Accepting request 601124 from Base:System

- 01fips: fix FIPS mode on SLES 15 (bsc#1074984)
  * adds 0567-Fix-booting-with-fips-1-on-SLES-15.patch (forwarded request 601123 from dmolkentin)

OBS-URL: https://build.opensuse.org/request/show/601124
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dracut?expand=0&rev=125

0567-Fix-booting-with-fips-1-on-SLES-15.patch

@@ -0,0 +1,55 @@
+From c3f2e356ca15c32123334764c014df264d72f149 Mon Sep 17 00:00:00 2001
+From: Daniel Molkentin <dmolkentin@suse.com>
+Date: Wed, 25 Apr 2018 18:43:46 +0200
+Subject: [PATCH] Fix booting with fips=1 on SLES 15
+
+Also, add some documentation on how FIPS actually works.
+
+Reference: bsc#1074984
+---
+ modules.d/01fips/module-setup.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 709cfc85..178bae17 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -13,6 +13,12 @@ depends() {
+ # called by dracut
+ installkernel() {
+     local _fipsmodules _mod
++    # The FIPS process requires that crypto primitives should perform a power-up self test. They must not be loaded and
++    # used prior to successful completion. FIPS140-2, section 4.9 mandates that during power-up, crypto algorithms should
++    # perform self tests, displaying an error if any one of them fails.
++
++    # dracut implements this by first compiling a blacklist (provided by the kernel in newer distros) and then
++    # load the modules in that list one by one in a controlled manner, aborting on failure.
+     if [[ -f "${srcmods}/modules.fips" ]]; then
+         _fipsmodules="$(cat "${srcmods}/modules.fips")"
+     else
+@@ -28,6 +34,7 @@ installkernel() {
+         _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
+         _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+         _fipsmodules+="algif_hash af_alg crypto_user "
++        _fipsmodules+="sha3_generic "
+     fi
+ 
+     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+@@ -52,10 +59,10 @@ install() {
+     inst_libdir_file \
+         fipscheck .fipscheck.hmac \
+          libfipscheck.so.1 \
+-        .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
+-         libcrypto.so.1.0.0       libssl.so.1.0.0 \
+-        .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
+-        .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
++        .libfipscheck.so.1.hmac .libfipscheck.so.1.2.1.hmac \
++         libcrypto.so.1.1       libssl.so.1.1 \
++        .libcrypto.so.1.1.hmac .libssl.so.1.1.hmac \
++        .libcryptsetup.so.12.1.0.hmac .libcryptsetup.so.12.hmac \
+         .libgcrypt.so.20.hmac \
+         libfreeblpriv3.so libfreeblpriv3.chk
+ 
+-- 
+2.13.6
+

dracut.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Apr 25 16:50:06 UTC 2018 - daniel.molkentin@suse.com
+
+- 01fips: fix FIPS mode on SLES 15 (bsc#1074984)
+  * adds 0567-Fix-booting-with-fips-1-on-SLES-15.patch
+
 -------------------------------------------------------------------
 Thu Apr 19 11:51:07 UTC 2018 - daniel.molkentin@suse.com
 

dracut.spec

@@ -388,6 +388,8 @@ Patch564:       0564-40network-Always-set-the-gw-variable.patch
 Patch565:       0565-90kernel-modules-Include-Intel-Volume-Management-Dev.patch
 # Patch specific to SUSE, not upstream
 Patch566:       0566-95nfs-If-no-server-is-configured-read-BOOTSERVERADDR.patch
+# Patch specific to SUSE, upstream only documentation
+Patch567:       0567-Fix-booting-with-fips-1-on-SLES-15.patch
 
 BuildRequires:  asciidoc
 BuildRequires:  bash
@@ -677,6 +679,7 @@ chmod a+x modules.d/95qeth_rules/module-setup.sh
 %patch564 -p1
 %patch565 -p1
 %patch566 -p1
+%patch567 -p1
 
 %build
 %configure\