Change-Id: If86dfc6711724340e2ea4ea7a580342e86a3d5f0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3405
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,75 @@ |
0 |
+diff -rup 1/linux-4.9.38/crypto/testmgr.c linux-4.9.38-old/crypto/testmgr.c |
|
1 |
+--- 1/linux-4.9.38/crypto/testmgr.c 2017-07-15 03:17:55.000000000 -0700 |
|
2 |
+@@ -2184,6 +2184,7 @@ static const struct alg_test_desc alg_te |
|
3 |
+ }, { |
|
4 |
+ .alg = "authenc(hmac(md5),ecb(cipher_null))", |
|
5 |
+ .test = alg_test_aead, |
|
6 |
++ .fips_allowed = 1, |
|
7 |
+ .suite = { |
|
8 |
+ .aead = { |
|
9 |
+ .enc = { |
|
10 |
+@@ -2199,6 +2200,7 @@ static const struct alg_test_desc alg_te |
|
11 |
+ }, { |
|
12 |
+ .alg = "authenc(hmac(sha1),cbc(aes))", |
|
13 |
+ .test = alg_test_aead, |
|
14 |
++ .fips_allowed = 1, |
|
15 |
+ .suite = { |
|
16 |
+ .aead = { |
|
17 |
+ .enc = { |
|
18 |
+@@ -2212,6 +2214,7 @@ static const struct alg_test_desc alg_te |
|
19 |
+ }, { |
|
20 |
+ .alg = "authenc(hmac(sha1),cbc(des))", |
|
21 |
+ .test = alg_test_aead, |
|
22 |
++ .fips_allowed = 1, |
|
23 |
+ .suite = { |
|
24 |
+ .aead = { |
|
25 |
+ .enc = { |
|
26 |
+@@ -2243,6 +2246,7 @@ static const struct alg_test_desc alg_te |
|
27 |
+ }, { |
|
28 |
+ .alg = "authenc(hmac(sha1),ecb(cipher_null))", |
|
29 |
+ .test = alg_test_aead, |
|
30 |
++ .fips_allowed = 1, |
|
31 |
+ .suite = { |
|
32 |
+ .aead = { |
|
33 |
+ .enc = { |
|
34 |
+@@ -2266,6 +2270,7 @@ static const struct alg_test_desc alg_te |
|
35 |
+ }, { |
|
36 |
+ .alg = "authenc(hmac(sha224),cbc(des))", |
|
37 |
+ .test = alg_test_aead, |
|
38 |
++ .fips_allowed = 1, |
|
39 |
+ .suite = { |
|
40 |
+ .aead = { |
|
41 |
+ .enc = { |
|
42 |
+@@ -2307,6 +2312,7 @@ static const struct alg_test_desc alg_te |
|
43 |
+ }, { |
|
44 |
+ .alg = "authenc(hmac(sha256),cbc(des))", |
|
45 |
+ .test = alg_test_aead, |
|
46 |
++ .fips_allowed = 1, |
|
47 |
+ .suite = { |
|
48 |
+ .aead = { |
|
49 |
+ .enc = { |
|
50 |
+@@ -2342,6 +2348,7 @@ static const struct alg_test_desc alg_te |
|
51 |
+ }, { |
|
52 |
+ .alg = "authenc(hmac(sha384),cbc(des))", |
|
53 |
+ .test = alg_test_aead, |
|
54 |
++ .fips_allowed = 1, |
|
55 |
+ .suite = { |
|
56 |
+ .aead = { |
|
57 |
+ .enc = { |
|
58 |
+@@ -2391,6 +2398,7 @@ static const struct alg_test_desc alg_te |
|
59 |
+ }, { |
|
60 |
+ .alg = "authenc(hmac(sha512),cbc(des))", |
|
61 |
+ .test = alg_test_aead, |
|
62 |
++ .fips_allowed = 1, |
|
63 |
+ .suite = { |
|
64 |
+ .aead = { |
|
65 |
+ .enc = { |
|
66 |
+@@ -3149,6 +3157,7 @@ static const struct alg_test_desc alg_te |
|
67 |
+ }, { |
|
68 |
+ .alg = "ecb(des)", |
|
69 |
+ .test = alg_test_skcipher, |
|
70 |
++ .fips_allowed = 1, |
|
71 |
+ .suite = { |
|
72 |
+ .cipher = { |
|
73 |
+ .enc = { |
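Review bot: The revert sets `.fips_allowed = 1` on weak and non-encrypting entries, not only on the AES one: the visible hunks cover `authenc(hmac(md5),ecb(cipher_null))`, `authenc(hmac(sha1),ecb(cipher_null))`, every `authenc(hmac(shaN),cbc(des))` variant and `ecb(des)`. MD5 and single DES are not FIPS-approved, and with the flag set testmgr should no longer refuse these entries under `fips=1`, so a consumer could end up with single-DES or null encryption on a system that reports FIPS mode. If the requirement is only the AES combination, carry just the `authenc(hmac(sha1),cbc(aes))` hunk and drop the others. If the DES and null entries really are needed, name the consumer in a patch header so the exception can be audited. The `alg_test_descs` table starts and ends outside these hunks, so other entries may already differ.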
0 | 74 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,11 @@ |
0 |
+diff -rup linux-4.9.38-old/crypto/testmgr.c linux-4.9.38/crypto/testmgr.c |
|
1 |
+--- linux-4.9.38-old/crypto/testmgr.c 2017-08-03 17:21:08.979019958 -0700 |
|
2 |
+@@ -3154,6 +3154,7 @@ static const struct alg_test_desc alg_te |
|
3 |
+ }, { |
|
4 |
+ .alg = "ecb(cipher_null)", |
|
5 |
+ .test = alg_test_null, |
|
6 |
++ .fips_allowed = 1, |
|
7 |
+ }, { |
|
8 |
+ .alg = "ecb(des)", |
|
9 |
+ .test = alg_test_skcipher, |
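Review bot: This patch file starts directly at `diff -rup` with no header, so nothing in it says why the null cipher `ecb(cipher_null)` must be usable in FIPS mode or which upstream change it backports. The hash appears only in the spec changelog. Add a short header such as `Backport of upstream bcf741cb779283081db47853264cc94854e7ad83`, plus one line naming the component that needs the algorithm. The first patch needs the same for its revert of 284a0f6e87b0721e1be8bca419893902d9cf577a. The tree names are also confusing: `linux-4.9.38-old` is the new side of the first patch and the old side of this one, so regenerating both from a git tree would make the series easier to verify.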
... | ... |
@@ -1177,7 +1177,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m |
1177 | 1177 |
CONFIG_IP_NF_TARGET_ECN=m |
1178 | 1178 |
CONFIG_IP_NF_TARGET_TTL=m |
1179 | 1179 |
CONFIG_IP_NF_RAW=m |
1180 |
-# CONFIG_IP_NF_SECURITY is not set |
|
1180 |
+CONFIG_IP_NF_SECURITY=m |
|
1181 | 1181 |
CONFIG_IP_NF_ARPTABLES=m |
1182 | 1182 |
CONFIG_IP_NF_ARPFILTER=m |
1183 | 1183 |
CONFIG_IP_NF_ARP_MANGLE=m |
... | ... |
@@ -1188,17 +1188,17 @@ CONFIG_IP_NF_ARP_MANGLE=m |
1188 | 1188 |
CONFIG_NF_DEFRAG_IPV6=m |
1189 | 1189 |
CONFIG_NF_CONNTRACK_IPV6=m |
1190 | 1190 |
CONFIG_NF_TABLES_IPV6=m |
1191 |
-# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set |
|
1191 |
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m |
|
1192 | 1192 |
CONFIG_NFT_REJECT_IPV6=m |
1193 |
-# CONFIG_NFT_DUP_IPV6 is not set |
|
1193 |
+CONFIG_NFT_DUP_IPV6=m |
|
1194 | 1194 |
CONFIG_NF_DUP_IPV6=m |
1195 | 1195 |
CONFIG_NF_REJECT_IPV6=m |
1196 | 1196 |
CONFIG_NF_LOG_IPV6=m |
1197 | 1197 |
CONFIG_NF_NAT_IPV6=m |
1198 |
-# CONFIG_NFT_CHAIN_NAT_IPV6 is not set |
|
1199 |
-# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set |
|
1200 |
-# CONFIG_NFT_MASQ_IPV6 is not set |
|
1201 |
-# CONFIG_NFT_REDIR_IPV6 is not set |
|
1198 |
+CONFIG_NFT_CHAIN_NAT_IPV6=m |
|
1199 |
+CONFIG_NF_NAT_MASQUERADE_IPV6=m |
|
1200 |
+CONFIG_NFT_MASQ_IPV6=m |
|
1201 |
+CONFIG_NFT_REDIR_IPV6=m |
|
1202 | 1202 |
CONFIG_IP6_NF_IPTABLES=m |
1203 | 1203 |
CONFIG_IP6_NF_MATCH_AH=m |
1204 | 1204 |
CONFIG_IP6_NF_MATCH_EUI64=m |
... | ... |
@@ -1215,10 +1215,10 @@ CONFIG_IP6_NF_TARGET_REJECT=m |
1215 | 1215 |
CONFIG_IP6_NF_TARGET_SYNPROXY=m |
1216 | 1216 |
CONFIG_IP6_NF_MANGLE=m |
1217 | 1217 |
CONFIG_IP6_NF_RAW=m |
1218 |
-# CONFIG_IP6_NF_SECURITY is not set |
|
1218 |
+CONFIG_IP6_NF_SECURITY=m |
|
1219 | 1219 |
CONFIG_IP6_NF_NAT=m |
1220 |
-# CONFIG_IP6_NF_TARGET_MASQUERADE is not set |
|
1221 |
-# CONFIG_IP6_NF_TARGET_NPT is not set |
|
1220 |
+CONFIG_IP6_NF_TARGET_MASQUERADE=m |
|
1221 |
+CONFIG_IP6_NF_TARGET_NPT=m |
|
1222 | 1222 |
# CONFIG_NF_TABLES_BRIDGE is not set |
1223 | 1223 |
CONFIG_BRIDGE_NF_EBTABLES=m |
1224 | 1224 |
CONFIG_BRIDGE_EBT_BROUTE=m |
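Review bot: The ten netfilter options switched from "is not set" to `=m` in this file are unrelated to the FIPS change, and the only stated reason is the changelog line "Enable additional NF features". Each one adds loadable code on the packet path, so the commit should say which feature needs which option, ideally as a separate change. `CONFIG_IP_NF_SECURITY=m` and `CONFIG_IP6_NF_SECURITY=m` add the iptables `security` table, which is only useful with a MAC policy and the `CONFIG_NETFILTER_XT_TARGET_SECMARK` / `CONFIG_NETFILTER_XT_TARGET_CONNSECMARK` targets. Those are not visible in these hunks, so confirm they are enabled or leave the two tables off. The second config section below carries the same ten changes.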
... | ... |
@@ -1148,7 +1148,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m |
1148 | 1148 |
CONFIG_IP_NF_TARGET_ECN=m |
1149 | 1149 |
CONFIG_IP_NF_TARGET_TTL=m |
1150 | 1150 |
CONFIG_IP_NF_RAW=m |
1151 |
-# CONFIG_IP_NF_SECURITY is not set |
|
1151 |
+CONFIG_IP_NF_SECURITY=m |
|
1152 | 1152 |
CONFIG_IP_NF_ARPTABLES=m |
1153 | 1153 |
CONFIG_IP_NF_ARPFILTER=m |
1154 | 1154 |
CONFIG_IP_NF_ARP_MANGLE=m |
... | ... |
@@ -1159,17 +1159,17 @@ CONFIG_IP_NF_ARP_MANGLE=m |
1159 | 1159 |
CONFIG_NF_DEFRAG_IPV6=m |
1160 | 1160 |
CONFIG_NF_CONNTRACK_IPV6=m |
1161 | 1161 |
CONFIG_NF_TABLES_IPV6=m |
1162 |
-# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set |
|
1162 |
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m |
|
1163 | 1163 |
CONFIG_NFT_REJECT_IPV6=m |
1164 |
-# CONFIG_NFT_DUP_IPV6 is not set |
|
1164 |
+CONFIG_NFT_DUP_IPV6=m |
|
1165 | 1165 |
CONFIG_NF_DUP_IPV6=m |
1166 | 1166 |
CONFIG_NF_REJECT_IPV6=m |
1167 | 1167 |
CONFIG_NF_LOG_IPV6=m |
1168 | 1168 |
CONFIG_NF_NAT_IPV6=m |
1169 |
-# CONFIG_NFT_CHAIN_NAT_IPV6 is not set |
|
1170 |
-# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set |
|
1171 |
-# CONFIG_NFT_MASQ_IPV6 is not set |
|
1172 |
-# CONFIG_NFT_REDIR_IPV6 is not set |
|
1169 |
+CONFIG_NFT_CHAIN_NAT_IPV6=m |
|
1170 |
+CONFIG_NF_NAT_MASQUERADE_IPV6=m |
|
1171 |
+CONFIG_NFT_MASQ_IPV6=m |
|
1172 |
+CONFIG_NFT_REDIR_IPV6=m |
|
1173 | 1173 |
CONFIG_IP6_NF_IPTABLES=m |
1174 | 1174 |
CONFIG_IP6_NF_MATCH_AH=m |
1175 | 1175 |
CONFIG_IP6_NF_MATCH_EUI64=m |
... | ... |
@@ -1186,10 +1186,10 @@ CONFIG_IP6_NF_TARGET_REJECT=m |
1186 | 1186 |
CONFIG_IP6_NF_TARGET_SYNPROXY=m |
1187 | 1187 |
CONFIG_IP6_NF_MANGLE=m |
1188 | 1188 |
CONFIG_IP6_NF_RAW=m |
1189 |
-# CONFIG_IP6_NF_SECURITY is not set |
|
1189 |
+CONFIG_IP6_NF_SECURITY=m |
|
1190 | 1190 |
CONFIG_IP6_NF_NAT=m |
1191 |
-# CONFIG_IP6_NF_TARGET_MASQUERADE is not set |
|
1192 |
-# CONFIG_IP6_NF_TARGET_NPT is not set |
|
1191 |
+CONFIG_IP6_NF_TARGET_MASQUERADE=m |
|
1192 |
+CONFIG_IP6_NF_TARGET_NPT=m |
|
1193 | 1193 |
# CONFIG_NF_TABLES_BRIDGE is not set |
1194 | 1194 |
CONFIG_BRIDGE_NF_EBTABLES=m |
1195 | 1195 |
CONFIG_BRIDGE_EBT_BROUTE=m |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.9.38 |
5 |
-Release: 4%{?dist} |
|
5 |
+Release: 5%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -43,6 +43,9 @@ Patch23: 0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch |
43 | 43 |
Patch24: 0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch |
44 | 44 |
Patch25: 0013-vmbus-fix-the-missed-signaling-in-hv_signal_on_read.patch |
45 | 45 |
Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
46 |
+#FIPS patches - allow some algorithms |
|
47 |
+Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
|
48 |
+Patch28: 0002-allow-also-ecb-cipher_null.patch |
|
46 | 49 |
# NSX requirements (should be removed) |
47 | 50 |
Patch99: LKCM.patch |
48 | 51 |
BuildRequires: bc |
... | ... |
@@ -135,6 +138,8 @@ EOF |
135 | 135 |
%patch24 -p1 |
136 | 136 |
%patch25 -p1 |
137 | 137 |
%patch26 -p1 |
138 |
+%patch27 -p1 |
|
139 |
+%patch28 -p1 |
|
138 | 140 |
|
139 | 141 |
pushd .. |
140 | 142 |
%patch99 -p0 |
... | ... |
@@ -250,6 +255,11 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
250 | 250 |
/usr/src/linux-headers-%{uname_r} |
251 | 251 |
|
252 | 252 |
%changelog |
253 |
+* Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5 |
|
254 |
+- Allow some algorithms in FIPS mode |
|
255 |
+- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports |
|
256 |
+- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree |
|
257 |
+- Enable additional NF features |
|
253 | 258 |
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4 |
254 | 259 |
- Add patches in Hyperv codebase |
255 | 260 |
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3 |
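Review bot: The comment `#FIPS patches - allow some algorithms` above Patch27/Patch28 does not say which algorithms are being allowed or where the patches come from, which matters for a change that loosens the FIPS allow-list. I would write it as `# FIPS: re-allow authenc() and ecb(des) (reverts 284a0f6e87b0), allow ecb(cipher_null) (backports bcf741cb7792)`. In the `%changelog` entry the word "backports" and its hash are split across two `-` items, which reads as two separate changes. Join them into one line. The same comment and changelog wording appear in the second spec section (Patch24/Patch25).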
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.38 |
5 |
-Release: 4%{?dist} |
|
5 |
+Release: 5%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -40,6 +40,9 @@ Patch20: 0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch |
40 | 40 |
Patch21: 0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch |
41 | 41 |
Patch22: 0013-vmbus-fix-the-missed-signaling-in-hv_signal_on_read.patch |
42 | 42 |
Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
43 |
+#FIPS patches - allow some algorithms |
|
44 |
+Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
|
45 |
+Patch25: 0002-allow-also-ecb-cipher_null.patch |
|
43 | 46 |
|
44 | 47 |
BuildRequires: bc |
45 | 48 |
BuildRequires: kbd |
... | ... |
@@ -131,6 +134,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
131 | 131 |
%patch21 -p1 |
132 | 132 |
%patch22 -p1 |
133 | 133 |
%patch23 -p1 |
134 |
+%patch24 -p1 |
|
135 |
+%patch25 -p1 |
|
134 | 136 |
|
135 | 137 |
%build |
136 | 138 |
make mrproper |
... | ... |
@@ -290,6 +295,11 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
290 | 290 |
/usr/share/doc/* |
291 | 291 |
|
292 | 292 |
%changelog |
293 |
+* Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5 |
|
294 |
+- Allow some algorithms in FIPS mode |
|
295 |
+- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports |
|
296 |
+- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree |
|
297 |
+- Enable additional NF features |
|
293 | 298 |
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4 |
294 | 299 |
- Add patches in Hyperv codebase |
295 | 300 |
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3 |