diff --git a/0567-Fix-booting-with-fips-1-on-SLES-15.patch b/0567-Fix-booting-with-fips-1-on-SLES-15.patch
new file mode 100644
index 0000000..d36c71b
--- /dev/null
+++ b/0567-Fix-booting-with-fips-1-on-SLES-15.patch
@@ -0,0 +1,55 @@
+From c3f2e356ca15c32123334764c014df264d72f149 Mon Sep 17 00:00:00 2001
+From: Daniel Molkentin
+Date: Wed, 25 Apr 2018 18:43:46 +0200
+Subject: [PATCH] Fix booting with fips=1 on SLES 15
+
+Also, add some documentation on how FIPS actually works.
+
+Reference: bsc#1074984
+---
+ modules.d/01fips/module-setup.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 709cfc85..178bae17 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -13,6 +13,12 @@ depends() {
+ # called by dracut
+ installkernel() {
+ local _fipsmodules _mod
++ # The FIPS process requires that crypto primitives should perform a power-up self test. They must not be loaded and
++ # used prior to successful completion. FIPS140-2, section 4.9 mandates that during power-up, crypto algorithms should
++ # perform self tests, displaying an error if any one of them fails.
++
++ # dracut implements this by first compiling a blacklist (provided by the kernel in newer distros) and then
++ # load the modules in that list one by one in a controlled manner, aborting on failure.
+ if [[ -f "${srcmods}/modules.fips" ]]; then
+ _fipsmodules="$(cat "${srcmods}/modules.fips")"
+ else
+@@ -28,6 +34,7 @@ installkernel() {
+ _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
+ _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+ _fipsmodules+="algif_hash af_alg crypto_user "
++ _fipsmodules+="sha3_generic "
+ fi
+
+ mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+@@ -52,10 +59,10 @@ install() {
+ inst_libdir_file \
+ fipscheck .fipscheck.hmac \
+ libfipscheck.so.1 \
+- .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
+- libcrypto.so.1.0.0 libssl.so.1.0.0 \
+- .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
+- .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
++ .libfipscheck.so.1.hmac .libfipscheck.so.1.2.1.hmac \
++ libcrypto.so.1.1 libssl.so.1.1 \
++ .libcrypto.so.1.1.hmac .libssl.so.1.1.hmac \
++ .libcryptsetup.so.12.1.0.hmac .libcryptsetup.so.12.hmac \
+ .libgcrypt.so.20.hmac \
+ libfreeblpriv3.so libfreeblpriv3.chk
+
+--
+2.13.6
+
diff --git a/dracut.changes b/dracut.changes
index b808fc8..53f1215 100644
--- a/dracut.changes
+++ b/dracut.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Apr 25 16:50:06 UTC 2018 - daniel.molkentin@suse.com
+
+- 01fips: fix FIPS mode on SLES 15 (bsc#1074984)
+ * adds 0567-Fix-booting-with-fips-1-on-SLES-15.patch
+
 -------------------------------------------------------------------
 Thu Apr 19 11:51:07 UTC 2018 - daniel.molkentin@suse.com
diff --git a/dracut.spec b/dracut.spec
index bc689a0..04367d3 100644
--- a/dracut.spec
+++ b/dracut.spec
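Review bot: The new comment in installkernel() calls the module list a "blacklist", yet the code directly below it reads modules.fips into _fipsmodules (or falls back to the hard-coded list, now extended with sha3_generic) and the comment's own next sentence says every entry in that list is loaded, so it is a list of modules that must be loaded and self-tested, not blocked; a reader auditing the FIPS boot path would be misled. Suggest `# dracut implements this by first compiling a list of required crypto modules (provided by the kernel in newer distros) and then` followed by `# loading the modules in that list one by one in a controlled manner, aborting on failure.`. The load-and-abort step itself is not in this patch (presumably the module's boot-time hook), so naming that file in the comment would help the next reader find it. installkernel() and install() both continue outside the shown hunks.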
@@ -388,6 +388,8 @@ Patch564: 0564-40network-Always-set-the-gw-variable.patch
 Patch565: 0565-90kernel-modules-Include-Intel-Volume-Management-Dev.patch
 # Patch specific to SUSE, not upstream
 Patch566: 0566-95nfs-If-no-server-is-configured-read-BOOTSERVERADDR.patch
+# Patch specific to SUSE, upstream only documentation
+Patch567: 0567-Fix-booting-with-fips-1-on-SLES-15.patch
 BuildRequires: asciidoc
 BuildRequires: bash
@@ -677,6 +679,7 @@ chmod a+x modules.d/95qeth_rules/module-setup.sh
 %patch564 -p1
 %patch565 -p1
 %patch566 -p1
+%patch567 -p1
 %build
 %configure\