new file mode 100644

@@ -0,0 +1,75 @@

+diff -rup 1/linux-4.9.38/crypto/testmgr.c linux-4.9.38-old/crypto/testmgr.c

+--- 1/linux-4.9.38/crypto/testmgr.c	2017-07-15 03:17:55.000000000 -0700

+@@ -2184,6 +2184,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(md5),ecb(cipher_null))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2199,6 +2200,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha1),cbc(aes))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2212,6 +2214,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha1),cbc(des))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2243,6 +2246,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha1),ecb(cipher_null))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2266,6 +2270,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha224),cbc(des))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2307,6 +2312,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha256),cbc(des))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2342,6 +2348,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha384),cbc(des))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -2391,6 +2398,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "authenc(hmac(sha512),cbc(des))",

+ 		.test = alg_test_aead,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.aead = {

+ 				.enc = {

+@@ -3149,6 +3157,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "ecb(des)",

+ 		.test = alg_test_skcipher,

++                .fips_allowed = 1,

+ 		.suite = {

+ 			.cipher = {

+ 				.enc = {

new file mode 100644

@@ -0,0 +1,11 @@

+diff -rup linux-4.9.38-old/crypto/testmgr.c linux-4.9.38/crypto/testmgr.c

+--- linux-4.9.38-old/crypto/testmgr.c	2017-08-03 17:21:08.979019958 -0700

+@@ -3154,6 +3154,7 @@ static const struct alg_test_desc alg_te

+ 	}, {

+ 		.alg = "ecb(cipher_null)",

+ 		.test = alg_test_null,

++                .fips_allowed = 1,

+ 	}, {

+ 		.alg = "ecb(des)",

+ 		.test = alg_test_skcipher,

@@ -1177,7 +1177,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m

 CONFIG_IP_NF_TARGET_ECN=m

 CONFIG_IP_NF_TARGET_TTL=m

 CONFIG_IP_NF_RAW=m

-# CONFIG_IP_NF_SECURITY is not set

+CONFIG_IP_NF_SECURITY=m

 CONFIG_IP_NF_ARPTABLES=m

 CONFIG_IP_NF_ARPFILTER=m

 CONFIG_IP_NF_ARP_MANGLE=m

@@ -1188,17 +1188,17 @@ CONFIG_IP_NF_ARP_MANGLE=m

 CONFIG_NF_DEFRAG_IPV6=m

 CONFIG_NF_CONNTRACK_IPV6=m

 CONFIG_NF_TABLES_IPV6=m

-# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set

+CONFIG_NFT_CHAIN_ROUTE_IPV6=m

 CONFIG_NFT_REJECT_IPV6=m

-# CONFIG_NFT_DUP_IPV6 is not set

+CONFIG_NFT_DUP_IPV6=m

 CONFIG_NF_DUP_IPV6=m

 CONFIG_NF_REJECT_IPV6=m

 CONFIG_NF_LOG_IPV6=m

 CONFIG_NF_NAT_IPV6=m

-# CONFIG_NFT_CHAIN_NAT_IPV6 is not set

-# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set

-# CONFIG_NFT_MASQ_IPV6 is not set

-# CONFIG_NFT_REDIR_IPV6 is not set

+CONFIG_NFT_CHAIN_NAT_IPV6=m

+CONFIG_NF_NAT_MASQUERADE_IPV6=m

+CONFIG_NFT_MASQ_IPV6=m

+CONFIG_NFT_REDIR_IPV6=m

 CONFIG_IP6_NF_IPTABLES=m

 CONFIG_IP6_NF_MATCH_AH=m

 CONFIG_IP6_NF_MATCH_EUI64=m

@@ -1215,10 +1215,10 @@ CONFIG_IP6_NF_TARGET_REJECT=m

 CONFIG_IP6_NF_TARGET_SYNPROXY=m

 CONFIG_IP6_NF_MANGLE=m

 CONFIG_IP6_NF_RAW=m

-# CONFIG_IP6_NF_SECURITY is not set

+CONFIG_IP6_NF_SECURITY=m

 CONFIG_IP6_NF_NAT=m

-# CONFIG_IP6_NF_TARGET_MASQUERADE is not set

-# CONFIG_IP6_NF_TARGET_NPT is not set

+CONFIG_IP6_NF_TARGET_MASQUERADE=m

+CONFIG_IP6_NF_TARGET_NPT=m

 # CONFIG_NF_TABLES_BRIDGE is not set

 CONFIG_BRIDGE_NF_EBTABLES=m

 CONFIG_BRIDGE_EBT_BROUTE=m

@@ -1148,7 +1148,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m

 CONFIG_IP_NF_TARGET_ECN=m

 CONFIG_IP_NF_TARGET_TTL=m

 CONFIG_IP_NF_RAW=m

-# CONFIG_IP_NF_SECURITY is not set

+CONFIG_IP_NF_SECURITY=m

 CONFIG_IP_NF_ARPTABLES=m

 CONFIG_IP_NF_ARPFILTER=m

 CONFIG_IP_NF_ARP_MANGLE=m

@@ -1159,17 +1159,17 @@ CONFIG_IP_NF_ARP_MANGLE=m

 CONFIG_NF_DEFRAG_IPV6=m

 CONFIG_NF_CONNTRACK_IPV6=m

 CONFIG_NF_TABLES_IPV6=m

-# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set

+CONFIG_NFT_CHAIN_ROUTE_IPV6=m

 CONFIG_NFT_REJECT_IPV6=m

-# CONFIG_NFT_DUP_IPV6 is not set

+CONFIG_NFT_DUP_IPV6=m

 CONFIG_NF_DUP_IPV6=m

 CONFIG_NF_REJECT_IPV6=m

 CONFIG_NF_LOG_IPV6=m

 CONFIG_NF_NAT_IPV6=m

-# CONFIG_NFT_CHAIN_NAT_IPV6 is not set

-# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set

-# CONFIG_NFT_MASQ_IPV6 is not set

-# CONFIG_NFT_REDIR_IPV6 is not set

+CONFIG_NFT_CHAIN_NAT_IPV6=m

+CONFIG_NF_NAT_MASQUERADE_IPV6=m

+CONFIG_NFT_MASQ_IPV6=m

+CONFIG_NFT_REDIR_IPV6=m

 CONFIG_IP6_NF_IPTABLES=m

 CONFIG_IP6_NF_MATCH_AH=m

 CONFIG_IP6_NF_MATCH_EUI64=m

@@ -1186,10 +1186,10 @@ CONFIG_IP6_NF_TARGET_REJECT=m

 CONFIG_IP6_NF_TARGET_SYNPROXY=m

 CONFIG_IP6_NF_MANGLE=m

 CONFIG_IP6_NF_RAW=m

-# CONFIG_IP6_NF_SECURITY is not set

+CONFIG_IP6_NF_SECURITY=m

 CONFIG_IP6_NF_NAT=m

-# CONFIG_IP6_NF_TARGET_MASQUERADE is not set

-# CONFIG_IP6_NF_TARGET_NPT is not set

+CONFIG_IP6_NF_TARGET_MASQUERADE=m

+CONFIG_IP6_NF_TARGET_NPT=m

 # CONFIG_NF_TABLES_BRIDGE is not set

 CONFIG_BRIDGE_NF_EBTABLES=m

 CONFIG_BRIDGE_EBT_BROUTE=m

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.38

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -43,6 +43,9 @@ Patch23:        0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch

 Patch24:        0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch

 Patch25:        0013-vmbus-fix-the-missed-signaling-in-hv_signal_on_read.patch

 Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

+#FIPS patches - allow some algorithms

+Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

+Patch28:        0002-allow-also-ecb-cipher_null.patch

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

 BuildRequires:  bc

@@ -135,6 +138,8 @@ EOF

 %patch24 -p1

 %patch25 -p1

 %patch26 -p1

+%patch27 -p1

+%patch28 -p1

 pushd ..

 %patch99 -p0

@@ -250,6 +255,11 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5

+-   Allow some algorithms in FIPS mode

+-   Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports

+-   bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree

+-   Enable additional NF features

 *   Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4

 -   Add patches in Hyperv codebase

 *   Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.38

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -40,6 +40,9 @@ Patch20:        0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch

 Patch21:        0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch

 Patch22:        0013-vmbus-fix-the-missed-signaling-in-hv_signal_on_read.patch

 Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

+#FIPS patches - allow some algorithms

+Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

+Patch25:        0002-allow-also-ecb-cipher_null.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -131,6 +134,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch21 -p1

 %patch22 -p1

 %patch23 -p1

+%patch24 -p1

+%patch25 -p1

 %build

 make mrproper

@@ -290,6 +295,11 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5

+-   Allow some algorithms in FIPS mode

+-   Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports

+-   bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree

+-   Enable additional NF features

 *   Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4

 -   Add patches in Hyperv codebase

 *   Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3