feat: add openssl module #29
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Related: RHEL-65204
Resolves: RHEL-76323
| install() { | ||
| local ossl_files="${dracutbasedir}/ossl-files" | ||
|
|
||
| local openssl_cnf="$($ossl_files --config)" |
Check warning
Code scanning / shellcheck
SC2155 Warning
| /etc/pki/tls/openssl.d/* \ | ||
| /etc/crypto-policies/back-ends/opensslcnf.config \ | ||
| /usr/lib64/ossl-modules/*.so \ | ||
| $($ossl_files --engines --providers) |
Check warning
Code scanning / shellcheck
SC2046 Warning
| $($ossl_files --engines --providers) | ||
|
|
||
| mkdir -p "${initrd_openssl_cnf%/*}" | ||
| ${dracutbasedir}/ossl-config >"${initrd_openssl_cnf}" |
Check warning
Code scanning / shellcheck
SC2086 Warning
|
@neverpanic PTAL. COPR build: https://copr.fedorainfracloud.org/coprs/pvalena/dracut-rhel10/build/8653837/ AFAIR I did only one change to src/ossl/Makefile to use the distro default CFLAGS. I have not tested any runtime in initrd (should be same as before; the included files did not change). |
| /etc/pki/tls/openssl.cnf \ | ||
| /etc/pki/tls/openssl.d/* \ |
There was a problem hiding this comment.
These can be removed, the invocation of ossl-config makes sure that it exists and does not use any includes.
There was a problem hiding this comment.
Thanks; I wasn't sure about that. Shloudn't I keep it just for redundancy though?
There was a problem hiding this comment.
I wouldn't. A modified /etc/pki/tls/openssl.cnf could contain .include /opt/foobar/module.cnf, which we wouldn't copy, and could case an issue. .include /etc/pki/tls/openssl.d/ isn't the only include statement that could be in this file.
For that reason, I'd also remove the openssl.d directory. It shouldn't be needed anymore.
| /etc/pki/tls/openssl.cnf \ | ||
| /etc/pki/tls/openssl.d/* \ | ||
| /etc/crypto-policies/back-ends/opensslcnf.config \ | ||
| /usr/lib64/ossl-modules/*.so \ |
There was a problem hiding this comment.
Technically redundant, since the line after that will contain the same files. If we're aiming for the minimal initramfs, we should probably remove this line to save some space.
There was a problem hiding this comment.
Yes, exactly my thoughts :). Thanks for confirmation.
| install() { | ||
| local ossl_files="${dracutbasedir}/ossl-files" | ||
|
|
||
| local openssl_cnf="$($ossl_files --config)" |
There was a problem hiding this comment.
| local openssl_cnf="$($ossl_files --config)" | |
| local openssl_cnf="$($ossl-files --config)" |
As I understand the Makefiles, you installed this as ossl-files. The same applies below.
There was a problem hiding this comment.
I don't have it in PATH, but I have it in dracut dir, so this is a shell variable instead, difined two lines above this one :). Sorry for the confusion.
There was a problem hiding this comment.
Ah, you're right. I was confused because I missed the second $ in front.
Technically, this should be "$("$ossl_files" --config)", then, though. Although it's unlikely that there ever will be a space in $ossl_files.
WIP
Currently using only with hard coded paths.
COPR Builds: https://copr.fedorainfracloud.org/coprs/pvalena/dracut-openssl/
Smoke-test log: https://gist.github.com/pvalena/0c526ec1e3abcc571a25c13c07508be4