This commit updates the last PR patch (one of the commits was not
accepted upstream) and adds new fixes that have been added in the
meantime (including an alternative version of the patch that had been
dropped).
Putting the .hmac files into the same directory as the checked binary
causes rpmlint errors and is generaly not a good idea (there could be a
multilib conflict).
Since dracut is already hard-coded to search for them in
/lib(64)?/fipscheck and /lib(64)?/hmaccalc, let's just drop them there.
This commit adds a temporary workaround for failing builds with the new
4.18-rcX kernel on rawhide. The issue will likely be fixed in the kernel
before the final 4.18 release. The workaround can be removed then.
Upstream issue: https://github.com/smuellerDD/libkcapi/issues/59
Use the freshly-built binaries to recompute the checksums in the
post-install hook. This allows us to drop the build-time dependencies
on hmaccalc (i.e. itself) and fipscheck.
This patch also fixes the computation of self-check .hmac files.
Before, fipshmac was used for all binaries but since the hmaccalc tools
use different parameters (SHA-512 instead of SHA-256 and a different
key, this would lead to self-check failures for hmaccalc. The new
post-install script calculates the hmaccalc files using sha512hmac and
other .hmac files using fipshmac.
The parameters for the self-check of the library were also consolidated
upstream to use a single parameter set across tools (the fipscheck
parameters) so that the library is checked correctly by all tools.
I also dropped the kcapi-hasher binary and the hasher subpackage as it
is really useless on its own (and the other hasher tools are always
created as hard links). It would also be impossible to add a universally
correct .hmac file since different tools would check against it with
different parameters.
Let the build fail, if the minimum kernel version cannot be met
Conditionalize the sysctl.d tweak on version of the kernel
Conditionalize the name of README.distro on the distro
Ondrej Mosnacek
Igor Gnatenko
Fedora Release Engineering
Björn Esser