[dracut] dracut-027-39.git20130425

Harald Hoyer harald at fedoraproject.org
Thu Apr 25 18:35:42 UTC 2013


commit 2e4662341213349f90d98e0aeaf405f387906386
Author: Harald Hoyer <harald at redhat.com>
Date:   Thu Apr 25 20:35:25 2013 +0200

    dracut-027-39.git20130425
    
    - fix shutdown, if /dev/console is not writeable
    - fixed fips mode
    Resolves: rhbz#956521

 ...direct-output-to-dev-console-only-if-it-e.patch |   22 ++++
 0037-fixup-3be5d63c2f.patch                        |   23 ++++
 0038-fixed-fips-mode.patch                         |  131 ++++++++++++++++++++
 dracut.spec                                        |   10 ++-
 4 files changed, 185 insertions(+), 1 deletions(-)
---
diff --git a/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch b/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
new file mode 100644
index 0000000..c017606
--- /dev/null
+++ b/0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
@@ -0,0 +1,22 @@
+From 3be5d63c2fe24252fff92ea9c0ad43d4c7e579bd Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald at redhat.com>
+Date: Fri, 19 Apr 2013 15:00:20 +0200
+Subject: [PATCH] shutdown: redirect output to /dev/console only if it exists
+
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index 6457cb0..f7b8509 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer <harald at redhat.com>
+ ACTION="$1"
+ 
+-exec </dev/console >>/dev/console 2>>/dev/console
++[ test -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
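Review bot: The `-w /dev/console` guard in shutdown.sh (added here as `[ test -w … ]` and corrected by the 0037 fixup) checks the permission bits on the node, not whether the device can actually be opened. For root, `-w` succeeds for nearly any existing node, so a /dev/console that exists but fails on open would presumably still reach the `exec`. Under a POSIX sh, a failed redirection on `exec` ends the script. Probing the open in a subshell covers both the read and write side: `if ( : </dev/console >>/dev/console ); then exec </dev/console >>/dev/console 2>>/dev/console; fi`. The script continues outside the hunk, so later redirections cannot be checked from here.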
diff --git a/0037-fixup-3be5d63c2f.patch b/0037-fixup-3be5d63c2f.patch
new file mode 100644
index 0000000..983dc28
--- /dev/null
+++ b/0037-fixup-3be5d63c2f.patch
@@ -0,0 +1,23 @@
+From ab42fe38fd1672f83cd3500771caf321ae25080d Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald at redhat.com>
+Date: Fri, 19 Apr 2013 15:08:16 +0200
+Subject: [PATCH] fixup 3be5d63c2f
+
+either test or []
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index f7b8509..d6a532b 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer <harald at redhat.com>
+ ACTION="$1"
+ 
+-[ test -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
++[ -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/0038-fixed-fips-mode.patch b/0038-fixed-fips-mode.patch
new file mode 100644
index 0000000..e35b4f3
--- /dev/null
+++ b/0038-fixed-fips-mode.patch
@@ -0,0 +1,131 @@
+From 6f4c2dada400f455cf7ee0afcd6bf41974c712d4 Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald at redhat.com>
+Date: Thu, 25 Apr 2013 19:44:01 +0200
+Subject: [PATCH] fixed fips mode
+
+- preserve timestamps
+- copy /lib*/hmaccalc files
+- run sha512hmac after kernel module loading
+- add more fips kernel modules
+---
+ dracut.sh                        |  2 ++
+ install/dracut-install.c         | 10 +++++++++-
+ modules.d/01fips/fips.sh         |  7 ++++---
+ modules.d/01fips/module-setup.sh |  8 +++++---
+ modules.d/99base/dracut-lib.sh   |  2 +-
+ 5 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 586172c..82b4a5f 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then
+             -executable -not -path '*/lib/modules/*.ko' -print0 \
+             | while read -r -d $'\0' f; do
+             if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
++                && ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \
++                && ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \
+                 && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
+                 && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
+                 echo -n "$f"; echo -n -e "\000"
+diff --git a/install/dracut-install.c b/install/dracut-install.c
+index 2d0412c..2fad6df 100644
+--- a/install/dracut-install.c
++++ b/install/dracut-install.c
+@@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)
+                 ret = clone_file(dest_desc, source_desc);
+                 close(source_desc);
+                 if (ret == 0) {
++                        struct timeval tv[2];
+                         if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)
+                                 fchown(dest_desc, -1, sb.st_gid);
++                        tv[0].tv_sec = sb.st_atime;
++                        tv[0].tv_usec = 0;
++                        tv[1].tv_sec = sb.st_mtime;
++                        tv[1].tv_usec = 0;
++                        futimes(dest_desc, tv);
+                         close(dest_desc);
+                         return ret;
+                 }
+@@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)
+  normal_copy:
+         pid = fork();
+         if (pid == 0) {
+-                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);
++                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);
+                 _exit(EXIT_FAILURE);
+         }
+ 
+@@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)
+ 	if (!hmacpath) {
+                 hmac_install(src, dst, "/lib/fipscheck");
+                 hmac_install(src, dst, "/lib64/fipscheck");
++                hmac_install(src, dst, "/lib/hmaccalc");
++                hmac_install(src, dst, "/lib64/hmaccalc");
+         }
+ 
+         srcpath[dlen] = '\0';
+diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
+index 48ad0e6..ce3e49c 100755
+--- a/modules.d/01fips/fips.sh
++++ b/modules.d/01fips/fips.sh
+@@ -51,7 +51,6 @@ mount_boot()
+ 
+ do_fips()
+ {
+-    info "Checking integrity of kernel"
+     KERNEL=$(uname -r)
+ 
+     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+@@ -59,8 +58,6 @@ do_fips()
+         return 1
+     fi
+ 
+-    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+-
+     FIPSMODULES=$(cat /etc/fipsmodules)
+ 
+     info "Loading and integrity checking all crypto modules"
+@@ -72,6 +69,10 @@ do_fips()
+     info "Self testing crypto algorithms"
+     modprobe tcrypt || return 1
+     rmmod tcrypt
++
++    info "Checking integrity of kernel"
++    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
++
+     info "All initrd crypto checks done"
+ 
+     > /tmp/fipsdone
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 8953132..a7f5be8 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -12,9 +12,11 @@ depends() {
+ 
+ installkernel() {
+     local _fipsmodules _mod
+-    _fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"
+-    _fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"
+-    _fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"
++    _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
++    _fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
++    _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
++    _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
++    _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
+ 
+     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+ 
+diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
+index ae79a82..9bd25f4 100755
+--- a/modules.d/99base/dracut-lib.sh
++++ b/modules.d/99base/dracut-lib.sh
+@@ -384,7 +384,7 @@ die() {
+         echo "warn dracut: FATAL: \"$*\"";
+         echo "warn dracut: Refusing to continue";
+     } >> $hookdir/emergency/01-die.sh
+-
++    [ -d /run/initramfs ] || mkdir -p /run/initramfs
+     > /run/initramfs/.die
+     emergency_shell
+     exit 1
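Review bot: In the dracut-install.c part, the new `futimes(dest_desc, tv)` call in cp() ignores its return value and zeroes `tv_usec`, so the clone path drops sub-second precision (and, on failure, the timestamps altogether) while the `cp --preserve=mode,timestamps` fallback should keep them in full. The commit message lists preserving timestamps as part of the FIPS fix, so both paths should presumably give the same result: `struct timespec ts[2] = { sb.st_atim, sb.st_mtim };` followed by `if (futimens(dest_desc, ts) != 0) ret = -1;` (or at least a logged warning) would do that. cp() starts and ends outside the hunk, so how callers treat a non-zero return is not visible here. Separately, the moved `sha512hmac -c` call in fips.sh deserves a one-line comment saying why it must run after the modules are loaded, and the enlarged `_fipsmodules` list in module-setup.sh a comment on why it now names md4, md5 and rot13, which are not FIPS-approved algorithms.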
diff --git a/dracut.spec b/dracut.spec
index 5facf0d..bece2ed 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -10,7 +10,7 @@
 
 Name: dracut
 Version: 027
-Release: 36.git20130418%{?dist}
+Release: 39.git20130425%{?dist}
 
 Summary: Initramfs generator using udev
 %if 0%{?fedora} || 0%{?rhel}
@@ -64,6 +64,9 @@ Patch32: 0032-.gitignore-ignore-more-files.patch
 Patch33: 0033-Makefile-remove-dracut-version.sh-on-clean.patch
 Patch34: 0034-base-dracut-lib.sh-do-not-setdebug-if-not-in-initram.patch
 Patch35: 0035-dracut-install-error-out-if-ldd-reports-no-execution.patch
+Patch36: 0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
+Patch37: 0037-fixup-3be5d63c2f.patch
+Patch38: 0038-fixed-fips-mode.patch
 
 
 BuildRequires: dash bash git
@@ -472,6 +475,11 @@ rm -rf $RPM_BUILD_ROOT
 %{dracutlibdir}/dracut.conf.d/02-norescue.conf
 
 %changelog
+* Thu Apr 25 2013 Harald Hoyer <harald at redhat.com> 027-39.git20130425
+- fix shutdown, if /dev/console is not writeable
+- fixed fips mode
+Resolves: rhbz#956521
+
 * Thu Apr 18 2013 Harald Hoyer <harald at redhat.com> 027-36.git20130418
 - fix initramfs creation on noexec tmpdir
 Resolves: rhbz#953426

