pool/haveged
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

- Update to 1.9.19:

Browse Source 
* Added --time_interval N to add entropy unconditionally every N
    seconds.
  * Synchronize haveged instances during switch root.
  * 90-haveged.rules: fix warnings reported by udevadm verify.
- Introduce haveged-once.service.
  * This new service is meant to be called from initrd, and it uses
    the '--once' flag.
  * Haveged is executed, and then exits, raising the entropy levels
    during very early boot.
    Once / is mounted and 'systemd switch-root' is called, then the
    regular haveged.service is invoked.
  * Fix for bsc#1165294 and bsc#1222296.
- Improve haveged-dracut.module, so that haveged is called only once
  from initrd.

OBS-URL: https://build.opensuse.org/package/show/security/haveged?expand=0&rev=151
This commit is contained in:
Martin Schreiner
2024-10-29 20:31:40 +00:00
committed by Git OBS Bridge
commit f3e5d1945b
13 changed files with 977 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.osc

5
90-haveged.rules Normal file
View File

@@ -0,0 +1,5 @@
# Start the haveged service as soon as the random device is available
# to avoid starting other services while starved of entropy
ACTION=="add", KERNEL=="random" , SUBSYSTEM=="mem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="haveged.service"

16
harden_haveged.service.patch Normal file
View File

@@ -0,0 +1,16 @@
Index: haveged-1.9.14/contrib/Fedora/haveged.service
===================================================================
--- haveged-1.9.14.orig/contrib/Fedora/haveged.service
+++ haveged-1.9.14/contrib/Fedora/haveged.service
@@ -24,6 +24,11 @@ ProtectKernelLogs=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictRealtime=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectClock=true
+ProtectControlGroups=true
+# end of automatic additions
LockPersonality=true
MemoryDenyWriteExecute=true

3
haveged-1.9.18.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b835fa02b52ee7d06276e028571cadcb14d08f5e5a4b5767adf81451f70561c7
size 495798

3
haveged-1.9.19.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:acbb05776668657012273be9bb3310e3140b79959aa4538e4cca8d30d40c0b8f
size 507441

20
haveged-dracut.module Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# /usr/lib/dracut/modules.d/98haveged/module-setup.sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# called by dracut
depends() {
return 0
}
installkernel() {
return 0
}
# called by dracut
install() {
inst_multiple -o /usr/sbin/haveged $systemdsystemunitdir/haveged-once.service
mkdir -p "$initdir/$systemdsystemunitdir/sysinit.target.wants"
ln_r "$systemdsystemunitdir/haveged-once.service" "$systemdsystemunitdir/sysinit.target.wants/haveged-once.service"
}

39
haveged-no-syslog.patch Normal file
View File

@@ -0,0 +1,39 @@
Index: haveged-1.9.8/src/haveged.c
===================================================================
--- haveged-1.9.8.orig/src/haveged.c
+++ haveged-1.9.8/src/haveged.c
@@ -480,8 +480,10 @@ static void daemonize( /* RETURN: no
void) /* IN: nothing */
{
FILE *fh;
+#if 0
openlog(params->daemon, LOG_CONS, LOG_DAEMON);
syslog(LOG_NOTICE, "%s starting up", params->daemon);
+#endif
if (daemon(0, 0) == -1)
error_exit("Cannot fork into the background");
fh = fopen(params->pid_file, "w");
@@ -692,7 +694,9 @@ void error_exit( /* RETURN: no
#ifndef NO_DAEMON
if (params->detached!=0) {
unlink(params->pid_file);
+#if 0
syslog(LOG_INFO, "%s: %s", params->daemon, buffer);
+#endif
}
else
#endif
@@ -802,11 +806,13 @@ static void print_msg( /* RETURN: no
va_list ap;
va_start(ap, format);
snprintf(buffer, sizeof(buffer), "%s: %s", params->daemon, format);
+#if 0
#ifndef NO_DAEMON
if (params->detached != 0)
vsyslog(LOG_INFO, buffer, ap);
else
#endif
+#endif
vfprintf(stderr, buffer, ap);
va_end(ap);
}

28
haveged-once.service Normal file
View File

@@ -0,0 +1,28 @@
[Unit]
Description=Entropy Daemon based on the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
ConditionVirtualization=!container
[Service]
Type=oneshot
ExecStart=/usr/sbin/haveged -w 1024 -v 1 -F --once
SuccessExitStatus=137 143
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT
PrivateNetwork=yes
SecureBits=noroot-locked
# Don't set PrivateTmp=true as it can cause an ordering cycle
PrivateTmp=false
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions

627
haveged.changes Normal file
View File

@@ -0,0 +1,627 @@
-------------------------------------------------------------------
Tue Oct 29 18:28:04 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Update to 1.9.19:
* Added --time_interval N to add entropy unconditionally every N
seconds.
* Synchronize haveged instances during switch root.
* 90-haveged.rules: fix warnings reported by udevadm verify.
- Introduce haveged-once.service.
* This new service is meant to be called from initrd, and it uses
the '--once' flag.
* Haveged is executed, and then exits, raising the entropy levels
during very early boot.
Once / is mounted and 'systemd switch-root' is called, then the
regular haveged.service is invoked.
* Fix for bsc#1165294 and bsc#1222296.
- Improve haveged-dracut.module, so that haveged is called only once
from initrd.
-------------------------------------------------------------------
Fri Oct 27 13:04:10 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Remove haveged-switch-root.service because it's implemented incorrectly and
neither upstream don't know how to fix it (#77). On the other hand, without
this service haveged will be started from scratch after switch root so it's
hopefully no big deal. Also remove patch for bsc#1203079 as it's considered
as a security threat because of creating fixed name file in world-writable
directory. [jsc#PED-6184, bsc#1206699]
* Remove
- haveged-switch-root.service
- haveged-switch-root.patch
-------------------------------------------------------------------
Fri Dec 2 12:24:35 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
- Synchronize haveged instances during switching root (bsc#1203079)
* Add haveged-switch-root.patch
-------------------------------------------------------------------
Sun Apr 24 20:37:45 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 1.9.18:
* Round bits up and target full pool size [Jason A. Donenfeld]
* Specify right kernel commit in README [Jason A. Donenfeld]
-------------------------------------------------------------------
Tue Feb 15 15:22:09 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
- Update to v1.9.17:
* Added new verbose mode [Jirka Hladky]
* haveged-once.service - use @SBIN_DIR@ instead of hard-coded path [Jirka Hladky]
- Changes for version v1.9.16:
* Allow newuname syscall [Jirka Hladky]
* Fix: haveged cannot be run as an application if also running as a daemon [Günther Brunthaler]
* Add entropy unconditionally at the start and then every 60 seconds [Jirka Hladky]
* New parameter --once to refill entropy once and quit immediately [Jirka Hladky]
* Added haveged-once.service to provide entropy once (intended for initramfs) [Jirka Hladky]
- Changes for version v1.9.15:
* Check for sys/auxv.h before using it. [Peter Seiderer]
* fix build on uclibc (origin/pr/58) [Pierre-Jean Texier]
* Improved make check tests [Jirka Hladky]
* Removed old init.d files. Configs are under contrib directory [Jirka Hladky]
* Support for Linux kernel LRNG patch set
-------------------------------------------------------------------
Mon Nov 22 08:14:39 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Remove ProtectKernelTunables hardening, causes the service to fail
(boo#1192921)
-------------------------------------------------------------------
Tue Nov 2 08:18:49 UTC 2021 - Marcus Meissner <meissner@suse.com>
- revert last change, e.g. for VMs where we are not being fed entropy
from the host or similar setups.
--------------------------------------------------------------------
Mon Oct 11 13:26:52 UTC 2021 - Cristian Rodríguez <crrodriguez@opensuse.org>
- Improvements on the linux kernel random subsystem have made
the haveged service/daemon obsolete, remove the service files,
initrd modules and udev rules, the other components
are still useful.
-------------------------------------------------------------------
Tue Sep 21 12:15:06 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_haveged.service.patch
Modified:
* haveged-switch-root.service
* haveged.service
-------------------------------------------------------------------
Mon Jan 4 08:28:40 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
- Update to 1.9.14:
* made enttest configurable
* havegecmd.c - new command added to close the communication socket
- Drop haveged-conditional-enttest.patch
-------------------------------------------------------------------
Tue Jun 30 07:07:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 1.9.13:
* added support for --version [Jirka Hladky]
* updated systemd service file [Jirka Hladky]
* fix a memory leak in havege_destroy [Anakin Zhang]
* updated version reported by program [Jirka Hladky]
* fix ordering cycle with private tmp [Christian Hesse]
* Updated systemd service file [Nicolas Braud-Santoni]
* Bump soname [Nicolas Braud-Santoni]
* Fix crash on shutdown in threaded mode [Sergei Trofimovich]
* Fix compilation with --enable-threads [Lars Wendler]
-------------------------------------------------------------------
Tue May 26 10:49:29 UTC 2020 - Martin Pluskal <mpluskal@suse.com>
- Update to version 1.9.8:
* Fix for Unresolved symbol error_exit in libhavege #20 by pld-gitsync [Jirka Hladky]
* order after systemd-tmpfiles-setup-dev.service (origin/pr/21) [Christian Hesse]
* use systemd security features [Christian Hesse]
* do not run in container [Christian Hesse]
* do not use carriage return in line break [Christian Hesse]
* Fixed invalid UTF-8 codes in ChangeLog [Jirka Hladky]
- Changes for version 1.9.5:
* Added test for /dev/random symlink [Jirka Hladky]
* Update to automake 1.16 [Jirka Hladky]
* Fix segv at start [Andrew]
* Fixed built issue on Cygwin [jbaker6953]
* Fix segfault on arm machines (origin/pr/7) [Natanael Copa]
* init.d/Makefile.am - add missing dependency [Jackie Huang]
* service.redhat - update PIDFile [Pierre-Jean Texier]
* Fix type mismatch in get_poolsize [Andreas Schwab]
* Fixup upstream changelog [Nicolas Braud-Santoni]
* Remove support for CPUID on ia64 (origin/pr/19) [Jeremy Bobbio]
* Output some progress during CUSUM and RANDOM EXCURSION test [Sven Hartge]
* Diagnostics capture mode now works correctly [Ethan Rahn]
- Drop upstream patches:
* f2193587.patch
* get-poolsize.patch
-------------------------------------------------------------------
Tue Jul 30 08:25:59 UTC 2019 - Andreas Schwab <schwab@suse.de>
- get-poolsize.patch: Fix type mismatch in get_poolsize that breaks error
checking (bsc#1111047)
-------------------------------------------------------------------
Wed Sep 19 09:27:15 UTC 2018 - Dr. Werner Fink <werner@suse.de>
- Add patch f2193587.patch from github pull request (bsc#1134351)
* Fix segfault on arm machines which do not eport the cache size
or say it is -1 in sysfs
- Refresh patches
-------------------------------------------------------------------
Tue Sep 11 15:29:33 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Use noun phrase for summary. Grammar fixes to description.
-------------------------------------------------------------------
Tue Sep 11 11:00:13 UTC 2018 - Martin Pluskal <mpluskal@suse.com>
- Update to version 1.9.4:
* Avoid misleading message if cmd socket is in use
* Implements a command mode and use it for chroot
- Drop upstreamed patches:
* change-sysroot.patch
- Update project and download url's
-------------------------------------------------------------------
Mon Jul 2 13:37:19 UTC 2018 - werner@suse.de
- Add patch change-sysroot.patch to
move forward to socket communication within private network
- Add haveged-switch-root.service which send the new root location
to running haveged process
-------------------------------------------------------------------
Wed Jun 27 08:51:36 UTC 2018 - werner@suse.de
- Make haveged survive switch root within initrd (boo#1075359)
added change-sysroot.patch
haveged-switch-root.service
-------------------------------------------------------------------
Mon Mar 19 15:32:07 CET 2018 - kukuk@suse.de
- Use %license instead of %doc [bsc#1082318]
-------------------------------------------------------------------
Sun Feb 18 20:27:41 UTC 2018 - avindra@opensuse.org
- update to 1.9.2
* Cross compile fixes
* Limit watermark max to less than pool size to avoid 100% cpu
condition
* Add service.suse init script
- drop fix-enforced-clock-gettime.patch (fixed upstream)
- cleanup with spec-cleaner
-------------------------------------------------------------------
Sun Jun 19 13:16:01 UTC 2016 - jengelh@inai.de
- reset rpm groups
-------------------------------------------------------------------
Fri Jun 17 14:15:05 UTC 2016 - psimons@suse.com
- Add haveged-no-syslog.patch to remedy the potential for deadlocks
when booting the system: journald reads from /dev/random, which
receives entropy from haveged, which in turn logs to syslog
before providing any. Ideally, haveged would provide a proper
command-line flag to disable use of syslog. Will work with
upstream to resolve this in a cleaner way. (bnc#959237)
- Remove "After=systemd-random-seed.service" from systemd service
file to avoid the potential for deadlocks when booting the
system: systemd-random-seed needs /var to read its previous
state; mounting /var needs journald; journald needs entropy; and
entropy is provided by haveged, which needs systemd-random-seed.
(bnc#959237)
-------------------------------------------------------------------
Thu Dec 10 16:20:27 CET 2015 - tiwai@suse.de
- Fix missing dependency on coreutils for initrd macros (boo#958562)
-------------------------------------------------------------------
Fri Oct 9 13:11:27 UTC 2015 - meissner@suse.com
- haveged.service: reverted the dependency on systemd-journald.socket
for now, as it causes a dependency loop. bsc#949728 bsc#950857
-------------------------------------------------------------------
Wed Sep 30 12:15:14 UTC 2015 - meissner@suse.com
- modules-setup.sh should be module-setup.sh in dracut, also 755
- add dependency on systemd-journald.socket to make haveged
really start before journald in the initrd. bsc#898669
-------------------------------------------------------------------
Tue Sep 29 12:30:21 UTC 2015 - dmueller@suse.com
- add fix-enforced-clock-gettime.patch to fix build on generic
platforms like e.g. aarch64, which is only needed due to
our (non-recommended choice) of using gettime (fate#318370)
-------------------------------------------------------------------
Tue Feb 17 12:53:42 UTC 2015 - meissner@suse.com
- haveged-dracut.module: include haveged into the initrd for
randomness generation. bsc#898669
- haveged.service: adjust so it is started before journald
and also make sure it is shutdown quite late. bsc#898669
- regenerate initrd on installation. bsc#898669
-------------------------------------------------------------------
Fri Aug 29 07:23:34 UTC 2014 - tchvatal@suse.com
- Adjust the service to start early enough for all usecases.
Should fix bnc#892096.
-------------------------------------------------------------------
Tue Jun 10 08:27:54 UTC 2014 - tchvatal@suse.com
- Disable haveged service on containers. bnc#881882
-------------------------------------------------------------------
Mon May 12 10:55:20 UTC 2014 - tchvatal@suse.com
- Disable randomly failing ENT test bnc#876674
- Added patches:
* haveged-conditional-enttest.patch
-------------------------------------------------------------------
Mon May 12 10:49:09 UTC 2014 - tchvatal@suse.com
- Threads seem not to fix the random testsuite fail.
-------------------------------------------------------------------
Sat May 10 03:40:03 UTC 2014 - crrodriguez@opensuse.org
- Fix "stop" of service, the daemon in foreground actually
exits with a weird exit code. workaround this misbehaviour
in the service file.
-------------------------------------------------------------------
Sat May 10 02:34:26 UTC 2014 - crrodriguez@opensuse.org
- revert to non-forking service, "forking" services are racy
and provided by systemd purely for compatibility with old daemons.
see daemon(7) for the rationale. Only "simple" (default) and
"notify" services must be used if possible.
- Also, there is no haveged.conf around, neither such file
is parsed by the daemon at all.
- Start the daemon as soon as the random device is available with
the help of udev, as starting services while starved of entropy
is no good.
-------------------------------------------------------------------
Wed May 7 09:12:26 UTC 2014 - tchvatal@suse.com
- Cleanup with spec-cleaner
- Adapt the service file to be forking and match what it does for
me on Gentoo.
- Disable threads as they seem break some times.
- Capitalize summaries to make rpmlint happy.
-------------------------------------------------------------------
Tue Mar 11 10:21:46 UTC 2014 - dvaleev@suse.com
- Add ppc64le support
- added patches:
* ppc64le.patch
-------------------------------------------------------------------
Tue Feb 18 13:11:01 UTC 2014 - crrodriguez@opensuse.org
- version 1.9.1
* test suite improvements
* man page updates
* a few build tweaks
- restore rchaveged link
-------------------------------------------------------------------
Mon Jan 6 10:28:03 UTC 2014 - mvyskocil@suse.com
- update to 1.8
* Fix return code for signalled termination.
* Update init.d/service.fedora - new return code + simple, not forking
* Add --enable_unitdir as DESTDIR for systemd install
-------------------------------------------------------------------
Mon Jun 17 09:39:07 UTC 2013 - mvyskocil@suse.com
- update to 1.7c
* Correct additional run-time test aligment problems on mips.
* Correct run-time test aligment problems on sparc and mips.
* Correct ppc detection in build
deprecates haveged-ppc.patch
- use correct Group for libhavege1
- haveged-devel requires libhavege1
-------------------------------------------------------------------
Sun May 5 18:46:15 UTC 2013 - crrodriguez@opensuse.org
- Remove PrivateTmp=true here, haveged does not create temporary
files, either directly or indirectly.
-------------------------------------------------------------------
Thu May 2 18:25:33 UTC 2013 - crrodriguez@opensuse.org
- haveged 1.7a
* Correct VPATH issues and modify check target to support
parallel builds and changes in automake 1.13 test harness.
Updated sample spec file and other documentation changes.
-------------------------------------------------------------------
Tue Mar 26 14:19:46 UTC 2013 - mvyskocil@suse.com
- add autoconf to BuildRequires
- explain the need for autoreconf
- tag haveged-ppc.patch
-------------------------------------------------------------------
Wed Mar 20 23:28:42 UTC 2013 - crrodriguez@opensuse.org
- Remove all sysvinit compatibility.
-------------------------------------------------------------------
Mon Jan 21 01:18:16 CET 2013 - ro@suse.de
- spit off devel package (all new files not present before)
- spit off library package to follow shared library policy
- update to 1.7
* Add havege_status_dump() as basis for haveged diagnositics
* Provide sample spec to build haveged and haveged-devel
* Add contrib/build to provide build support
* Modify build to use libtool
* Retname base types to alias stdint.h types to allow 'fixes' if necessary
* Rename all public functions to follow havege_* naming convention
* Sanitize havege.h to be include file for devel package
* Add destroy() to havege for library use.
* Move all remaining static vars to allocated memory.
* Rework include file structure to eliminate include sequence errors.
* Fix (rare) segfault in test0 caused by 1.6 alignment fix
- update to v1.6a
* Fix typo in configure.ac
-------------------------------------------------------------------
Fri Dec 21 11:53:16 UTC 2012 - dvaleev@suse.com
- fix powerpc detection (haveged-ppc.patch)
-------------------------------------------------------------------
Sun Dec 16 02:11:10 UTC 2012 - pascal.bleser@opensuse.org
- update to 1.6:
* make clock_gettime a build option and correct dependencies when used
* fix alignment fault on arm64 in procedure A test0
-------------------------------------------------------------------
Mon Nov 26 20:59:36 UTC 2012 - crrodriguez@opensuse.org
- Current version does support ARM, remove the ExcludeArch
-------------------------------------------------------------------
Mon Sep 24 19:48:16 UTC 2012 - crrodriguez@opensuse.org
- Tight up systemd service file, this daemon does not
need network and can use PrivateNetwork=yes
-------------------------------------------------------------------
Mon Aug 13 13:15:15 UTC 2012 - mvyskocil@suse.cz
- Update to 1.5
* Add online tests based on AIS-31
* Add -p option to specify the pid location.
* Fix -F option to not take argument - i.e. now a switch
* Factor diagnostic methods for capture and inject for better performance
* Fix install target, move to bin and eliminate script if not daemon, now use sysv and systemd templates
- use -F with no arguments in haveged.service
- work-around nist check on i586 by decreasing the size of static array in a test
-------------------------------------------------------------------
Fri May 15 22:46:03 UTC 2012 - aboe@opensuse.org
- Update to version 1.4
* Add s390 architecture. Thanks to Dan Horak and Jiri Hladky
* Add generic architecture with clock_gettime() timer.
* Rewrite collection loop to support multiple instances and new diagnostics
* Rewrite tuning mechanism to add virtual file system mining and correct cpuid bugs
* Add prototype multi-thread collection option
* Reduce collection buffer size to .5MB
* Improve/correct build and install
* Add new invocation options to support new features.
- init script additions $remote_fs added
-------------------------------------------------------------------
Thu Feb 9 21:20:37 UTC 2012 - crrodriguez@opensuse.org
- build with -fpie
-------------------------------------------------------------------
Sat Dec 31 05:09:38 UTC 2011 - crrodriguez@opensuse.org
- Put the haveged binary back in /usr/sbin not in /sbin
-------------------------------------------------------------------
Wed Dec 14 23:42:57 UTC 2011 - crrodriguez@opensuse.org
- Update to version 1.3.0a, PPC fixes.
- Cleanup systemd unit and drop capabiltities there.
-------------------------------------------------------------------
Fri Dec 2 07:26:32 UTC 2011 - coolo@suse.com
- add automake as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Tue Nov 29 03:21:09 UTC 2011 - crrodriguez@opensuse.org
- Use proper systemd macros
- reduce verbosity level to the minimum
-------------------------------------------------------------------
Tue Nov 22 14:24:33 UTC 2011 - crrodriguez@opensuse.org
- Use Service type "simple" in systemd unit
-------------------------------------------------------------------
Tue Nov 1 17:46:35 CET 2011 - ro@suse.de
- fix build on ia64, s390, s390x
-------------------------------------------------------------------
Tue Oct 25 08:37:28 UTC 2011 - pascal.bleser@opensuse.org
- update to 1.3:
* reorganized to allow its collection mechanism to be better accessed
directly through the file system: includes the option to suppress the
daemon interface in the build for circumstances where /dev/random is
unavailable or its use is inappropriate
-------------------------------------------------------------------
Sat Oct 1 14:55:05 UTC 2011 - crrodriguez@opensuse.org
- There is no support for arm targets here, may be fixable
later.
-------------------------------------------------------------------
Sun Jul 24 19:23:34 UTC 2011 - crrodriguez@opensuse.org
- Update to version 1.2.
-------------------------------------------------------------------
Mon Jun 6 11:45:47 UTC 2011 - k0da@opensuse.org
- fix ppc64 build
-------------------------------------------------------------------
Mon Jun 6 10:11:20 UTC 2011 - adrian@suse.de
- fix URL to source tar ball
-------------------------------------------------------------------
Sat May 7 20:06:23 UTC 2011 - crrodriguez@opensuse.org
- Update to version 1.1, upstream version where the bugs
present in old versions have been fixed in different ways.
-------------------------------------------------------------------
Tue Mar 1 10:03:17 CET 2011 - meissner@suse.de
- avoid unnecessary services. bnc#675841
also the start should be mediated by YaST or kiwi depending
on presence of a virtualization environment, not by the package
itself.
-------------------------------------------------------------------
Tue Jan 4 23:14:52 UTC 2011 - cristian.rodriguez@opensuse.org
- Update to version 0.9_git201101042303
* fix wrong usage of strdupa
- fix build in older distros that have no XZ
-------------------------------------------------------------------
Tue Jan 4 17:18:34 UTC 2011 - cristian.rodriguez@opensuse.org
- Fix build in older distros
- run spec cleaner
-------------------------------------------------------------------
Tue Dec 7 21:26:31 UTC 2010 - coolo@novell.com
- prereq init script syslog
-------------------------------------------------------------------
Thu Nov 25 22:04:37 UTC 2010 - cristian.rodriguez@opensuse.org
- Use gcc's __cpuid instead of homegrown asm.
-------------------------------------------------------------------
Tue Nov 23 23:37:48 UTC 2010 - cristian.rodriguez@opensuse.org
- Fix optimization problem, actually a bug in inline asm
code. avoid using it, instead try hard to use either
GCC builtins or properly corrected inline asm.
Thanks Richard for pointing to the right solution.
-------------------------------------------------------------------
Sat Nov 6 00:00:24 UTC 2010 - aj@suse.de
- Package /lib/systemd/system/ and /lib/systemd to fix build
-------------------------------------------------------------------
Fri Nov 5 14:23:53 UTC 2010 - cristian.rodriguez@opensuse.org
- Link with full RELRO (-Wl,-z,relro,-z,now)
-------------------------------------------------------------------
Wed Nov 3 20:50:59 UTC 2010 - cristian.rodriguez@opensuse.org
- add systemd support
-------------------------------------------------------------------
Fri Sep 24 16:14:20 UTC 2010 - cristian.rodriguez@opensuse.org
- Drop as much capabilitites as possible using libcap-ng
-------------------------------------------------------------------
Sat Jul 31 23:55:20 UTC 2010 - cristian.rodriguez@opensuse.org
- I meant Enhances not Supplements
-------------------------------------------------------------------
Fri Jul 30 22:18:23 UTC 2010 - cristian.rodriguez@opensuse.org
- Implement hack to start by default only in VMs
-------------------------------------------------------------------
Tue Jul 27 22:02:20 UTC 2010 - cristian.rodriguez@opensuse.org
- Run the complete test suite (for the paranoid)
- use O_CLOEXEC on fds
-------------------------------------------------------------------
Tue Jul 20 21:27:49 UTC 2010 - cristian.rodriguez@opensuse.org
- enable daemon by default
- add a few Supplements so the it gets installed automatically.
-------------------------------------------------------------------
Sun Jul 18 21:25:16 UTC 2010 - cristian.rodriguez@opensuse.org
- add proper Requires(pre)
-------------------------------------------------------------------
Fri Jul 16 17:30:31 UTC 2010 - cristian.rodriguez@opensuse.org
- build with no optimization, there are reports saying it
may crash with -O1 like http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563938
-------------------------------------------------------------------
Thu Jul 15 17:37:11 UTC 2010 - cristian.rodriguez@opensuse.org
- move deamon to /sbin
- tune the spec file
- add a SUSE standard init script
-------------------------------------------------------------------
Fri May 28 14:03:54 CEST 2010 - meissner@suse.de
- haveged 0.9
Gather entropy by doing calculation and looking
at secondary high resolution processor information
(tsc, cache misses etc.)

31
haveged.service Normal file
View File

@@ -0,0 +1,31 @@
[Unit]
Description=Entropy Daemon based on the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
DefaultDependencies=no
ConditionVirtualization=!container
#Conflicts=shutdown.target
# Don't wait for systemd-random-seed.service, leads to deadlock with fips=1
#After=systemd-random-seed.service
Before=sysinit.target shutdown.target systemd-journald.service
[Service]
ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT
PrivateNetwork=yes
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Restart=always
SuccessExitStatus=137 143
[Install]
WantedBy=sysinit.target

164
haveged.spec Normal file
View File

@@ -0,0 +1,164 @@
#
# spec file for package haveged
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%{!?_udevrulesdir: %global _udevrulesdir %(pkg-config --variable=udevdir udev)/rules.d }
Name: haveged
Version: 1.9.19
Release: 0
Summary: Daemon for feeding entropy into the random pool
License: GPL-3.0-only
Group: System/Daemons
URL: https://github.com/jirka-h/haveged
Source0: https://github.com/jirka-h/haveged/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source2: %{name}.service
Source3: %{name}-once.service
Source4: 90-haveged.rules
Source5: haveged-dracut.module
Patch0: ppc64le.patch
# PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
Patch2: haveged-no-syslog.patch
Patch3: harden_haveged.service.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: pkgconfig(systemd)
BuildRequires: pkgconfig(udev)
Requires(post): coreutils
Requires(postun): coreutils
Enhances: apache2
Enhances: gpg2
Enhances: openssl
Enhances: openvpn
Enhances: php5
Enhances: smtp_daemon
Enhances: systemd
%{?systemd_requires}
%description
The haveged daemon feeds the Linux entropy pool with random
numbers generated from hidden processor state.
For more information, see http://www.issihosts.com/haveged/ .
%package devel
Summary: Haveged development files
Group: Development/Libraries/C and C++
Requires: libhavege2 = %{version}
%description devel
Headers and for the haveged library
This package contains the haveged implementation of the HAVEGE
algorithm and supporting features.
%package -n libhavege2
Summary: Haveged interface library
Group: System/Libraries
%description -n libhavege2
Shared object for the haveged library.
This package contains the haveged implementation of the HAVEGE
algorithm and supporting features.
%prep
%autosetup -p1
%build
autoreconf -fvi
export CFLAGS="%{optflags} -fpie -D_DEFAULT_SOURCE -D_GNU_SOURCE"
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
# ENT randomly fails so disable the test
%configure \
--disable-static \
--disable-enttest \
--enable-nistest \
--enable-daemon \
--enable-clock_gettime
make %{?_smp_mflags}
%check
#XXX: nist test is killed by SIGKILL with static int random_pool1[_32MB] on
# 32bit. Let change it to _08MB to avoid the test beeing killed, even if I
# am not sure allocate of 128M is prohibited
%ifarch %{ix86}
sed -i 's/\[_32MB\]/[_08MB]/' nist/nist.c
%endif
make %{?_smp_mflags} check
%install
%make_install
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}-once.service
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/90-%{name}.rules
install -Dpm 0755 %{SOURCE5} %{buildroot}%{_prefix}/lib/dracut/modules.d/98%{name}/module-setup.sh
rm -f %{buildroot}%{_libdir}/libhavege.*a
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
%post
%{?udev_rules_update:%udev_rules_update}
%service_add_post %{name}.service
%service_add_post %{name}-once.service
%{?regenerate_initrd_post}
%postun
%service_del_postun %{name}.service
%service_del_postun %{name}-once.service
%{?regenerate_initrd_post}
%posttrans
%{?regenerate_initrd_posttrans}
%pre
%service_add_pre %{name}.service
%service_add_pre %{name}-once.service
%preun
%service_del_preun %{name}.service
%service_del_preun %{name}-once.service
%post -n libhavege2 -p /sbin/ldconfig
%postun -n libhavege2 -p /sbin/ldconfig
%files
%license COPYING
%{_sbindir}/rc%{name}
%{_sbindir}/%{name}
%{_mandir}/man8/%{name}.8%{?ext_man}
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-once.service
%{_udevrulesdir}/90-%{name}.rules
%dir %{_prefix}/lib/dracut
%dir %{_prefix}/lib/dracut/modules.d
%dir %{_prefix}/lib/dracut/modules.d/98%{name}
%{_prefix}/lib/dracut/modules.d/98%{name}/module-setup.sh
%files devel
%license COPYING
%{_mandir}/man3/libhavege.3%{?ext_man}
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/havege.h
%doc contrib/build/havege_sample.c
%{_libdir}/*.so
%files -n libhavege2
%license COPYING
%{_libdir}/*.so.*
%changelog

17
ppc64le.patch Normal file
View File

@@ -0,0 +1,17 @@
Index: haveged-1.9.1/configure.ac
===================================================================
---
haveged-1.9.4/configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- haveged-1.9.4/configure.ac
+++ haveged-1.9.4/configure.ac 2018-09-19 09:23:01.331419209 +0000
@@ -170,7 +170,7 @@ case "$host" in
AC_DEFINE(HAVE_ISA_IA64, 1, [Define to 1 for ia64])
;;
- powerpc-*|pcc-*|powerpc64-*|ppc64-*)
+ powerpc-*|pcc-*|powerpc64*|ppc64*)
AC_DEFINE(HAVE_ISA_PPC, 1, [Define to 1 for ppc])
;;