- Allow multiple configurations per network interface (bnc#887906) Add 0133-Allow-multiple-configurations-per-network-interface-.patch - Remove bootdev warning (bnc#881112) Add 0134-Remove-bootdev-warning-bnc-881112.patch - check for existance of 69-dm-lvm-metad.rules in modules_setup.sh, lvm module (bnc#891791) Add 0135-lvm-Fix-12819a579900b9691e2-check-for-existance-of-6.patch - Moved persistent network rule revert to another file (was not in github): Delete: 0133-Remove-70-persistent-net.rules.patch Add: 0136-Revert-95udev-rules-add-persistent-network-rule.patch - dracut-use-fipscheck-openssl.patch: Switch from Mozilla NSS sha256hmac checking to fipscheck as recommended Add: 0137-Switch-from-Mozilla-NSS-sha256hmac-checking-to-fipsc.patch - warpclock: Do not use warpclock module on S390(x), hwclock does not exist there (bnc#884513) Add 0138-warpclock-Do-not-use-warpclock-module-on-S390-x-hwcl.patch OBS-URL: https://build.opensuse.org/request/show/244813 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=178
From 6a85f188d671723ad76bb729307c12e89199b7bd Mon Sep 17 00:00:00 2001
|
|
From: Marcus Meissner <meissner@suse.com>
|
|
Date: Thu, 14 Aug 2014 16:13:55 +0200
|
|
Subject: Switch from Mozilla NSS sha256hmac checking to fipscheck as
|
|
recommended
|
|
|
|
Signed-off-by: Thomas Renninger <trenn@suse.de>
|
|
---
|
|
modules.d/01fips/fips.sh | 6 ++----
|
|
modules.d/01fips/module-setup.sh | 13 +++++++------
|
|
2 files changed, 9 insertions(+), 10 deletions(-)
|
|
|
|
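diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 07bd1da..19a2d8e 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -61,9 +61,7 @@ do_rhevh_check()
 kpath=${1}
 
 # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
- HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done)
- HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1)
- if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
+ if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
 warn "HMAC sum mismatch"
 return 1
 fi
@@ -128,7 +126,7 @@ do_fips()
 elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
 do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
 else
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+ fipscheck "/boot/vmlinuz-${KERNEL}" || return 1
 fi
 
 info "All initrd crypto checks done"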
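Review bot: The new test in do_rhevh_check is inverted: `if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then` takes the "HMAC sum mismatch" / `return 1` branch when fipscheck exits 0 (verification succeeded) and falls through as verified when it exits non-zero, so a kernel with a wrong or missing HMAC would pass this integrity gate while a good one is rejected. It should read `if ! fipscheck "$NEWROOT/boot/vmlinuz-${KERNEL}"; then`, with the path quoted. The line also no longer uses `kpath`, so the image the caller passes in (`/run/initramfs/live/isolinux/vmlinuz0` in the do_fips hunk) does not appear to be the file that gets verified any more; please confirm that is intended, or check `"$kpath"` instead. The do_fips line `fipscheck "/boot/vmlinuz-${KERNEL}" || return 1` has the polarity right. Both function bodies continue outside the hunks shown.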
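diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 8437e56..009b2ca 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -23,7 +23,7 @@ installkernel() {
 _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 "
 _fipsmodules+="ghash-clmulni-intel "
 
- _fipsmodules+="drbg "
+ _fipsmodules+="drbg"
 
 mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
@@ -42,15 +42,16 @@ install() {
 inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
 inst_script "$moddir/fips.sh" /sbin/fips.sh
 
- inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck
+ inst_multiple rmmod insmod mount uname umount fipscheck strace
 
- inst_libdir_file libsoftokn3.so libsoftokn3.so \
- libsoftokn3.chk libfreebl3.so libfreebl3.chk \
- libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
+ inst_libdir_file \
+ fipscheck .fipscheck.hmac \
+ libfipscheck.so.1 \
+ .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
+ libcrypto.so.1.0.0 libssl.so.1.0.0 \
 .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
 .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
 .libgcrypt.so.20.hmac \
- .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac
 
 # we do not use prelink at SUSE
 #inst_multiple -o prelink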
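Review bot: `strace` in `inst_multiple rmmod insmod mount uname umount fipscheck strace` looks like a debugging leftover: it ships a process tracer in every FIPS-enabled initramfs, and because the call has no `-o`, image generation presumably fails on hosts where strace is not installed. Drop it from the list, or if it is really wanted for diagnostics make it optional with a separate `inst_multiple -o strace`. Separately, `_fipsmodules+="drbg"` loses the trailing space that the neighbouring appends keep, so any later `_fipsmodules+=` would fuse its first module name with `drbg`; the rest of installkernel is outside the hunk, so I cannot tell whether one exists. The new `inst_libdir_file` list hard-codes sonames such as `libcrypto.so.1.0.0` and their `.hmac` files, which deserves a one-line comment that the names must track the packaged library versions.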
--
|
|
1.7.6.1
|
|
|