From d8c0b10b15940d88a28acbcf93354e4da0babb8d Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Wed, 10 Jun 2020 15:57:20 +0800
Subject: [PATCH] dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL
On Fedora/RHEL, libcrypto will verify both itself and libssl on start; if
libssl is missing, the FIPS self test will fail. However, libssl is not a
dependency of libcrypto, so dracut will not install it unless some other
binary or library pulls it in. Systemd requires libssl, so in most cases
it just worked, but it could fail in some corner cases where systemd is not
used.
Signed-off-by: Kairui Song <kasong@redhat.com>
(cherry picked from commit 5a4c3469338410b6aea9452994b4b0af1ba59be7)
Resolves: #1841077
---
 dracut.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/dracut.sh b/dracut.sh
ab0e4d
index 4c5176a1..86e95449 100755
ab0e4d
--- a/dracut.sh
ab0e4d
+++ b/dracut.sh
ab0e4d
@@ -1840,6 +1840,17 @@ if [[ $kernel_only != yes ]]; then
ab0e4d
             break 2
ab0e4d
         done
ab0e4d
     done
ab0e4d
+
ab0e4d
+    # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled
ab0e4d
+    if [[ $DRACUT_FIPS_MODE ]]; then
ab0e4d
+      for _dir in $libdirs; do
ab0e4d
+          for _f in "$dracutsysrootdir$_dir/libcrypto.so"*; do
ab0e4d
+              [[ -e "$_f" ]] || continue
ab0e4d
+              inst_libdir_file -o "libssl.so*"
ab0e4d
+              break 2
ab0e4d
+          done
ab0e4d
+      done
ab0e4d
+    fi
ab0e4d
 fi
ab0e4d
 
ab0e4d
 if [[ $do_strip = yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then
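Review bot: The `inst_libdir_file -o "libssl.so*"` call inside the new `$DRACUT_FIPS_MODE` block gives no build-time signal when no libssl is found, so the image can still be produced without it and the problem only surfaces as a failed FIPS self test at boot, which is the failure the commit message describes. Assuming `inst_libdir_file` reports a miss through its exit status (its definition is outside this hunk, so confirm), a warning such as `inst_libdir_file -o "libssl.so*" || dwarn "FIPS mode: libssl.so* not found, libcrypto self test may fail at boot"` would make the gap visible when the image is built. The probe tests for libcrypto under `$dracutsysrootdir$_dir` rather than in the image being assembled, so a one-line comment stating that presence in the sysroot is the trigger would help the next reader. The outer `for` is indented two columns under the `if` while the rest of the block steps by four; the enclosing `if [[ $kernel_only != yes ]]` starts outside the hunk.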
ab0e4d