Hello community, here is the log from the commit of package dracut for openSUSE:Factory checked in at 2020-01-18 12:14:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dracut (Old) and /work/SRC/openSUSE:Factory/.dracut.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut" Sat Jan 18 12:14:25 2020 rev:148 rq:764321 version:049+git118.a6090e2f Changes: -------- --- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2019-12-23 22:36:09.697786935 +0100 +++ /work/SRC/openSUSE:Factory/.dracut.new.26092/dracut.changes 2020-01-18 12:16:16.651079265 +0100 @@ -1,0 +2,12 @@ +Tue Jan 14 14:22:25 UTC 2020 - daniel.molken...@suse.com + +- Update to version 049+git118.a6090e2f: + * Implement support for verifying the boot with fipscheck (bsc#1158530) + +------------------------------------------------------------------- +Thu Jan 09 10:11:10 UTC 2020 - daniel.molken...@suse.com + +- Update to version 049+git117.d3206e79: + * Remove purge-kernels scripts and service (jsc#SLE-10162) + +------------------------------------------------------------------- Old: ---- dracut-049+git116.e9995c78.obscpio dracut-049+git116.e9995c78.tar.xz New: ---- dracut-049+git118.a6090e2f.obscpio dracut-049+git118.a6090e2f.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut.spec ++++++ --- /var/tmp/diff_new_pack.9wgcLA/_old 2020-01-18 12:16:19.375080726 +0100 +++ /var/tmp/diff_new_pack.9wgcLA/_new 2020-01-18 12:16:19.379080728 +0100 @@ -1,7 +1,7 @@ # # spec file for package dracut # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define dracutlibdir %{_prefix}/lib/dracut Name: dracut -Version: 049+git116.e9995c78 +Version: 049+git118.a6090e2f Release: 0 Summary: Initramfs generator using udev License: GPL-2.0-or-later AND LGPL-2.1-or-later 
@@ -158,9 +158,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 dracut.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/dracut -install -D -m 0755 suse/purge-kernels %{buildroot}/sbin/purge-kernels -install -m 644 suse/purge-kernels.service %{buildroot}/%{_unitdir}/purge-kernels.service - install -D -m 0755 suse/dracut-installkernel %{buildroot}/sbin/installkernel %if 0%{?suse_version} @@ -172,10 +169,8 @@ %endif %pre -%service_add_pre purge-kernels.service %post -%service_add_post purge-kernels.service # check whether /var/run has been converted to a symlink [ -L /var/run ] || sed -i '/GRUB_CMDLINE_LINUX_DEFAULT.*/s/"$/ rd.convertfs"/' /etc/default/grub || : [ -L /var/run ] || cat >>/etc/dracut.conf.d/05-convertfs.conf<<EOF @@ -196,10 +191,8 @@ %{?regenerate_initrd_post} %preun -%service_del_preun purge-kernels.service %postun -%service_del_postun purge-kernels.service %{?regenerate_initrd_post} %postun fips @@ -245,7 +238,6 @@ %doc README HACKING TODO AUTHORS NEWS dracut.html dracut.png dracut.svg %{_bindir}/dracut %{_bindir}/lsinitrd -/sbin/purge-kernels /sbin/installkernel /sbin/mkinitrd /sbin/mkinitrd_setup ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.9wgcLA/_old 2020-01-18 12:16:19.419080749 +0100 +++ /var/tmp/diff_new_pack.9wgcLA/_new 2020-01-18 12:16:19.423080752 +0100 
@@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/opensuse/dracut.git</param> - <param name="changesrevision">e9995c7853e61de8513b41a302d465ddb1586a20</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">a6090e2f68a4ca727005b1de8a45bf474a782008</param></service></servicedata> \ No newline at end of file ++++++ dracut-049+git116.e9995c78.obscpio -> dracut-049+git118.a6090e2f.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/modules.d/01fips/fips.sh new/dracut-049+git118.a6090e2f/modules.d/01fips/fips.sh --- old/dracut-049+git116.e9995c78/modules.d/01fips/fips.sh 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/modules.d/01fips/fips.sh 2020-01-14 15:18:42.000000000 +0100 @@ -1,4 +1,17 @@ -#!/bin/sh +#!/bin/bash + +# find fipscheck, prefer kernel-based version +fipscheck() +{ + FIPSCHECK=/usr/lib64/libkcapi/fipscheck + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/lib/libkcapi/fipscheck + fi + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/bin/fipscheck + fi + echo $FIPSCHECK +} mount_boot() { @@ -65,6 +78,7 @@ warn "HMAC sum mismatch" return 1 fi + info "rhevh_check OK" return 0 } @@ -75,6 +89,12 @@ local _s local _v local _module + local _arch=$(uname -m) + local _vmname=vmlinuz + + if [ "$_arch" = "s390x" ]; then + _vmname=image + fi KERNEL=$(uname -r) 
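Review bot: In the new `fipscheck()` helper the last fallback `FIPSCHECK=/usr/bin/fipscheck` is assigned without an `-f` test, so the function always prints a path; the caller's `[ -n "$(fipscheck)" ]` in the `@@ -132,7 +168,12 @@` hunk can therefore never be false, and a system with none of the three binaries fails with a shell "command not found" instead of the intended `warn "Could not find fipscheck to verify MACs"`. Add a third check after the last assignment, `if [ ! -f "$FIPSCHECK" ]; then FIPSCHECK=; fi`, and declare `local FIPSCHECK` so the helper does not leave a global behind. Quoting the tests (`[ ! -f "$FIPSCHECK" ]`) costs nothing and matches the quoting used in the later hunks of this file. The same hunk is repeated in the dracut-049+git118.a6090e2f.tar.xz section further down.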
@@ -93,6 +113,22 @@ _found=1 break done </proc/crypto + # If we find some hardware specific modules and cannot load them + # it is not a problem, proceed. + if [ "$_found" = "0" ]; then + if [ "$_module" != "${_module%intel}" \ + -o "$_module" != "${_module%ssse3}" \ + -o "$_module" != "${_module%x86_64}" \ + -o "$_module" != "${_module%z90}" \ + -o "$_module" != "${_module%s390}" \ + -o "$_module" == "twofish_x86_64_3way" \ + -o "$_module" == "ablk_helper" \ + -o "$_module" == "glue_helper" \ + ]; then + _found=1 + fi + fi + [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1 fi fi @@ -114,14 +150,14 @@ BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}" if [ -z "$BOOT_IMAGE_NAME" ]; then - BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + BOOT_IMAGE_NAME="${_vmname}-${KERNEL}" elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE}" ]; then #if /boot is not a separate partition BOOT_IMAGE might start with /boot BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"} #on some achitectures BOOT_IMAGE does not contain path to kernel #so if we can't find anything, let's treat it in the same way as if it was empty if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then - BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + BOOT_IMAGE_NAME="${_vmname}-${KERNEL}" BOOT_IMAGE_PATH="" fi fi @@ -132,7 +168,12 @@ return 1 fi - sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1 + if [ -n "$(fipscheck)" ]; then + $(fipscheck) -c ${BOOT_IMAGE_HMAC} ${BOOT_IMAGE} || return 1 + else + warn "Could not find fipscheck to verify MACs" + return 1 + fi fi info "All initrd crypto checks done" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/modules.d/01fips/module-setup.sh new/dracut-049+git118.a6090e2f/modules.d/01fips/module-setup.sh --- old/dracut-049+git116.e9995c78/modules.d/01fips/module-setup.sh 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/modules.d/01fips/module-setup.sh 2020-01-14 15:18:42.000000000 +0100 
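Review bot: The new hardware-module exemption in the `@@ -93,6 +113,22 @@` hunk flips `_found` to 1 silently, so a module that failed to load and happens to match one of the suffixes leaves no trace in the boot log, because `/tmp/fips.modprobe_err` is only printed when `_found` stays 0. Log the decision, e.g. `info "Skipping optional hardware-specific module $_module"` inside the inner `if`, so the exemption remains visible when the boot is audited. The suffix tests are a long `[ ... -o ... ]` chain mixing `!=` on stripped suffixes with bash-only `==`; a `case "$_module" in *intel|*ssse3|*x86_64|*z90|*s390|twofish_x86_64_3way|ablk_helper|glue_helper) _found=1 ;; esac` expresses the same set in one portable statement. The enclosing function starts outside the hunk, and the same hunk reappears in the tar.xz section below.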
@@ -23,6 +23,10 @@ _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 " _fipsmodules+="crc32c crct10dif ghash " + # Hashes, platform specific: + _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 " + _fipsmodules+="ghash-clmulni-intel " + # Ciphers: _fipsmodules+="cipher_null des3_ede aes " @@ -66,7 +70,11 @@ inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" inst_script "$moddir/fips.sh" /sbin/fips.sh - inst_multiple sha512hmac rmmod insmod mount uname umount + inst_multiple rmmod insmod mount uname umount + inst_multiple -o sha512hmac \ + fipscheck \ + /usr/lib64/libkcapi/fipscheck \ + /usr/lib/libkcapi/fipscheck inst_simple /etc/system-fips [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/dracut.spec new/dracut-049+git118.a6090e2f/suse/dracut.spec --- old/dracut-049+git116.e9995c78/suse/dracut.spec 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/dracut.spec 2020-01-14 15:18:42.000000000 +0100 @@ -158,9 +158,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 dracut.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/dracut -install -D -m 0755 suse/purge-kernels %{buildroot}/sbin/purge-kernels -install -m 644 suse/purge-kernels.service %{buildroot}/%{_unitdir}/purge-kernels.service - install -D -m 0755 suse/dracut-installkernel %{buildroot}/sbin/installkernel %if 0%{?suse_version} @@ -172,10 +169,8 @@ %endif %pre -%service_add_pre purge-kernels.service %post -%service_add_post purge-kernels.service # check whether /var/run has been converted to a symlink [ -L /var/run ] || sed -i '/GRUB_CMDLINE_LINUX_DEFAULT.*/s/"$/ rd.convertfs"/' /etc/default/grub || : [ -L /var/run ] || cat >>/etc/dracut.conf.d/05-convertfs.conf<<EOF 
@@ -196,10 +191,8 @@ %{?regenerate_initrd_post} %preun -%service_del_preun purge-kernels.service %postun -%service_del_postun purge-kernels.service %{?regenerate_initrd_post} %postun fips @@ -245,7 +238,6 @@ %doc README HACKING TODO AUTHORS NEWS dracut.html dracut.png dracut.svg %{_bindir}/dracut %{_bindir}/lsinitrd -/sbin/purge-kernels /sbin/installkernel /sbin/mkinitrd /sbin/mkinitrd_setup diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/purge-kernels new/dracut-049+git118.a6090e2f/suse/purge-kernels --- old/dracut-049+git116.e9995c78/suse/purge-kernels 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/purge-kernels 1970-01-01 01:00:00.000000000 +0100 
@@ -1,403 +0,0 @@ -#!/usr/bin/perl - -use strict; -use warnings; - -use Getopt::Long; - -sub usage { - print "Usage: $0 [--test]\n"; - print "Reads list of kernels to keep from /etc/zypp/zypp.conf:multiversion.kernels\n"; - print "kernels can be given as <version>, latest(-N), running, oldest(+N).\n"; -} - -# arch/flavor => version-release => [ subpackages ] -my %kernels; - -my @keep_spec; -my ($want_running, $running_version, $running_flavor); - -# do not actually delete anything -my $test_only; - -# undocumented debugging options -my ($fake_config, $fake_rpm_qa, $fake_uname_r, $fake_uname_m); - -sub get_config_line { - my $file = "/etc/zypp/zypp.conf"; - - if ($fake_config) { - return $fake_config; - } - if (!-e $file) { - print STDERR "$0: /etc/zypp/zypp.conf does not exist, exiting.\n"; - exit 0; - } - open(my $fh, '<', $file) or die "$0: $file: $!\n"; - while (<$fh>) { - chomp; - next unless /^\s*multiversion\.kernels\b/; - s/^[^=]*=\s*//; - close($fh); - return $_; - } - close($fh); - return ""; -} - -sub load_config { - my @kernels; - - @kernels = split(/,\s*/, get_config_line()); - for my $kernel (@kernels) { - if ($kernel =~ /^\s*(latest|oldest|running)(\s*[-+]\s*\d+)?\s*$/) { - my $new = { whence => $1, offset => $2 || 0 }; - $new->{offset} =~ s/\s*//g; - if ($new->{whence} eq "running") { - $want_running = 1; - } - push (@keep_spec, $new); - } elsif ($kernel =~ /^\d+\.\d+/) { - my $new = { version => $kernel }; - push (@keep_spec, $new); - } elsif ($kernel =~ /^\s*$/) { - next; - } else { - print STDERR "$0: Ignoring unknow kernel specification in\n"; - print STDERR "/etc/zypp/zypp.conf:multiversion.kernels: $kernel\n"; - } - } -} - -sub add_package { - my ($name, $vr, $arch) = @_; - (my $flavor = $name) =~ s/^kernel-//; - - #print STDERR "add_package: $name $vr $arch\n"; - if ($name eq "kernel-firmware" || $name eq "kernel-coverage") { - return; - } - # Put all subpackages into the same group, except for - # kernel-source-{vanilla,rt}, which are 
packages on their own - if ($flavor !~ /^source/) { - $flavor =~ s/-.*//; # XXX: No dashes in flavor names - } - # kernel-devel is a subpackage of kernel-source - $flavor =~ s/^devel/source/; - $kernels{"$arch/$flavor"} ||= {}; - $kernels{"$arch/$flavor"}{$vr} ||= []; - push(@{$kernels{"$arch/$flavor"}{$vr}}, "$name-$vr.$arch"); -} - -sub load_packages { - my $pipe; - - if ($fake_rpm_qa) { - open($pipe, '<', $fake_rpm_qa) or die "$fake_rpm_qa: $!\n"; - } else { - open($pipe, '-|', 'rpm', '-qa', '--qf', - '%{n} %{v}-%{r} %{arch}\n', 'kernel-*') or die "rpm: $!\n"; - } - while (<$pipe>) { - chomp; - my ($name, $vr, $arch) = split; - add_package($name, $vr, $arch); - } - close($pipe) -} - -sub sort_versions { - my @versions = @_; - - pipe (my $read, my $write); - my $pid = fork(); - if (!defined($pid)) { - die "Cannot fork: $!\n"; - } elsif ($pid == 0) { - # child - close($read); - open STDOUT, '>&', $write; - open(my $fh, '|-', "/usr/lib/rpm/rpmsort") or die "/usr/lib/rpm/rpmsort: $!\n"; - print $fh join("\n", @versions), "\n"; - close($fh); - die "rpmsort failed ($?)\n" if $? != 0; - - exit 0; - } - # parent - close($write); - @versions = <$read>; - chomp @versions; - close($read); - waitpid($pid, 0); - die "rpmsort failed ($?)\n" if $? 
!= 0; - - return @versions; -} - -# return true if VER1 == VER2 or VER1 == (VER2 minus rebuild counter) -sub version_match { - my ($ver1, $ver2) = @_; - - return 1 if $ver1 eq $ver2; - - # copied from kernel-source/rpm/kernel-spec-macros - $ver2 =~ s/\.[0-9]+($|\.[^.]*[^.0-9][^.]*$)/$1/; - return $ver1 eq $ver2; -} - -sub list_old_versions { - my ($flavor) = @_; - - my $is_source = $flavor =~ /\/(source|syms)/; - my $kernels = $kernels{$flavor}; - my @versions = sort_versions(keys(%$kernels)); - my %idx = ( - oldest => 0, - latest => scalar(@versions) - 1, - ); - if ($want_running && ($running_flavor eq $flavor || $is_source)) { - for (my $i = scalar(@versions) - 1; $i >= 0; $i--) { - if (version_match($running_version, $versions[$i])) { - $idx{running} = $i; - last; - } - } - if (!exists($idx{running}) && !$is_source) { - print STDERR "$0: Running kernel $running_version-$running_flavor not installed.\n"; - print "NOT removing any packages for flavor $flavor.\n"; - return; - } - } - my %delete = map { $_ => 1 } @versions; - for my $keep (@keep_spec) { - if ($keep->{version}) { - for my $ver (@versions) { - if (version_match($keep->{version}, $ver)) { - $delete{$ver} = 0; - } - } - } elsif ($keep->{whence}) { - next unless exists($idx{$keep->{whence}}); - my $idx = $idx{$keep->{whence}}; - $idx += $keep->{offset}; - next unless $idx >= 0 && $idx < scalar(@versions); - $delete{$versions[$idx]} = 0; - } else { - die "??"; - } - } - return grep { $delete{$_} } @versions; -} - -sub package_exists { - my ($version, $archs, $flavors) = @_; - - for my $arch (@$archs) { - for my $flavor (@$flavors) { - my $config = "$arch/$flavor"; - if (exists($kernels{$config}) - && exists($kernels{$config}->{$version})) { - return 1; - } - } - } - return 0; -} - -sub list_old_packages { - my (@packages, @archs, @flavors); - my (@syms_flavors, @binary_flavors, @source_configs); - - # there are some inter-dependencies among the kernel packages, - # so we have to be careful - my %t = map { 
s:/.*::; $_ => 1 } keys(%kernels); - @archs = sort(keys(%t)); - %t = map { s:.*/::; $_ => 1 } keys(%kernels); - @flavors = sort(keys(%t)); - @syms_flavors = grep { /^syms/ } @flavors; - @binary_flavors = grep { !/^(source|syms)/ } @flavors; - @source_configs = grep { /\/source/ } sort(keys(%kernels)); - - for my $arch (@archs) { - for my $flavor (@syms_flavors) { - my $config = "$arch/$flavor"; - next unless exists($kernels{$config}); - my @versions = list_old_versions($config); - for my $ver (@versions) { - push(@packages, @{$kernels{$config}->{$ver}}); - delete($kernels{$config}->{$ver}); - } - } - for my $flavor (@binary_flavors) { - my $config = "$arch/$flavor"; - next unless exists($kernels{$config}); - my @versions = list_old_versions($config); - for my $ver (@versions) { - my @pacs = @{$kernels{$config}->{$ver}}; - my $remove_all = 1; - # do not remove kernel-$flavor-devel-$ver - # if kernel-syms-$ver still exists - if (grep { /-devel$/ } @pacs) { - my $syms = "syms"; - if ($flavor =~ /^rt/) { - $syms = "syms-rt"; - } - if (exists($kernels{$syms}->{$ver})) { - $remove_all = 0; - @pacs = grep { !/-devel$/ } - @pacs; - } - } - push(@packages, @pacs); - if ($remove_all) { - delete($kernels{$config}->{$ver}); - } - } - } - } - for my $config (@source_configs) { - my @versions = list_old_versions($config); - for my $ver (@versions) { - # Remove kernel-{devel,source} only if no other package - # of the same version exists - next if package_exists($ver, \@archs, \@binary_flavors); - push(@packages, @{$kernels{$config}->{$ver}}); - } - } - return @packages; -} - -sub find_package { - my $name = shift @_; - my $version = shift @_; - my @packages = @_; - my $expr = "^" . quotemeta("$name-$version"); - my @found = grep { $_ =~ $expr } @packages; - return @found if @found; - $expr = "^" . quotemeta($name) . " = " . quotemeta($version) . 
"\$"; - @found = grep { - my @provides = qx/rpm -q --provides $_/; - chomp (@provides); - grep { $_ =~ $expr} @provides; - } @packages; - return @found; -} - -# Try to remove a list of packages. -# -# If there is a KMP or livepatch depending on the package remove it as well. If -# there is another package depending on the kernel keep the kernel. If there is -# a package that depends on a KMP keep the KMP and a kernel required to use the -# KMP. -# In each step a KMP or livepatch may be added or a package which cannot be -# removed due to dependencies is marked as taboo and removed from the list. -# -# Finish when packages uninstall successfully or we can't find any packages to -# add or remove from the list to make it uninstallable. - -sub remove_packages { - my @packages = @_; - my %taboo_packages; - - while (1) { - pipe(my $read, my $write); - my $pid = fork(); - if (!defined($pid)) { - die "Cannot fork: $!\n"; - } elsif($pid == 0) { - # child - close($read); - open STDOUT, '>&', $write; - open STDERR, '>&', $write; - $ENV{LC_ALL} = "C"; - my @cmd = qw(rpm -e); - push(@cmd, "--test") if $test_only; - exec(@cmd, @packages) or die "rpm: $!\n"; - } - # parent - close($write); - my @out = <$read>; - chomp @out; - close($read); - waitpid($pid, 0); - if ($? 
== 0) { - print "Removed:\n ", join("\n ", @packages), "\n"; - return 1; - } - my $retry = 0; - my %old_packages = map { $_ => 1 } @packages; - my %new_packages; - for (@out) { - if (/ is needed by \(installed\) (kernel-syms-.*|kgraft-patch-.*|kernel-livepatch-.*|.*-kmp-.*)/ && - !$old_packages{$1} && !$taboo_packages{$1}) { - push(@packages, $1) unless $new_packages{$1}; - $new_packages{$1} = 1; - $retry = 1; - } elsif (/([^ \t]*) = ([^ \t]*) is needed by \(installed\) /) { - my @unremovable = find_package($1, $2, @packages); - my $match = $unremovable[$#unremovable]; - if ($match) { - print STDERR "$0: $_\n"; - print STDERR "$0: Keeping $1 = $2 ($match)\n"; - @packages = grep { $_ !~ $match } @packages; - $taboo_packages{$match} = 1; - $retry = 1; - last; # Only remove one package providing the dependency from the list - } - } - } - if (!$retry) { - print STDERR join("\n", @out), "\n"; - print STDERR "$0: giving up.\n"; - return 0; - } - } -} - -if (!GetOptions( - "h|help" => sub { usage(); exit; }, - "--test" => \$test_only, - "--fake-config=s" => \$fake_config, - "--fake-rpm-qa=s" => \$fake_rpm_qa, - "--fake-uname-r=s" => \$fake_uname_r, - "--fake-uname-m=s" => \$fake_uname_m)) { - usage(); - exit 1; -} -load_config(); -if (!@keep_spec) { - print STDERR "$0: multiversion.kernels not configured in /etc/zypp/zypp.conf, exiting.\n"; - exit 0; -} - -load_packages(); -if ($want_running) { - $running_version = $fake_uname_r ? $fake_uname_r : `uname -r`; - chomp($running_version); - ($running_flavor = $running_version) =~ s/.*-//; - $running_version =~ s/-[^-]*$//; - (my $release = $running_version) =~ s/.*-//; - $running_version =~ s/-[^-]*$//; - - # copied from kernel-source/rpm/mkspec - $running_version =~ s/\.0-rc/.rc/; - $running_version =~ s/-rc\d+//; - $running_version =~ s/-/./g; - - $running_version .= "-$release"; - - my $arch = $fake_uname_m ? 
$fake_uname_m : `uname -m`; - chomp($arch); - $arch =~ s/^i.86$/i586/; - $running_flavor = "$arch/$running_flavor"; -} -my @remove = list_old_packages(); -if (!@remove) { - print STDERR "$0: Nothing to do.\n"; - exit 0; -} -if (remove_packages(@remove)) { - exit 0; -} -exit 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/purge-kernels.service new/dracut-049+git118.a6090e2f/suse/purge-kernels.service --- old/dracut-049+git116.e9995c78/suse/purge-kernels.service 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/purge-kernels.service 1970-01-01 01:00:00.000000000 +0100 @@ -1,15 +0,0 @@ -[Unit] -Description=Purge old kernels -After=local-fs.target -ConditionPathExists=/boot/do_purge_kernels -ConditionPathIsReadWrite=/ - -[Service] -Type=oneshot -Nice=19 -IOSchedulingClass=idle -ExecStartPre=/bin/rm -f /boot/do_purge_kernels -ExecStart=/sbin/purge-kernels - -[Install] -WantedBy=multi-user.target ++++++ dracut-049+git116.e9995c78.tar.xz -> dracut-049+git118.a6090e2f.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/modules.d/01fips/fips.sh new/dracut-049+git118.a6090e2f/modules.d/01fips/fips.sh --- old/dracut-049+git116.e9995c78/modules.d/01fips/fips.sh 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/modules.d/01fips/fips.sh 2020-01-14 15:18:42.000000000 +0100 @@ -1,4 +1,17 @@ -#!/bin/sh +#!/bin/bash + +# find fipscheck, prefer kernel-based version +fipscheck() +{ + FIPSCHECK=/usr/lib64/libkcapi/fipscheck + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/lib/libkcapi/fipscheck + fi + if [ ! -f $FIPSCHECK ]; then + FIPSCHECK=/usr/bin/fipscheck + fi + echo $FIPSCHECK +} mount_boot() { @@ -65,6 +78,7 @@ warn "HMAC sum mismatch" return 1 fi + info "rhevh_check OK" return 0 } 
@@ -75,6 +89,12 @@ local _s local _v local _module + local _arch=$(uname -m) + local _vmname=vmlinuz + + if [ "$_arch" = "s390x" ]; then + _vmname=image + fi KERNEL=$(uname -r) @@ -93,6 +113,22 @@ _found=1 break done </proc/crypto + # If we find some hardware specific modules and cannot load them + # it is not a problem, proceed. + if [ "$_found" = "0" ]; then + if [ "$_module" != "${_module%intel}" \ + -o "$_module" != "${_module%ssse3}" \ + -o "$_module" != "${_module%x86_64}" \ + -o "$_module" != "${_module%z90}" \ + -o "$_module" != "${_module%s390}" \ + -o "$_module" == "twofish_x86_64_3way" \ + -o "$_module" == "ablk_helper" \ + -o "$_module" == "glue_helper" \ + ]; then + _found=1 + fi + fi + [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1 fi fi @@ -114,14 +150,14 @@ BOOT_IMAGE_PATH="${BOOT_IMAGE%${BOOT_IMAGE_NAME}}" if [ -z "$BOOT_IMAGE_NAME" ]; then - BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + BOOT_IMAGE_NAME="${_vmname}-${KERNEL}" elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE}" ]; then #if /boot is not a separate partition BOOT_IMAGE might start with /boot BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"} #on some achitectures BOOT_IMAGE does not contain path to kernel #so if we can't find anything, let's treat it in the same way as if it was empty if ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE_NAME}" ]; then - BOOT_IMAGE_NAME="vmlinuz-${KERNEL}" + BOOT_IMAGE_NAME="${_vmname}-${KERNEL}" BOOT_IMAGE_PATH="" fi fi 
@@ -132,7 +168,12 @@ return 1 fi - sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1 + if [ -n "$(fipscheck)" ]; then + $(fipscheck) -c ${BOOT_IMAGE_HMAC} ${BOOT_IMAGE} || return 1 + else + warn "Could not find fipscheck to verify MACs" + return 1 + fi fi info "All initrd crypto checks done" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/modules.d/01fips/module-setup.sh new/dracut-049+git118.a6090e2f/modules.d/01fips/module-setup.sh --- old/dracut-049+git116.e9995c78/modules.d/01fips/module-setup.sh 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/modules.d/01fips/module-setup.sh 2020-01-14 15:18:42.000000000 +0100 @@ -23,6 +23,10 @@ _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 " _fipsmodules+="crc32c crct10dif ghash " + # Hashes, platform specific: + _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 " + _fipsmodules+="ghash-clmulni-intel " + # Ciphers: _fipsmodules+="cipher_null des3_ede aes " @@ -66,7 +70,11 @@ inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" inst_script "$moddir/fips.sh" /sbin/fips.sh - inst_multiple sha512hmac rmmod insmod mount uname umount + inst_multiple rmmod insmod mount uname umount + inst_multiple -o sha512hmac \ + fipscheck \ + /usr/lib64/libkcapi/fipscheck \ + /usr/lib/libkcapi/fipscheck inst_simple /etc/system-fips [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/dracut.spec new/dracut-049+git118.a6090e2f/suse/dracut.spec --- old/dracut-049+git116.e9995c78/suse/dracut.spec 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/dracut.spec 2020-01-14 15:18:42.000000000 +0100 
@@ -158,9 +158,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 dracut.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/dracut -install -D -m 0755 suse/purge-kernels %{buildroot}/sbin/purge-kernels -install -m 644 suse/purge-kernels.service %{buildroot}/%{_unitdir}/purge-kernels.service - install -D -m 0755 suse/dracut-installkernel %{buildroot}/sbin/installkernel %if 0%{?suse_version} @@ -172,10 +169,8 @@ %endif %pre -%service_add_pre purge-kernels.service %post -%service_add_post purge-kernels.service # check whether /var/run has been converted to a symlink [ -L /var/run ] || sed -i '/GRUB_CMDLINE_LINUX_DEFAULT.*/s/"$/ rd.convertfs"/' /etc/default/grub || : [ -L /var/run ] || cat >>/etc/dracut.conf.d/05-convertfs.conf<<EOF @@ -196,10 +191,8 @@ %{?regenerate_initrd_post} %preun -%service_del_preun purge-kernels.service %postun -%service_del_postun purge-kernels.service %{?regenerate_initrd_post} %postun fips @@ -245,7 +238,6 @@ %doc README HACKING TODO AUTHORS NEWS dracut.html dracut.png dracut.svg %{_bindir}/dracut %{_bindir}/lsinitrd -/sbin/purge-kernels /sbin/installkernel /sbin/mkinitrd /sbin/mkinitrd_setup diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/purge-kernels new/dracut-049+git118.a6090e2f/suse/purge-kernels --- old/dracut-049+git116.e9995c78/suse/purge-kernels 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/purge-kernels 1970-01-01 01:00:00.000000000 +0100 
@@ -1,403 +0,0 @@ -#!/usr/bin/perl - -use strict; -use warnings; - -use Getopt::Long; - -sub usage { - print "Usage: $0 [--test]\n"; - print "Reads list of kernels to keep from /etc/zypp/zypp.conf:multiversion.kernels\n"; - print "kernels can be given as <version>, latest(-N), running, oldest(+N).\n"; -} - -# arch/flavor => version-release => [ subpackages ] -my %kernels; - -my @keep_spec; -my ($want_running, $running_version, $running_flavor); - -# do not actually delete anything -my $test_only; - -# undocumented debugging options -my ($fake_config, $fake_rpm_qa, $fake_uname_r, $fake_uname_m); - -sub get_config_line { - my $file = "/etc/zypp/zypp.conf"; - - if ($fake_config) { - return $fake_config; - } - if (!-e $file) { - print STDERR "$0: /etc/zypp/zypp.conf does not exist, exiting.\n"; - exit 0; - } - open(my $fh, '<', $file) or die "$0: $file: $!\n"; - while (<$fh>) { - chomp; - next unless /^\s*multiversion\.kernels\b/; - s/^[^=]*=\s*//; - close($fh); - return $_; - } - close($fh); - return ""; -} - -sub load_config { - my @kernels; - - @kernels = split(/,\s*/, get_config_line()); - for my $kernel (@kernels) { - if ($kernel =~ /^\s*(latest|oldest|running)(\s*[-+]\s*\d+)?\s*$/) { - my $new = { whence => $1, offset => $2 || 0 }; - $new->{offset} =~ s/\s*//g; - if ($new->{whence} eq "running") { - $want_running = 1; - } - push (@keep_spec, $new); - } elsif ($kernel =~ /^\d+\.\d+/) { - my $new = { version => $kernel }; - push (@keep_spec, $new); - } elsif ($kernel =~ /^\s*$/) { - next; - } else { - print STDERR "$0: Ignoring unknow kernel specification in\n"; - print STDERR "/etc/zypp/zypp.conf:multiversion.kernels: $kernel\n"; - } - } -} - -sub add_package { - my ($name, $vr, $arch) = @_; - (my $flavor = $name) =~ s/^kernel-//; - - #print STDERR "add_package: $name $vr $arch\n"; - if ($name eq "kernel-firmware" || $name eq "kernel-coverage") { - return; - } - # Put all subpackages into the same group, except for - # kernel-source-{vanilla,rt}, which are 
packages on their own - if ($flavor !~ /^source/) { - $flavor =~ s/-.*//; # XXX: No dashes in flavor names - } - # kernel-devel is a subpackage of kernel-source - $flavor =~ s/^devel/source/; - $kernels{"$arch/$flavor"} ||= {}; - $kernels{"$arch/$flavor"}{$vr} ||= []; - push(@{$kernels{"$arch/$flavor"}{$vr}}, "$name-$vr.$arch"); -} - -sub load_packages { - my $pipe; - - if ($fake_rpm_qa) { - open($pipe, '<', $fake_rpm_qa) or die "$fake_rpm_qa: $!\n"; - } else { - open($pipe, '-|', 'rpm', '-qa', '--qf', - '%{n} %{v}-%{r} %{arch}\n', 'kernel-*') or die "rpm: $!\n"; - } - while (<$pipe>) { - chomp; - my ($name, $vr, $arch) = split; - add_package($name, $vr, $arch); - } - close($pipe) -} - -sub sort_versions { - my @versions = @_; - - pipe (my $read, my $write); - my $pid = fork(); - if (!defined($pid)) { - die "Cannot fork: $!\n"; - } elsif ($pid == 0) { - # child - close($read); - open STDOUT, '>&', $write; - open(my $fh, '|-', "/usr/lib/rpm/rpmsort") or die "/usr/lib/rpm/rpmsort: $!\n"; - print $fh join("\n", @versions), "\n"; - close($fh); - die "rpmsort failed ($?)\n" if $? != 0; - - exit 0; - } - # parent - close($write); - @versions = <$read>; - chomp @versions; - close($read); - waitpid($pid, 0); - die "rpmsort failed ($?)\n" if $? 
!= 0; - - return @versions; -} - -# return true if VER1 == VER2 or VER1 == (VER2 minus rebuild counter) -sub version_match { - my ($ver1, $ver2) = @_; - - return 1 if $ver1 eq $ver2; - - # copied from kernel-source/rpm/kernel-spec-macros - $ver2 =~ s/\.[0-9]+($|\.[^.]*[^.0-9][^.]*$)/$1/; - return $ver1 eq $ver2; -} - -sub list_old_versions { - my ($flavor) = @_; - - my $is_source = $flavor =~ /\/(source|syms)/; - my $kernels = $kernels{$flavor}; - my @versions = sort_versions(keys(%$kernels)); - my %idx = ( - oldest => 0, - latest => scalar(@versions) - 1, - ); - if ($want_running && ($running_flavor eq $flavor || $is_source)) { - for (my $i = scalar(@versions) - 1; $i >= 0; $i--) { - if (version_match($running_version, $versions[$i])) { - $idx{running} = $i; - last; - } - } - if (!exists($idx{running}) && !$is_source) { - print STDERR "$0: Running kernel $running_version-$running_flavor not installed.\n"; - print "NOT removing any packages for flavor $flavor.\n"; - return; - } - } - my %delete = map { $_ => 1 } @versions; - for my $keep (@keep_spec) { - if ($keep->{version}) { - for my $ver (@versions) { - if (version_match($keep->{version}, $ver)) { - $delete{$ver} = 0; - } - } - } elsif ($keep->{whence}) { - next unless exists($idx{$keep->{whence}}); - my $idx = $idx{$keep->{whence}}; - $idx += $keep->{offset}; - next unless $idx >= 0 && $idx < scalar(@versions); - $delete{$versions[$idx]} = 0; - } else { - die "??"; - } - } - return grep { $delete{$_} } @versions; -} - -sub package_exists { - my ($version, $archs, $flavors) = @_; - - for my $arch (@$archs) { - for my $flavor (@$flavors) { - my $config = "$arch/$flavor"; - if (exists($kernels{$config}) - && exists($kernels{$config}->{$version})) { - return 1; - } - } - } - return 0; -} - -sub list_old_packages { - my (@packages, @archs, @flavors); - my (@syms_flavors, @binary_flavors, @source_configs); - - # there are some inter-dependencies among the kernel packages, - # so we have to be careful - my %t = map { 
s:/.*::; $_ => 1 } keys(%kernels); - @archs = sort(keys(%t)); - %t = map { s:.*/::; $_ => 1 } keys(%kernels); - @flavors = sort(keys(%t)); - @syms_flavors = grep { /^syms/ } @flavors; - @binary_flavors = grep { !/^(source|syms)/ } @flavors; - @source_configs = grep { /\/source/ } sort(keys(%kernels)); - - for my $arch (@archs) { - for my $flavor (@syms_flavors) { - my $config = "$arch/$flavor"; - next unless exists($kernels{$config}); - my @versions = list_old_versions($config); - for my $ver (@versions) { - push(@packages, @{$kernels{$config}->{$ver}}); - delete($kernels{$config}->{$ver}); - } - } - for my $flavor (@binary_flavors) { - my $config = "$arch/$flavor"; - next unless exists($kernels{$config}); - my @versions = list_old_versions($config); - for my $ver (@versions) { - my @pacs = @{$kernels{$config}->{$ver}}; - my $remove_all = 1; - # do not remove kernel-$flavor-devel-$ver - # if kernel-syms-$ver still exists - if (grep { /-devel$/ } @pacs) { - my $syms = "syms"; - if ($flavor =~ /^rt/) { - $syms = "syms-rt"; - } - if (exists($kernels{$syms}->{$ver})) { - $remove_all = 0; - @pacs = grep { !/-devel$/ } - @pacs; - } - } - push(@packages, @pacs); - if ($remove_all) { - delete($kernels{$config}->{$ver}); - } - } - } - } - for my $config (@source_configs) { - my @versions = list_old_versions($config); - for my $ver (@versions) { - # Remove kernel-{devel,source} only if no other package - # of the same version exists - next if package_exists($ver, \@archs, \@binary_flavors); - push(@packages, @{$kernels{$config}->{$ver}}); - } - } - return @packages; -} - -sub find_package { - my $name = shift @_; - my $version = shift @_; - my @packages = @_; - my $expr = "^" . quotemeta("$name-$version"); - my @found = grep { $_ =~ $expr } @packages; - return @found if @found; - $expr = "^" . quotemeta($name) . " = " . quotemeta($version) . 
"\$"; - @found = grep { - my @provides = qx/rpm -q --provides $_/; - chomp (@provides); - grep { $_ =~ $expr} @provides; - } @packages; - return @found; -} - -# Try to remove a list of packages. -# -# If there is a KMP or livepatch depending on the package remove it as well. If -# there is another package depending on the kernel keep the kernel. If there is -# a package that depends on a KMP keep the KMP and a kernel required to use the -# KMP. -# In each step a KMP or livepatch may be added or a package which cannot be -# removed due to dependencies is marked as taboo and removed from the list. -# -# Finish when packages uninstall successfully or we can't find any packages to -# add or remove from the list to make it uninstallable. - -sub remove_packages { - my @packages = @_; - my %taboo_packages; - - while (1) { - pipe(my $read, my $write); - my $pid = fork(); - if (!defined($pid)) { - die "Cannot fork: $!\n"; - } elsif($pid == 0) { - # child - close($read); - open STDOUT, '>&', $write; - open STDERR, '>&', $write; - $ENV{LC_ALL} = "C"; - my @cmd = qw(rpm -e); - push(@cmd, "--test") if $test_only; - exec(@cmd, @packages) or die "rpm: $!\n"; - } - # parent - close($write); - my @out = <$read>; - chomp @out; - close($read); - waitpid($pid, 0); - if ($? 
== 0) { - print "Removed:\n ", join("\n ", @packages), "\n"; - return 1; - } - my $retry = 0; - my %old_packages = map { $_ => 1 } @packages; - my %new_packages; - for (@out) { - if (/ is needed by \(installed\) (kernel-syms-.*|kgraft-patch-.*|kernel-livepatch-.*|.*-kmp-.*)/ && - !$old_packages{$1} && !$taboo_packages{$1}) { - push(@packages, $1) unless $new_packages{$1}; - $new_packages{$1} = 1; - $retry = 1; - } elsif (/([^ \t]*) = ([^ \t]*) is needed by \(installed\) /) { - my @unremovable = find_package($1, $2, @packages); - my $match = $unremovable[$#unremovable]; - if ($match) { - print STDERR "$0: $_\n"; - print STDERR "$0: Keeping $1 = $2 ($match)\n"; - @packages = grep { $_ !~ $match } @packages; - $taboo_packages{$match} = 1; - $retry = 1; - last; # Only remove one package providing the dependency from the list - } - } - } - if (!$retry) { - print STDERR join("\n", @out), "\n"; - print STDERR "$0: giving up.\n"; - return 0; - } - } -} - -if (!GetOptions( - "h|help" => sub { usage(); exit; }, - "--test" => \$test_only, - "--fake-config=s" => \$fake_config, - "--fake-rpm-qa=s" => \$fake_rpm_qa, - "--fake-uname-r=s" => \$fake_uname_r, - "--fake-uname-m=s" => \$fake_uname_m)) { - usage(); - exit 1; -} -load_config(); -if (!@keep_spec) { - print STDERR "$0: multiversion.kernels not configured in /etc/zypp/zypp.conf, exiting.\n"; - exit 0; -} - -load_packages(); -if ($want_running) { - $running_version = $fake_uname_r ? $fake_uname_r : `uname -r`; - chomp($running_version); - ($running_flavor = $running_version) =~ s/.*-//; - $running_version =~ s/-[^-]*$//; - (my $release = $running_version) =~ s/.*-//; - $running_version =~ s/-[^-]*$//; - - # copied from kernel-source/rpm/mkspec - $running_version =~ s/\.0-rc/.rc/; - $running_version =~ s/-rc\d+//; - $running_version =~ s/-/./g; - - $running_version .= "-$release"; - - my $arch = $fake_uname_m ? 
$fake_uname_m : `uname -m`; - chomp($arch); - $arch =~ s/^i.86$/i586/; - $running_flavor = "$arch/$running_flavor"; -} -my @remove = list_old_packages(); -if (!@remove) { - print STDERR "$0: Nothing to do.\n"; - exit 0; -} -if (remove_packages(@remove)) { - exit 0; -} -exit 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-049+git116.e9995c78/suse/purge-kernels.service new/dracut-049+git118.a6090e2f/suse/purge-kernels.service --- old/dracut-049+git116.e9995c78/suse/purge-kernels.service 2019-12-10 09:43:14.000000000 +0100 +++ new/dracut-049+git118.a6090e2f/suse/purge-kernels.service 1970-01-01 01:00:00.000000000 +0100 @@ -1,15 +0,0 @@ -[Unit] -Description=Purge old kernels -After=local-fs.target -ConditionPathExists=/boot/do_purge_kernels -ConditionPathIsReadWrite=/ - -[Service] -Type=oneshot -Nice=19 -IOSchedulingClass=idle -ExecStartPre=/bin/rm -f /boot/do_purge_kernels -ExecStart=/sbin/purge-kernels - -[Install] -WantedBy=multi-user.target ++++++ dracut.obsinfo ++++++ --- /var/tmp/diff_new_pack.9wgcLA/_old 2020-01-18 12:16:19.867080990 +0100 +++ /var/tmp/diff_new_pack.9wgcLA/_new 2020-01-18 12:16:19.871080991 +0100 @@ -1,5 +1,5 @@ name: dracut -version: 049+git116.e9995c78 -mtime: 1575967394 -commit: e9995c7853e61de8513b41a302d465ddb1586a20 +version: 049+git118.a6090e2f +mtime: 1579011522 +commit: a6090e2f68a4ca727005b1de8a45bf474a782008