|
|
ab0e4d |
From d8c0b10b15940d88a28acbcf93354e4da0babb8d Mon Sep 17 00:00:00 2001
|
|
|
ab0e4d |
From: Kairui Song <kasong@redhat.com>
|
|
|
ab0e4d |
Date: Wed, 10 Jun 2020 15:57:20 +0800
|
|
|
ab0e4d |
Subject: [PATCH] dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL
|
|
|
ab0e4d |
|
|
|
ab0e4d |
On Fedora/RHEL, libcryto will verify both itself and libssl on start, if
|
|
|
ab0e4d |
libssl is missing, FIPS self test will fail. However libssl is not a
|
|
|
ab0e4d |
dependency of libcryto so dracut will not install it, unless some other
|
|
|
ab0e4d |
binary or library pulls it in. Systemd requires libssl, so in most cases
|
|
|
ab0e4d |
it just worked, but could fail in some corner cases where systemd is not
|
|
|
ab0e4d |
used.
|
|
|
ab0e4d |
|
|
|
ab0e4d |
Signed-off-by: Kairui Song <kasong@redhat.com>
|
|
|
ab0e4d |
(cherry picked from commit 5a4c3469338410b6aea9452994b4b0af1ba59be7)
|
|
|
ab0e4d |
|
|
|
ab0e4d |
Resolves: #1841077
|
|
|
ab0e4d |
---
|
|
|
ab0e4d |
dracut.sh | 11 +++++++++++
|
|
|
ab0e4d |
1 file changed, 11 insertions(+)
|
|
|
ab0e4d |
|
|
|
ab0e4d |
diff --git a/dracut.sh b/dracut.sh
|
|
|
ab0e4d |
index 4c5176a1..86e95449 100755
|
|
|
ab0e4d |
--- a/dracut.sh
|
|
|
ab0e4d |
+++ b/dracut.sh
|
|
|
ab0e4d |
@@ -1840,6 +1840,17 @@ if [[ $kernel_only != yes ]]; then
|
|
|
ab0e4d |
break 2
|
|
|
ab0e4d |
done
|
|
|
ab0e4d |
done
|
|
|
ab0e4d |
+
|
|
|
ab0e4d |
+ # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled
|
|
|
ab0e4d |
+ if [[ $DRACUT_FIPS_MODE ]]; then
|
|
|
ab0e4d |
+ for _dir in $libdirs; do
|
|
|
ab0e4d |
+ for _f in "$dracutsysrootdir$_dir/libcrypto.so"*; do
|
|
|
ab0e4d |
+ [[ -e "$_f" ]] || continue
|
|
|
ab0e4d |
+ inst_libdir_file -o "libssl.so*"
|
|
|
ab0e4d |
+ break 2
|
|
|
ab0e4d |
+ done
|
|
|
ab0e4d |
+ done
|
|
|
ab0e4d |
+ fi
|
|
|
ab0e4d |
fi
|
|
|
ab0e4d |
|
|
|
ab0e4d |
if [[ $do_strip = yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then
|
|
|
ab0e4d |
|