From d98e681a99d3ba81c30fe9b4c1fae8519e1aa5c2 Mon Sep 17 00:00:00 2001 From: srinidhira0 Date: Tue, 3 Nov 2020 06:26:16 +0000 Subject: [PATCH] fipsify: Remove fipsify & photon-checksum-generator - As Linux kernel crypto modules are going to be canisterized, We do not need fipsify package, dracut fipsify module and photon-checksum-generator package to verify the integrity of the kernel crypto canister. Change-Id: Iec858091dfd1a19e4369c042fead7b3cc4c4be5a Signed-off-by: srinidhira0 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/11350 Reviewed-by: Keerthana K Tested-by: Anish Swaminathan --- SPECS/dracut/dracut.spec | 8 ++-- SPECS/fipsify/fips.conf | 1 - SPECS/fipsify/fipsify.spec | 42 ----------------- SPECS/fipsify/modules.fips | 26 ----------- SPECS/initramfs/initramfs.spec | 6 ++- SPECS/linux/genhmac.inc | 15 ------- SPECS/linux/linux-aws.spec | 44 ++---------------- SPECS/linux/linux-esx.spec | 45 ++----------------- SPECS/linux/linux-secure.spec | 44 ++---------------- SPECS/linux/linux.spec | 44 ++---------------- .../photon-checksum-generator.spec | 38 ---------------- installer/installer.py | 2 +- 12 files changed, 22 insertions(+), 293 deletions(-) delete mode 100644 SPECS/fipsify/fips.conf delete mode 100644 SPECS/fipsify/fipsify.spec delete mode 100644 SPECS/fipsify/modules.fips delete mode 100644 SPECS/linux/genhmac.inc delete mode 100644 SPECS/photon-checksum-generator/photon-checksum-generator.spec diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec index d1dfc7d003..f88f12e1f8 100644 --- a/SPECS/dracut/dracut.spec +++ b/SPECS/dracut/dracut.spec @@ -4,7 +4,7 @@ Summary: dracut to create initramfs Name: dracut Version: 050 -Release: 4%{?dist} +Release: 5%{?dist} Group: System Environment/Base # The entire source code is GPLv2+ # except install/* which is LGPLv2+ 
@@ -19,8 +19,7 @@ Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Patch0: disable-xattr.patch Patch1: fix-initrd-naming-for-photon.patch Patch2: lvm-no-read-only-locking.patch -Patch3: fips-changes.patch -Patch4: fix-hostonly.patch +Patch3: fix-hostonly.patch BuildRequires: bash git BuildRequires: pkg-config @@ -68,6 +67,7 @@ make %{?_smp_mflags} install \ echo "DRACUT_VERSION=%{version}-%{release}" > $RPM_BUILD_ROOT/%{dracutlibdir}/dracut-version.sh +rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/01fips rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/02fips-aesni rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00bootchart @@ -156,6 +156,8 @@ rm -rf -- $RPM_BUILD_ROOT %dir /var/lib/dracut/overlay %changelog +* Tue Nov 03 2020 Srinidhi Rao 050-5 +- Remove fipsify support * Fri Oct 09 2020 Shreenidhi Shedi 050-4 - Fixed hostonly setting logic to generate initrd properly * Mon Oct 05 2020 Susant Sahani 050-3 diff --git a/SPECS/fipsify/fips.conf b/SPECS/fipsify/fips.conf deleted file mode 100644 index 9846d7fc07..0000000000 --- a/SPECS/fipsify/fips.conf +++ /dev/null @@ -1 +0,0 @@ -add_dracutmodules+="fips" diff --git a/SPECS/fipsify/fipsify.spec b/SPECS/fipsify/fipsify.spec deleted file mode 100644 index d27a2279e7..0000000000 --- a/SPECS/fipsify/fipsify.spec +++ /dev/null 
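Review bot: Removing `modules.d/01fips` in `%install` strands any host that still has the old `fipsify` package installed, because its `/etc/dracut.conf.d/fips.conf` (`add_dracutmodules+="fips"`) will name a dracut module that no longer ships, and nothing visible in this patch obsoletes that package. Regenerating the initramfs on such a host may then warn or fail, so consider `Obsoletes: fipsify` in the preamble of this spec, which lies outside the hunk. The same missing-obsoletes gap applies to the `hmacgen` subpackages dropped from linux.spec, linux-aws.spec, linux-esx.spec and linux-secure.spec, whose `Requires: %{name} = %{version}-%{release}` may leave an installed subpackage pinned to the old kernel build. A comment above the new `rm` line such as `# FIPS integrity checks move to the kernel crypto canister; the initrd fips module is intentionally not shipped` would record why the check is gone, since the canister itself is not part of this change.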
@@ -1,42 +0,0 @@ -Summary: fipsify - Enable fips, add fips module to initrd and generate hmac files. -Name: fipsify -Version: 1.0 -Release: 2%{?dist} -License: GPLv2+ -URL: http://dl.bintray.com/vmware/photon_sources/1.0/fipsify-1.0.tar.gz -Group: System Environment/Daemons -Vendor: VMware, Inc. -Distribution: Photon -Source0: modules.fips -Source1: fips.conf -Requires: initramfs -Requires: photon-checksum-generator - -%description -Enable fips, add fips module to initrd and generate initrd. - -%install -echo %{buildroot} -install -vdm 755 %{buildroot}/lib/modules/ -cp %{SOURCE0} %{buildroot}/lib/modules/ - -mkdir -p %{buildroot}%{_sysconfdir}/dracut.conf.d -install -D -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/dracut.conf.d/ - -%postun - -%post - -%clean -rm -rf %{buildroot} - -%files -%defattr(-,root,root) -%{_sysconfdir}/dracut.conf.d/fips.conf -/lib/modules/modules.fips - -%changelog -* Wed Sep 23 2020 Michelle Wang 1.0-2 -- Add sources fipsify-1.0.tar.gz to file OSSTP ticket -* Tue Jan 28 2020 Vikash Bansal 1.0-1 -- Added fipsify package to photon-3.0 diff --git a/SPECS/fipsify/modules.fips b/SPECS/fipsify/modules.fips deleted file mode 100644 index 8c02a2b5df..0000000000 --- a/SPECS/fipsify/modules.fips +++ /dev/null @@ -1,26 +0,0 @@ -aes-x86_64 -aesni-intel -authenc -cryptd -crypto_null -ctr -seqiv -sha512_generic -tcrypt -lrw -xts -ablk_helper -ecb -cbc -des_generic -sha256_generic -algif_skcipher -ccm -cmac -gcm -lzo -ghash-generic -jitterentropy_rng -drbg -ecdh_generic -hmac_generator diff --git a/SPECS/initramfs/initramfs.spec b/SPECS/initramfs/initramfs.spec index fe93499e72..6e9cb06969 100644 --- a/SPECS/initramfs/initramfs.spec +++ b/SPECS/initramfs/initramfs.spec @@ -1,7 +1,7 @@ Summary: initramfs Name: initramfs Version: 2.0 -Release: 5%{?dist} +Release: 6%{?dist} Source0: fscks.conf License: Apache License Group: System Environment/Base 
@@ -19,7 +19,7 @@ install -D -m644 %{SOURCE0} %{buildroot}%{_sysconfdir}/dracut.conf.d/ install -d -m755 %{buildroot}%{_localstatedir}/lib/initramfs/kernel %define watched_path %{_sbindir} %{_libdir}/udev/rules.d %{_libdir}/systemd/system /lib/modules %{_sysconfdir}/dracut.conf.d -%define watched_pkgs e2fsprogs, systemd, kpartx, device-mapper-multipath fipsify +%define watched_pkgs e2fsprogs, systemd, kpartx, device-mapper-multipath %define removal_action() rm -rf %{_localstatedir}/lib/rpm-state/initramfs @@ -111,6 +111,8 @@ echo "initramfs" %{version}-%{release} "postun" >&2 %dir %{_localstatedir}/lib/initramfs/kernel %changelog +* Tue Nov 03 2020 Srinidhi Rao 2.0-6 +- Remove the trigger for fipsify * Tue Mar 17 2020 Vikash Bansal 2.0-5 - Added trigger for fipsify * Mon Aug 27 2018 Dheeraj Shetty 2.0-4 diff --git a/SPECS/linux/genhmac.inc b/SPECS/linux/genhmac.inc deleted file mode 100644 index 372ffd7a93..0000000000 --- a/SPECS/linux/genhmac.inc +++ /dev/null @@ -1,15 +0,0 @@ -%define __modules_gen_hmac \ -MODULES="aes-x86_64 aesni-intel authenc cryptd crypto_null ctr seqiv sha512_generic tcrypt lrw xts ecb cbc des_generic sha256_generic algif_skcipher ccm cmac gcm lzo ghash-generic jitterentropy_rng drbg ecdh_generic hmac_generator" \ -KEY="FIPS-PH3-VMW2020" \ -for MODULE in $MODULES ;do \ -FULL_PATH=`find %{buildroot}/lib/modules/. -name "$MODULE.ko.xz"` \ -if [ ! -z "$FULL_PATH" ] \ -then \ -DIRECTORY=$(dirname $FULL_PATH) \ -FILENAME=$(basename $FULL_PATH) \ -openssl dgst -sha256 -hmac "$KEY" "$FULL_PATH" > $DIRECTORY/.$FILENAME.hmac \ -fi \ -done \ -VMLINUZ_PATH=%{buildroot}/boot/vmlinuz-%{uname_r} \ -openssl dgst -sha256 -hmac "$KEY" "$VMLINUZ_PATH" > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac \ -%{nil} diff --git a/SPECS/linux/linux-aws.spec b/SPECS/linux/linux-aws.spec index 484b61b410..64e34fd193 100644 --- a/SPECS/linux/linux-aws.spec +++ b/SPECS/linux/linux-aws.spec 
@@ -1,6 +1,5 @@ %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %global security_hardening none -%global photon_checksum_generator_version 1.1 %ifarch x86_64 %define arch x86_64 %define archdir x86 @@ -9,7 +8,7 @@ Summary: Kernel Name: linux-aws Version: 5.9.0 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel @@ -25,10 +24,6 @@ Source1: config-aws Source2: initramfs.trigger Source3: pre-preun-postun-tasks.inc Source4: check_for_config_applicability.inc -# Photon-checksum-generator kernel module -Source5: https://github.com/vmware/photon-checksum-generator/releases/photon-checksum-generator-%{photon_checksum_generator_version}.tar.gz -%define sha1 photon-checksum-generator=1d5c2e1855a9d1368cf87ea9a8a5838841752dc3 -Source6: genhmac.inc # common Patch0: net-Double-tcp_mem-limits.patch @@ -159,14 +154,6 @@ Requires: python3 %description docs The Linux package contains the Linux kernel doc files -%package hmacgen -Summary: HMAC SHA256/HMAC SHA512 generator -Group: System Environment/Kernel -Requires: %{name} = %{version}-%{release} -Enhances: %{name} -%description hmacgen -This Linux package contains hmac sha generator kernel module. - %ifarch x86_64 %package oprofile Summary: Kernel driver for oprofile, a statistical profiler for Linux systems @@ -179,7 +166,6 @@ Kernel driver for oprofile, a statistical profiler for Linux systems %prep #TODO: remove rcN after 5.9 goes out of rc %setup -q -n linux-%{version} -%setup -D -b 5 -n linux-%{version} %patch0 -p1 %patch1 -p1 
@@ -262,12 +248,6 @@ sed -i 's/CONFIG_LOCALVERSION="-aws"/CONFIG_LOCALVERSION="-%{release}-aws"/' .co make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH=%{arch} %{?_smp_mflags} -#build photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` modules -popd - %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ @@ -276,8 +256,6 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ done \ %{nil} -%include %{SOURCE6} - # We want to compress modules after stripping. Extra step is added to # the default __spec_install_post. %define __spec_install_post\ @@ -285,7 +263,6 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ - %{__modules_gen_hmac}\ %{nil} %install @@ -296,12 +273,6 @@ install -vdm 755 %{buildroot}%{_usrsrc}/%{name}-headers-%{uname_r} install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install -#install photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install -popd - %ifarch x86_64 # Verify for build-id match @@ -369,9 +340,6 @@ find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x /sbin/depmod -aq %{uname_r} ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg -%post hmacgen -/sbin/depmod -a %{uname_r} - %post drivers-gpu /sbin/depmod -aq %{uname_r} 
@@ -388,7 +356,6 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} -/boot/.vmlinuz-%{uname_r}.hmac %config(noreplace) /boot/%{name}-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} %defattr(0644,root,root) @@ -396,8 +363,6 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg %exclude /lib/modules/%{uname_r}/build %exclude /lib/modules/%{uname_r}/kernel/drivers/gpu %exclude /lib/modules/%{uname_r}/kernel/sound -%exclude /lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -%exclude /lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac %ifarch x86_64 %exclude /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/ %endif @@ -416,11 +381,6 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg %exclude /lib/modules/%{uname_r}/kernel/drivers/gpu/drm/cirrus/ /lib/modules/%{uname_r}/kernel/drivers/gpu -%files hmacgen -%defattr(-,root,root) -/lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -/lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac - %files sound %defattr(-,root,root) /lib/modules/%{uname_r}/kernel/sound @@ -432,6 +392,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg %endif %changelog +* Tue Nov 03 2020 Srinidhi Rao 5.9.0-2 +- Remove the support of fipsify and hmacgen * Wed Oct 28 2020 Him Kalyan Bordoloi 5.9.0-1 - Update to version 5.9.0 * Tue Sep 29 2020 Satya Naga Vasamsetty 4.19.127-3 diff --git a/SPECS/linux/linux-esx.spec b/SPECS/linux/linux-esx.spec index 31f7b2e588..accd476259 100644 --- a/SPECS/linux/linux-esx.spec +++ b/SPECS/linux/linux-esx.spec @@ -1,9 +1,8 @@ %global security_hardening none -%global photon_checksum_generator_version 1.1 Summary: Kernel Name: linux-esx Version: 5.9.0 -Release: 2%{?kat_build:.kat}%{?dist} +Release: 3%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel 
@@ -18,11 +17,6 @@ Source1: config-esx Source2: initramfs.trigger Source3: pre-preun-postun-tasks.inc Source4: check_for_config_applicability.inc -# Photon-checksum-generator kernel module -Source5: https://github.com/vmware/photon-checksum-generator/releases/photon-checksum-generator-%{photon_checksum_generator_version}.tar.gz -%define sha1 photon-checksum-generator=1d5c2e1855a9d1368cf87ea9a8a5838841752dc3 -Source6: genhmac.inc - # common Patch0: net-Double-tcp_mem-limits.patch # TODO: disable this patch, check for regressions @@ -197,17 +191,8 @@ Requires: %{name} = %{version}-%{release} %description docs The Linux package contains the Linux kernel doc files -%package hmacgen -Summary: HMAC SHA256/HMAC SHA512 generator -Group: System Environment/Kernel -Requires: %{name} = %{version}-%{release} -Enhances: %{name} -%description hmacgen -This Linux package contains hmac sha generator kernel module. - %prep %setup -q -n linux-%{version} -%setup -D -b 5 -n linux-%{version} %patch0 -p1 %patch1 -p1 
@@ -346,20 +331,12 @@ sed -i 's/CONFIG_LOCALVERSION="-esx"/CONFIG_LOCALVERSION="-%{release}-esx"/' .co make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags} -#build photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` modules -popd - # Do not compress modules which will be loaded at boot time # to speed up boot process %define __modules_install_post \ find %{buildroot}/lib/modules/%{uname_r} -name "*.ko" \! \"(" -name "*evdev*" -o -name "*mousedev*" -o -name "*sr_mod*" -o -name "*cdrom*" -o -name "*vmwgfx*" -o -name "*drm_kms_helper*" -o -name "*ttm*" -o -name "*psmouse*" -o -name "*drm*" -o -name "*apa_piix*" -o -name "*vmxnet3*" -o -name "*i2c_core*" -o -name "*libata*" -o -name "*processor*" -o -path "*ipv6*" \")" | xargs xz \ %{nil} -%include %{SOURCE6} - # We want to compress modules after stripping. Extra step is added to # the default __spec_install_post. %define __spec_install_post\ @@ -367,7 +344,6 @@ popd %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ - %{__modules_gen_hmac}\ %{nil} %install @@ -384,12 +360,6 @@ cp -r Documentation/* %{buildroot}%{_docdir}/linux-%{uname_r} install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} install -vm 644 vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} -#install photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install -popd - # TODO: noacpi acpi=off noapic pci=conf1,nodomains pcie_acpm=off pnpacpi=off cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block 
@@ -427,21 +397,15 @@ find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x /sbin/depmod -a %{uname_r} ln -sf linux-%{uname_r}.cfg /boot/photon.cfg -%post hmacgen -/sbin/depmod -a %{uname_r} - %files %defattr(-,root,root) /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} -/boot/.vmlinuz-%{uname_r}.hmac %config(noreplace) /boot/linux-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} /lib/modules/* %exclude /lib/modules/%{uname_r}/build -%exclude /lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -%exclude /lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac %files docs %defattr(-,root,root) @@ -452,12 +416,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg /lib/modules/%{uname_r}/build %{_usrsrc}/linux-headers-%{uname_r} -%files hmacgen -%defattr(-,root,root) -/lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -/lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac - %changelog +* Tue Nov 03 2020 Srinidhi Rao 5.9.0-3 +- Remove the support of fipsify and hmacgen * Tue Oct 27 2020 Srinidhi Rao 5.9.0-2 - Enable vtarfs support as module * Mon Oct 19 2020 Bo Gan 5.9.0-1 diff --git a/SPECS/linux/linux-secure.spec b/SPECS/linux/linux-secure.spec index dc329622af..104ba22bdc 100644 --- a/SPECS/linux/linux-secure.spec +++ b/SPECS/linux/linux-secure.spec @@ -1,9 +1,8 @@ %global security_hardening none -%global photon_checksum_generator_version 1.1 Summary: Kernel Name: linux-secure Version: 5.9.0 -Release: 1%{?kat_build:.kat}%{?dist} +Release: 2%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel 
@@ -18,10 +17,6 @@ Source1: config-secure Source2: initramfs.trigger Source3: pre-preun-postun-tasks.inc Source4: check_for_config_applicability.inc -# Photon-checksum-generator kernel module -Source5: https://github.com/vmware/photon-checksum-generator/releases/photon-checksum-generator-%{photon_checksum_generator_version}.tar.gz -%define sha1 photon-checksum-generator=1d5c2e1855a9d1368cf87ea9a8a5838841752dc3 -Source6: genhmac.inc # common Patch0: net-Double-tcp_mem-limits.patch @@ -106,17 +101,8 @@ Requires: %{name} = %{version}-%{release} %description docs The Linux package contains the Linux kernel doc files -%package hmacgen -Summary: HMAC SHA256/HMAC SHA512 generator -Group: System Environment/Kernel -Requires: %{name} = %{version}-%{release} -Enhances: %{name} -%description hmacgen -This Linux package contains hmac sha generator kernel module. - %prep %setup -q -n linux-%{version} -%setup -D -b 5 -n linux-%{version} %patch0 -p1 %patch1 -p1 @@ -165,12 +151,6 @@ sed -i 's/CONFIG_LOCALVERSION="-secure"/CONFIG_LOCALVERSION="-%{release}-secure" make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags} -#build photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` modules -popd - %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ @@ -179,8 +159,6 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ done \ %{nil} -%include %{SOURCE6} - # __os_install_post strips signature from modules. We need to resign it again # and then compress. Extra step is added to the default __spec_install_post. %define __spec_install_post\ @@ -188,7 +166,6 @@ done \ %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ - %{__modules_gen_hmac}\ %{nil} %install 
@@ -198,12 +175,6 @@ install -vdm 755 %{buildroot}%{_docdir}/linux-%{uname_r} install -vdm 755 %{buildroot}%{_usrsrc}/linux-headers-%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install -#install photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install -popd - install -vm 644 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 644 .config %{buildroot}/boot/config-%{uname_r} @@ -249,27 +220,16 @@ ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/bui /sbin/depmod -a %{uname_r} ln -sf linux-%{uname_r}.cfg /boot/photon.cfg -%post hmacgen -/sbin/depmod -a %{uname_r} - %files %defattr(-,root,root) /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} -/boot/.vmlinuz-%{uname_r}.hmac %config(noreplace) /boot/linux-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} /lib/modules/* %exclude /lib/modules/%{uname_r}/build %exclude /usr/src -%exclude /lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -%exclude /lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac - -%files hmacgen -%defattr(-,root,root) -/lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -/lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac %files docs %defattr(-,root,root) @@ -281,6 +241,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg /usr/src/linux-headers-%{uname_r} %changelog +* Tue Nov 03 2020 Srinidhi Rao 5.9.0-2 +- Remove the support of fipsify and hmacgen * Thu Oct 22 2020 Keerthana K 5.9.0-1 - Update to 5.9.0 * Wed Oct 14 2020 Keerthana K 5.9.0-rc7.1 diff --git a/SPECS/linux/linux.spec b/SPECS/linux/linux.spec index 34251935a1..9c0f6a346d 100644 --- a/SPECS/linux/linux.spec +++ b/SPECS/linux/linux.spec 
@@ -1,6 +1,5 @@ %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %global security_hardening none -%global photon_checksum_generator_version 1.1 %ifarch x86_64 %define arch x86_64 %define archdir x86 @@ -14,7 +13,7 @@ Summary: Kernel Name: linux Version: 5.9.0 -Release: 2%{?kat_build:.kat}%{?dist} +Release: 3%{?kat_build:.kat}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel @@ -37,10 +36,6 @@ Source5: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/DCA %define sha1 DCAP=6161846c2ba03099a2307f28a91e9d45627614d7 Source6: pre-preun-postun-tasks.inc Source7: check_for_config_applicability.inc -# Photon-checksum-generator kernel module -Source8: https://github.com/vmware/photon-checksum-generator/releases/photon-checksum-generator-%{photon_checksum_generator_version}.tar.gz -%define sha1 photon-checksum-generator=1d5c2e1855a9d1368cf87ea9a8a5838841752dc3 -Source9: genhmac.inc %define i40e_version 2.12.6 Source10: https://sourceforge.net/projects/e1000/files/i40e%20stable/%{i40e_version}/i40e-%{i40e_version}.tar.gz %define sha1 i40e=e1a28cdf7c122f177ed75b7615a0a0e221d21ff4 @@ -272,14 +267,6 @@ Requires: python3 This package provides a module that permits applications written in the Python programming language to use the interface to manipulate perf events. -%package hmacgen -Summary: HMAC SHA256/HMAC SHA512 generator -Group: System Environment/Kernel -Requires: %{name} = %{version}-%{release} -Enhances: %{name} -%description hmacgen -This Linux package contains hmac sha generator kernel module. - %prep #TODO: remove rcN after 5.9 goes out of rc %setup -q -n linux-%{version} @@ -289,7 +276,6 @@ This Linux package contains hmac sha generator kernel module. %setup -D -b 5 -n linux-%{version} %setup -D -b 10 -n linux-%{version} %endif -%setup -D -b 8 -n linux-%{version} %patch0 -p1 %patch1 -p1 
@@ -460,12 +446,6 @@ make -C src KSRC=$bldroot %{?_smp_mflags} popd %endif -#build photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` modules -popd - %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ @@ -474,8 +454,6 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ done \ %{nil} -%include %{SOURCE9} - # We want to compress modules after stripping. Extra step is added to # the default __spec_install_post. %define __spec_install_post\ @@ -483,7 +461,6 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ - %{__modules_gen_hmac}\ %{nil} %install @@ -537,12 +514,6 @@ fi install -vm 644 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} %endif -#install photon-checksum-generator module -bldroot=`pwd` -pushd ../photon-checksum-generator-%{photon_checksum_generator_version}/kernel -make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install -popd - %ifarch aarch64 install -vm 644 arch/arm64/boot/Image %{buildroot}/boot/vmlinuz-%{uname_r} %endif @@ -603,9 +574,6 @@ make -C tools ARCH=%{arch} DESTDIR=%{buildroot} prefix=%{_prefix} mandir=%{_mand /sbin/depmod -a %{uname_r} ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg -%post hmacgen -/sbin/depmod -a %{uname_r} - %post drivers-gpu /sbin/depmod -a %{uname_r} @@ -626,7 +594,6 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} -/boot/.vmlinuz-%{uname_r}.hmac %config(noreplace) /boot/%{name}-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} %defattr(0644,root,root) 
@@ -634,8 +601,6 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv %exclude /lib/modules/%{uname_r}/build %exclude /lib/modules/%{uname_r}/kernel/drivers/gpu %exclude /lib/modules/%{uname_r}/kernel/sound -%exclude /lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -%exclude /lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac %ifarch aarch64 %exclude /lib/modules/%{uname_r}/kernel/drivers/staging/vc04_services/bcm2835-audio %endif @@ -669,11 +634,6 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv /lib/modules/%{uname_r}/kernel/drivers/staging/vc04_services/bcm2835-audio %endif -%files hmacgen -%defattr(-,root,root) -/lib/modules/%{uname_r}/extra/hmac_generator.ko.xz -/lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac - %ifarch x86_64 %files drivers-intel-sgx %defattr(-,root,root) @@ -718,6 +678,8 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv %{python3_sitelib}/* %changelog +* Tue Nov 03 2020 Srinidhi Rao 5.9.0-3 +- Remove the support of fipsify and hmacgen * Tue Oct 27 2020 Piyush Gupta 5.9.0-2 - Fix aarch64 build failure due to missing CONFIG_FB_ARMLCD * Mon Oct 19 2020 Bo Gan 5.9.0-1 diff --git a/SPECS/photon-checksum-generator/photon-checksum-generator.spec b/SPECS/photon-checksum-generator/photon-checksum-generator.spec deleted file mode 100644 index a01ffeefb8..0000000000 --- a/SPECS/photon-checksum-generator/photon-checksum-generator.spec +++ /dev/null 
@@ -1,38 +0,0 @@ -Name: photon-checksum-generator -Summary: Userspace program to generate hmac sha256 / hmac sha512 sum of a file -Version: 1.1 -Release: 1%{?dist} -License: GPLv2+ -Vendor: VMware, Inc. -Distribution: Photon -Group: Utilities -Source0: https://github.com/vmware/photon-checksum-generator/%{name}-%{version}.tar.gz -%define sha1 %{name}=1d5c2e1855a9d1368cf87ea9a8a5838841752dc3 -BuildRequires: gcc -Requires: (linux-hmacgen or linux-secure-hmacgen or linux-aws-hmacgen or linux-esx-hmacgen) - -%description -Userspace program to generate hmac-sha256/ hmac-sha512 sum of a file. -This module interacts with its kernel counterpart hmacgen device to generate the -shasum of a file. - -%prep -%setup -q -n %{name}-%{version} - -%build -cd user -make all - -%install -install -vdm 755 %{buildroot}%{_bindir} -cp user/hmacgen %{buildroot}%{_bindir} - -%files -%defattr(-,root,root) -%{_bindir}/hmacgen - -%changelog -* Wed Apr 29 2020 Keerthana K 1.1-1 -- Update to version 1.1. -* Tue Feb 11 2020 Keerthana K 1.0-1 -- Initial photon checksum generator package for PhotonOS. diff --git a/installer/installer.py b/installer/installer.py index fa7f17a8ea..9e1c3080c4 100755 --- a/installer/installer.py +++ b/installer/installer.py @@ -75,7 +75,7 @@ class Installer(object): default_partitions = [{"mountpoint": "/", "size": 0, "filesystem": "ext4"}] all_linux_flavors = ["linux", "linux-esx", "linux-aws", "linux-secure", "linux-rt"] - linux_dependencies = ["devel", "drivers", "docs", "oprofile", "dtb", "hmacgen"] + linux_dependencies = ["devel", "drivers", "docs", "oprofile", "dtb"] def __init__(self, working_directory="/mnt/photon-root", rpm_path=os.path.dirname(__file__)+"/../stage/RPMS", log_path=os.path.dirname(__file__)+"/../stage/LOGS"):
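Review bot: `linux_dependencies` drops `"hmacgen"`, but none of the 12 files in this patch is a package list or kickstart sample, so any that still names `fipsify`, `photon-checksum-generator` or a `*-hmacgen` subpackage would presumably fail to resolve at install time; worth a grep before merging. How `linux_dependencies` is consumed is outside the hunk, so a one-line comment saying what the entries are (they look like sub-package suffixes for the names in `all_linux_flavors`) would help the next person who edits the list. The `__init__` signature shown as context continues past the end of the hunk.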