81f158b6425b20ee191c
 Patch200: 0200-dracut_fix_multipath_without_config.patch
+# Applied upstream as f5c10673de18d84f3b054df9a68ffa8d43f9571c
 Patch201: 0201-fix_nfs_with_ip_instead_of_hostname.patch
+# TODO: Apply upstream
 Patch202: 0202-dracut_dmraid_use_udev.patch
+# TODO: Check if still an issue with C-style insmod logic
 Patch203: 0203-no-fail-builtin-module.patch
+# Applied upstream as 51d2436c22d64e45376c64ad3b6c90c48cc88d78
 Patch204: 0204-mkinitrd-fix-monster.patch
+# TODO: Apply upstream
 Patch205: 0205-mdraid_ignore_hostonly.patch
+# Applied upstream as 8602e5986702f6118f8b30f1053a45af1df892bd
 Patch206: 0206-nfs_dns_alias.patch
+# Applied upstream as 43819af68c7789ec932c25e699c56889fdf7276c
 Patch207: 0207-handle_module_aliases.patch
+# TODO: Possibly made redundant by changes done by upstream
 Patch208: 0208-no_forced_virtnet.patch
+# Applied upstream as 9fd3e045d5b41ba5cf9fb0c51db9750ce0e530d8
 Patch209: 0209-fix_modules_load_d_hostonly.patch
+# Applied upstream as 22836a092191c1abc0e04e4c6d68856f2603d6e8
 Patch210: 0210-add_fcoe_uefi_check.patch
+# Applied upstream as 6b96b50d2cd92d6598240e6061a81b29b889ecdd
 Patch212: 0212-fcoe_reorder_init_path.patch
+# Applied upstream as 18729719a7091c35ffe377b21b860a60a352def8
 Patch213: 0213-Fix-wrong-keymap-inclusion.patch
+# Applied upstream as d066fcc3fb9080ffff412c8dc5177ca1dcc08e75
 Patch214: 0214-95fcoe-Do-not-overwrite-FCoE-configuration.patch
+# Applied upstream as 1279a9e1a0a28107e0a240ab344f700b465c96b3 by upstream
 Patch215: 0215-95fcoe-Do-not-complain-about-missing-etc-hba.conf.patch
+# Applied upstream as d71c9ee286def5d1a5e90f549b65e21d0f18c9ac
 Patch216: 
0216-95fcoe-silence-lldpad-warnings.patch
+# Applied upstream as c75196e11ec4325fc76bb11aeb884ceade62df48
 Patch217: 0217-95fcoe-Allow-to-specify-the-FCoE-mode-via-the-fcoe-p.patch
+# Probably not upstreamable?
 Patch218: 0218-40network-allow-persistent-interface-names.patch
+# Applied upstream as 164760f4b075ff564c349cb40d1fa308c139432d
 Patch219: 0219-95fcoe-use-interface-names-instead-of-MAC-addresses.patch
+# Applied upstream as 2aac3194100b903740bb9057aed71a35ce92a2e3
 Patch220: 0220-95fcoe-always-set-AUTO_VLAN-for-fcoemon.patch
+# Applied upstream as a3f91db4768451a10fbbc3e28270c29e1368df6c
 Patch221: 0221-95fcoe-Add-shutdown-script.patch
+# Applied upstream as 07e635748342aa70a76bc1a2237339f6a897d841
 Patch222: 0222-90dm-Fixup-shutdown-script.patch
+# Applied upstream as 870591acec41e854071129e7bf834cdfe43ae716
 Patch223: 0223-90dm-fixup-dependency-cycle-between-MD-and-DM-shutdo.patch
+# TODO: Apply upstream
 Patch224: 0224-95iscsi-setup-bnx2i-offload-connections-properly.patch
+# Applied upstream as part of 36a8b2e3058518255dbd39e33bf2c72b7889cfae
 Patch225: 0225-95fcoe-do-not-start-fcoemon-twice.patch
 # SUSE-specific fixes
@@ -173,68 +238,130 @@ Patch313: 0313-90mdraid-Use-stock-MD-rules-to-assemble-RAID-arrays.patch
 Patch314: 0314-nfs_do_not_pass_ifname_for_bonding_devices.patch
 # New features/improvements
+# TODO: Apply upstream
 Patch402: 0402-driver-fail-summary.patch
+# Applied upstream as 10f06425a597ca797b8efbf45e8838c4d30651e9
 Patch403: 0403-95lunmask-Add-module-to-handle-LUN-masking.patch
+# Applied upstream as 1f8a7ae799effed1e57033167beca4281389391c
 Patch404: 0404-dracut-emergency-optionally-print-fs-help.patch
 # Workarounds/Patches no longer relevant in 045
 Patch450: 0450-Strip-NUL-bytes-in-stream-before-push-in-string.patch
+# Patch from upstream: d4efc0aeeecc470d9a267b7f3c130f472488905c
 Patch451: 0451-systemd-initrd-add-initrd-root-device.target.patch
+# Applied upstream as 9ffab3f3a5105691b4b640649c3a99e3cce39c1a
 Patch452: 0452-Always-try-to-add-pinctrl-cherryview.patch
+# Applied upstream as 7957bd01b097507a601495ed7cd2c8480c2af67b
 Patch453: 0453-Resolve-symbolic-links-for-i-and-k-parameters-bsc-90.patch
+# Applied upstream as e69da98de1a4175fb3c745570471fc3a7d567a33
 Patch454: 0454-Add-md4-and-arc4-modules-for-ntlm.patch
 # On top patches/fixes which have to be applied late
+# Applied upstream as 8b0791fa010cf7e5fde3a37a8c2bb6d6f1264f59
 Patch500: 0500-Reset-IFS-variable.patch
+# Applied upstream as e0c3b0793f92c24d442f543a755aed8cc218ab20
 Patch501: 0501-dasd_fix_ssid_bigger_zero.patch
+# TODO: Apply upstream
 Patch502: 0502-persistent_device_policy_param_enhance.patch
+# Applied upstream as 0db98910a11c12a454eac4c8e86dc7a7bbc764a4
 Patch503: 0503-dracut.sh-create-the-initramfs-non-world-readable-al.patch
+# TODO: Apply upstream
 Patch504: 0504-ibft-fix-boot-flag-check.patch
+# Applied upstream as f1c790495baa017ec48b266a33b0dd558e760dde
 Patch505: 0505-Allow-booting-from-degraded-MD-RAID-arrays.patch
+# Applied upstream as 649619f6a5775d1c94d9c4f3fec627c747633275
 Patch507: 0507-Set-TaskMax-inifinite-for-the-emergency-shell.patch
+# Applied upstream as 
8008d47fafcecd27c456215e910be33a23546519
 Patch508: 0508-90multipath-start-before-local-fs-pre.target.patch
+# Applied upstream as 8b6d136e625cb538f8845e858b37e9f6c67a5f1c
 Patch512: 0512-Make-binutils-optional-when-elfutils-are-available.patch
+# TODO: Apply upstream
 Patch513: 0513-Fix-regression-caused-by-6f9bf2b8ac436259bdccb110545.patch
+# Applied upstream as 4a739be99c409719e76078ece55e7ba3c817b054
 Patch514: 0514-man-make-the-k-option-clear-using-mkinitrd.patch
+# Reverted later. Do not submit!
 Patch515: 0515-90kernel-modules-also-add-block-device-driver-revers.patch
+# Applied upstream as 7cf2c21798b537a5553ecc23df5ce8cfda631e9c
 Patch516: 0516-mkinitrd-suse.sh-Fix-prefix-calculation.patch
+# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac
 Patch517: 0517-95fcoe-fixup-fcoe-genrules.sh-for-VN2VN-mode.patch
+# Fixed more generically in upstream as feaaee4278077dd67fe24acebfbe47ba20738955
 Patch518: 0518-90kernel-modules-Fix-backlight-on-Cherrytrail-device.patch
+# TODO: Apply upstream if correct
 Patch519: 0519-90kernel-modules-Ensure-phy-drivers-are-loaded-in-in.patch
+# TODO: Check if still relevant and apply upstream
 Patch520: 0520-Ignore-module-resolution-errors.patch
+# TODO: Apply upstream
 Patch521: 0521-Ensure-udev-persistent-storage-compat-rules-get-crea.patch
+# TODO: belongs with FIPS commits
 Patch522: 0522-Fix-typo-from-commit-3f1cdb520.patch
+# Applied upstream as e3189ab1235748cda136b564668b697d1c87847b
 Patch523: 0523-98dracut-systemd-Fix-module-force-loading-with-syste.patch
+# Fixes SUSE Patch
 Patch524: 0524-Suppress-nonsensical-error-message-bsc-1032029.patch
+# Applied from upstream commit 106255afd46ea2be1d035aca0c5695186a3f2c41
 Patch525: 0525-backport-bail-out-if-module-directory-does-not-exist.patch
+# TODO: apply upstream
 Patch526: 0526-iscsiroot-call-handle_firmware-only-for-non-iface-in.patch
+# TODO: belongs with FIPS commits
 Patch527: 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch
+# TODO: apply upstream 
Patch528: 0528-Ensure-dracut.sh-responds-properly-to-hostonly_cmdli.patch
+# Applied from upstream commit 8261d2367ee673e24d03306b9623f4f3070dae5b
 Patch529: 0529-systemd-add-missing-.slice-unit.patch
+# Applied from upstream commit eddca3c9c24e4cb9c5def0b98920e36b16fafaac
 Patch530: 0530-dracut-systemd-dracut-cmdline-ask-fix-dracut-kernel-.patch
+# Applied from upstream commit c000a21c25bd436f2b3cc2076cb7025cc82d2807
 Patch531: 0531-dracut-systemd-.service-conflict-with-shutdown-targe.patch
+# Do not submit, reverts bogus patch
 Patch532: 0532-List-drivers-rather-than-looking-for-reverse-depende.patch
+# TODO: check if still relevant
 Patch533: 0533-instmods-check-modules.builtin-in-srcmods.patch
+# Applied upstream as 348935e3b65b5058e65f66682df6a5b184eaacb2
 Patch534: 0534-ssh-client-Include-nss_-libraries.patch
+# Applied upstream as e316ae0e4309726b2c067a70ac41f7b22011c063
 Patch535: 0535-Sync-initramfs-after-creation.patch
+# TODO: apply upstream
 Patch536: 0536-90multipath-drop-67-kpartx-compat.rules.patch
+# TODO: check how to submit upstream
 Patch537: 0537-dracut-init.sh-ignore-crc32.ko-in-builtin-test.patch
+# Applied upstream as afe4e2844ffa7c06160434430f0ce9e493c112e0
 Patch538: 0538-Enable-core-dumps-with-systemd-from-initrd.patch
+# Not eligable for submit, unless specfile gets submitted
 Patch539: 0539-Add-IMA-functionality-fate-323289.patch
+# Applied from upstream commit 551cc3694e32be97084b1f198f76f4daf908d503
 Patch540: 0540-Check-the-proper-variable-for-a-custom-IMA-keys-dire.patch
 # SLE and Leap have persistent net names, but not Factory/TW
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} && ! 
0%{?sle_version}
+# TODO: Unsure if this can be sumbmitted
 Patch541: 0541-Make-sure-70-persistent-net.rules-is-included-in-ini.patch
 %endif
+# Applied upstream as 9f2916cce13d584610295e001394274e823c3f15
 Patch542: 0542-Include-crc32c-intel-module-when-using-btrfs.patch
+# Applied upstream as b36d322bd2ccb6ef4eb31384c86a75572184bba1
 Patch543: 0543-Remove-00systemd-bootchart.patch
+# TODO: Check if still relevant
 Patch544: 0544-40network-Make-ip-dhcp-work.patch
+# More generic fix upstream
 Patch545: 0545-Add-early-microcode-support-for-AMD-family-16h.patch
+# More generic fix upstream
 Patch546: 0546-Support-Microcode-Updates-for-AMD-CPU-Family-0x17.patch
+# Applied upstream as df96cccc8f562f8aeab7c09248c204f21ed42c4a
 Patch547: 0547-Fix-task-limit-in-emergency.service-the-same-change-.patch
+# Applied upstream as 36a8b2e3058518255dbd39e33bf2c72b7889cfae
 Patch548: 0548-95fcoe-Switch-back-to-using-fipvlan-for-bnx2fc.patch
+# Same patch applied by upstream: 3966a1e1ee0e3d27197258f446f54b683c415208
 Patch549: 0549-fcoe-up-Increase-sleeptime-to-13s.patch
+# Applied upstream as fd13d5d4d50dd837be393c4b7dc1859237f6daac
 Patch550: 0550-95fcoe-add-timeout-initqueue-entries.patch
+# Patch adopted from upstream commit 7c29d205f4bfb465f1618fdb8984798522c8eb4a
+Patch551: 0551-fips-use-lib-modules-uname-r-modules.fips.patch
+# Patch adopted from upstream commit 479b5cd94f16052cf6ea28d0e8abba2b926fff83
+Patch552: 0552-98integrity-support-validating-the-IMA-policy-file-s.patch
+# Patch submitted to upstream as 9e451d4770ec3a98816fcf97fdd745d6af135336
+Patch553: 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch
+# Patch submitted to upstream as cb2c9a4338ddc15d55c6c524276a1807bec23485
+Patch554: 0554-98integrity-support-X.509-only-EVM-configuration.patch
 BuildRequires: asciidoc
 BuildRequires: bash
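Review bot: The added comment `# TODO: Unsure if this can be sumbmitted` has a typo; `submitted`. The annotations for the four new patches cite upstream ids (`7c29d205…`, `479b5cd9…`, `9e451d47…`, `cb2c9a43…`) that differ from the `From` ids inside the added patch files (`2a7f2be7…`, `d31e03d3…`, `266d28ad…`, `16d52f69…`); that is normal for backports re-committed locally, but since the other comments in this section use "Applied upstream as <id>" to mean the patch can be dropped on rebase, a wording such as `# Backport of upstream commit 7c29d205f4bfb465f1618fdb8984798522c8eb4a` would make the relationship unambiguous for the next maintainer.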
@@ -282,7 +409,7 @@ Group: System/Base
 Requires(post): coreutils
 Requires: %{name} = %{version}-%{release}
 Requires: fipscheck
-Requires: libcryptsetup4-hmac
+Requires: libcryptsetup12-hmac
 Requires: libgcrypt20-hmac
 Requires: libkcapi-tools
@@ -295,6 +422,8 @@ and its cryptography during startup.
 Summary: Dracut modules to build a dracut initramfs with IMA
 Group: System/Base
 Requires: %{name} = %{version}-%{release}
+Requires: evmctl
+Requires: keyutils
 %description ima
 This package requires everything which is needed to build an
@@ -505,6 +634,10 @@ chmod a+x modules.d/91zipl/install_zipl_cmdline.sh
 %patch548 -p1
 %patch549 -p1
 %patch550 -p1
+%patch551 -p1
+%patch552 -p1
+%patch553 -p1
+%patch554 -p1
 %build
 %configure\