- Update to dracut mainline version 041. Half of the patches were integrated mainline. Some others have been merged together where it made sense; some have been left out but remain in the repository, as they need special treatment and a mainline discussion on whether/how they get added. These are not urgently needed either, being debugging patches. I broke the rule of mentioning every added/deleted/modified patch here, as every patch is touched and every second one was removed (integrated mainline). I also re-ordered the patches in the PatchXY: area so they are easier to merge, discuss and post mainline, topic by topic. OBS-URL: https://build.opensuse.org/request/show/293267 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=214
From 6a85f188d671723ad76bb729307c12e89199b7bd Mon Sep 17 00:00:00 2001
|
|
From: Marcus Meissner <meissner@suse.com>
|
|
Date: Thu, 14 Aug 2014 16:13:55 +0200
|
|
Subject: Switch from Mozilla NSS sha256hmac checking to fipscheck as
|
|
recommended
|
|
|
|
Signed-off-by: Thomas Renninger <trenn@suse.de>
|
|
---
|
|
modules.d/01fips/fips.sh | 6 ++----
|
|
modules.d/01fips/module-setup.sh | 13 +++++++------
|
|
2 files changed, 9 insertions(+), 10 deletions(-)
|
|
|
|
Index: dracut-041/modules.d/01fips/fips.sh
|
|
===================================================================
|
|
--- dracut-041.orig/modules.d/01fips/fips.sh 2015-03-18 13:56:05.453753422 +0100
|
|
+++ dracut-041/modules.d/01fips/fips.sh 2015-03-18 13:59:59.386939913 +0100
|
|
@@ -59,9 +59,7 @@
|
|
kpath=${1}
|
|
|
|
# If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
|
|
- HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done)
|
|
- HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1)
|
|
- if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
|
|
+ if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
|
|
warn "HMAC sum mismatch"
|
|
return 1
|
|
fi
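Review bot: The replacement test at the `+ if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then` line is inverted: fipscheck exits 0 when the HMAC verifies, so this branch now warns "HMAC sum mismatch" and returns 1 exactly when the kernel is good and falls through when it is bad, the opposite of the removed comparison and of the second hunk's `fipscheck "/boot/vmlinuz-${KERNEL}" || return 1`. It should read `if ! fipscheck "$NEWROOT/boot/vmlinuz-${KERNEL}"; then`, quoted like the second hunk. The new line also no longer uses `$kpath`: the removed code hashed the kernel passed in as `$1` and compared it with the stored `.hmac`, whereas the new call verifies `$NEWROOT/boot/vmlinuz-${KERNEL}` instead, so the RHEV-H kernel handed to this function is no longer the file being checked; if that is deliberate because fipscheck cannot take a separate hmac path, a comment saying so is needed. The enclosing function (presumably do_rhevh_check, judging by the call in the next hunk) starts before this hunk.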
|
|
@@ -126,7 +124,7 @@
|
|
elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
|
|
do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
|
|
else
|
|
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
|
|
+ fipscheck "/boot/vmlinuz-${KERNEL}" || return 1
|
|
fi
|
|
|
|
info "All initrd crypto checks done"
|
|
Index: dracut-041/modules.d/01fips/module-setup.sh
|
|
===================================================================
|
|
--- dracut-041.orig/modules.d/01fips/module-setup.sh 2015-03-18 13:56:05.457753647 +0100
|
|
+++ dracut-041/modules.d/01fips/module-setup.sh 2015-03-18 14:10:06.717187740 +0100
|
|
@@ -21,7 +21,7 @@
|
|
_fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 "
|
|
_fipsmodules+="ghash-clmulni-intel "
|
|
|
|
- _fipsmodules+="drbg "
|
|
+ _fipsmodules+="drbg"
|
|
|
|
mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
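Review bot: Dropping the trailing space in `_fipsmodules+="drbg"` makes this line inconsistent with the `_fipsmodules+=` lines above it, which all end in a space so the names stay separated when further entries are appended. It is harmless only if `drbg` is the last name appended before the list is consumed, which cannot be confirmed from the hunk; either keep the space or add `# must stay the last entry: no trailing separator` above it.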
|
|
|
|
@@ -40,15 +40,16 @@
|
|
inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
|
|
inst_script "$moddir/fips.sh" /sbin/fips.sh
|
|
|
|
- inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck
|
|
+ inst_multiple rmmod insmod mount uname umount fipscheck
|
|
|
|
- inst_libdir_file libsoftokn3.so libsoftokn3.so \
|
|
- libsoftokn3.chk libfreebl3.so libfreebl3.chk \
|
|
- libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
|
|
+ inst_libdir_file \
|
|
+ fipscheck .fipscheck.hmac \
|
|
+ libfipscheck.so.1 \
|
|
+ .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
|
|
+ libcrypto.so.1.0.0 libssl.so.1.0.0 \
|
|
.libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
|
|
.libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
|
|
.libgcrypt.so.20.hmac \
|
|
- .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac
|
|
libfreeblpriv3.so libfreeblpriv3.chk
|
|
|
|
# we do not use prelink at SUSE
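Review bot: `fipscheck` is requested twice in the new code, once via `inst_multiple` and again as the first name of the new `inst_libdir_file` list; `inst_libdir_file` looks under the library directories, so the second entry is either redundant or picks up something other than the binary, and the same question applies to `.fipscheck.hmac` if it lives next to the binary rather than under libdir — verify where the distribution installs it before relying on this list for the initrd self-check. The list is also uneven: the shared object is named as `libfipscheck.so.1` while its HMAC entries cover both `.so.1` and `.so.1.1.0`, so if `libfipscheck.so.1` is a symlink the real `libfipscheck.so.1.1.0` file should be named as well, unless inst_libdir_file is known to follow it. With the softokn/freebl entries removed, the surviving context line `libfreeblpriv3.so libfreeblpriv3.chk` looks like a leftover of the NSS path this commit abandons; if nothing else in the module uses it, drop it in a follow-up.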
|