File 0527-switch-fips-checking-to-use-the-libkcapi-based-fipsc.patch of Package dracut.12460

From 3a1abe58f68fbdee31f7370314432ff903954daa Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Thu, 13 Jul 2017 16:56:14 +0200
Subject: [PATCH] switch fips checking to use the libkcapi based fipscheck
 toolset.

---
 modules.d/01fips/fips.sh         | 19 ++++++++++++++++---
 modules.d/01fips/module-setup.sh | 10 ++++++++++
 suse/dracut.spec                 |  1 +
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index ddf03994..081dba95 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -57,9 +57,15 @@ do_rhevh_check()
 {
     KERNEL=$(uname -r)
     kpath=${1}
-
+    FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/lib/libkcapi/fipscheck
+    fi
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/bin/fipscheck
+    fi
     # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
-    if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
+    if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then
         warn "HMAC sum mismatch"
         return 1
     fi
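Review bot: The changed test `if $FIPSCHECK $NEWROOT/boot/vmlinuz-${KERNEL} ; then` takes the "HMAC sum mismatch" branch when the checker exits 0, which is the opposite of how do_fips uses the same tool (`$FIPSCHECK ... || return 1`). If exit 0 means the HMAC verified, a failed verification skips the warning here, and so does a checker that cannot be run at all because none of the three candidate paths exists. Negating the test would make this path fail closed: `if ! "$FIPSCHECK" "$NEWROOT/boot/vmlinuz-${KERNEL}"; then`. The `kpath` argument is assigned but not used in the visible lines, so it is worth confirming which file is meant to be verified. The rest of do_rhevh_check lies outside the hunk.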
@@ -81,6 +87,13 @@ do_fips()
     fi
 
     KERNEL=$(uname -r)
+    FIPSCHECK=/usr/lib64/libkcapi/fipscheck
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/lib/libkcapi/fipscheck
+    fi
+    if [ ! -f $FIPSCHECK ]; then
+        FIPSCHECK=/usr/bin/fipscheck
+    fi
 
     if ! [ -e "/boot/.${_vmname}-${KERNEL}.hmac" ]; then
         warn "/boot/.${_vmname}-${KERNEL}.hmac does not exist"
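Review bot: The fipscheck lookup added here is a verbatim copy of the one added to do_rhevh_check, and in both places the last fallback `/usr/bin/fipscheck` is assigned without checking that it exists. The tests use `-f` on an unquoted variable, although what matters is that the file is executable. A single helper that tries the three paths with `-x`, warns when none is usable and returns non-zero would remove the duplication. It would also let both callers stop with a clear message instead of relying on a command-not-found status. do_fips starts and continues outside this hunk.

```shell
# Locate the fipscheck binary: prefer the libkcapi builds, then the legacy path.
# Sets FIPSCHECK and returns 0, or warns and returns 1 if none is executable.
find_fipscheck() {
    for _f in /usr/lib64/libkcapi/fipscheck \
              /usr/lib/libkcapi/fipscheck \
              /usr/bin/fipscheck; do
        if [ -x "$_f" ]; then
            FIPSCHECK=$_f
            return 0
        fi
    done
    warn "no usable fipscheck binary found"
    return 1
}

    KERNEL=$(uname -r)
    find_fipscheck || return 1
    # … unchanged: .hmac existence check …
```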
@@ -134,7 +147,7 @@ do_fips()
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
     else
-        fipscheck "/boot/${_vmname}-${KERNEL}" || return 1
+        $FIPSCHECK "/boot/${_vmname}-${KERNEL}" || return 1
     fi
 
     info "All initrd crypto checks done"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index beeb2f6d..9e5eca4f 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -24,6 +24,7 @@ installkernel() {
     _fipsmodules+="cast6_generic cast5_generic cast_common sha512_ssse3 serpent_sse2_x86_64 serpent_generic twofish_generic "
     _fipsmodules+="ablk_helper cryptd twofish_x86_64_3way lrw glue_helper twofish_x86_64 twofish_common blowfish_generic "
     _fipsmodules+="blowfish_x86_64 blowfish_common des_generic cbc "
+    _fipsmodules+="algif_hash af_alg crypto_user "
 
     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
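Review bot: The added `_fipsmodules+="algif_hash af_alg crypto_user "` line has no comment tying these modules to the new checker, so a later cleanup of the module list could drop them and break the kernel HMAC check at boot. A comment above it would record the dependency, for example `# required by the libkcapi fipscheck, which hashes through the kernel crypto API (AF_ALG)`. The rest of installkernel, including the earlier `_fipsmodules` entries, is outside the hunk.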
@@ -54,9 +55,18 @@ install() {
         .libgcrypt.so.20.hmac \
         libfreeblpriv3.so libfreeblpriv3.chk
 
+    if [ -f /usr/lib64/libkcapi/.fipscheck.hmac ]; then
+        inst_simple /usr/lib64/libkcapi/.fipscheck.hmac
+        inst_simple /usr/lib64/libkcapi/fipscheck
+    else
+        inst_simple /usr/lib/libkcapi/.fipscheck.hmac
+        inst_simple /usr/lib/libkcapi/fipscheck
+    fi
+
     # we do not use prelink at SUSE
     #inst_multiple -o prelink
 
     inst_simple /etc/system-fips
+
 }
 
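Review bot: The `else` branch installs `/usr/lib/libkcapi/.fipscheck.hmac` and `/usr/lib/libkcapi/fipscheck` without checking that they exist, so a build host with neither libkcapi path can produce an initrd that lacks the checker. fips.sh then falls back to `/usr/bin/fipscheck` at boot, which the visible lines here never install. Failing at image build time is safer than discovering this in the initramfs: make the branch `elif [ -f /usr/lib/libkcapi/.fipscheck.hmac ]; then` and add a final `else` with `derror "libkcapi fipscheck not found"; return 1`. The start of install() and its `inst_multiple` list are outside the hunk, so confirm whether the legacy binary is already covered there.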
-- 
2.12.3
