Description of problem: When upgrading to dracut 0.48-1 we see kernel-debug-core libkcapi libkcapi-hmaccalc added. As I build kernels myself I do not need kernel-debug-core on my disks and the use case for libkcapi libkcapi-hmaccalc needs to be explained as we could cope without them for years.
Version-Release number of selected component (if applicable): dracut-048-1.fc28.x86_64
How reproducible: dnf update
Actual results: See dependencies being added as explained.
Expected results: No such dependencies.
Additional info: dracut runs fine without these during `make modules_install install`.
Why would dracut need debug-labelled kernel modules when it simply needs to facilitate a kernel booting?
I guess that comes from:
    Requires: libkcapi-hmaccalc
because we want /usr/bin/sha512hmac
Reassigning.
Hi, we switched to a different implementation of sha512hmac (originally provided by package hmaccalc) with the goal to make dracut no longer indirectly depend on the NSS library. The main reason why the sha512hmac tool even exists is FIPS-mandated integrity checking of the kernel binaries. The new implementation uses the kernel's own cryptographic framework (via libkcapi), so it only depends on what we already need to have - the kernel. Also, the original hmaccalc package is no longer actively maintained. We have contacted the maintainer some time ago with the request to deprecate the package in favor of libkcapi-hmaccalc, but we didn't get a response. Re: kernel-debug-core dependency - this one seems really unnecessary, I'll look into why it's being pulled in and try to drop it.
Thanks for the quick reply and the explanation. I guess you can assume we have a kernel else we cannot use dracut nor libkcapi-hmaccalc.
I am not sure why kernel-debug-core is pulled in on your side... This is a fresh Fedora 28:
    # dnf update dracut
    Fedora 28 - x86_64 - Updates                     2.9 MB/s |  18 MB     00:06
    Fedora 28 - x86_64                               3.5 MB/s |  60 MB     00:17
    Last metadata expiration check: 0:00:09 ago on Fri 13 Jul 2018 09:36:46 AM CEST.
    Dependencies resolved.
    ================================================================================================================
     Package                        Arch          Version               Repository          Size
    ================================================================================================================
    Upgrading:
     dracut                         x86_64        048-1.fc28            updates            352 k
     dracut-config-rescue           x86_64        048-1.fc28            updates             47 k
     dracut-live                    x86_64        048-1.fc28            updates             57 k
     dracut-network                 x86_64        048-1.fc28            updates             91 k
    Installing dependencies:
     libkcapi                       x86_64        1.1.1-1.fc28          updates             43 k
     libkcapi-hmaccalc              x86_64        1.1.1-1.fc28          updates             25 k
    Transaction Summary
    ================================================================================================================
    Install  2 Packages
    Upgrade  4 Packages
    Total download size: 616 k
    Is this ok [y/N]:
Did you try on a system with no kernel-* rpms? I can repeat the solid assumption that without the kernel there is no userland and thus no use case for dracut nor libkcapi-hmaccalc.
    $ dnf repoquery --provides kernel-debug-core 2>/dev/null | head
    installonlypkg(kernel)
    kernel = 4.16.3-301.fc28
    kernel = 4.17.4-200.fc28
    kernel-debug-core = 4.16.3-301.fc28
    kernel-debug-core = 4.17.4-200.fc28
    kernel-debug-core(x86-64) = 4.16.3-301.fc28
    kernel-debug-core(x86-64) = 4.17.4-200.fc28
    kernel-debug-core-uname-r = 4.16.3-301.fc28.x86_64+debug
    kernel-debug-core-uname-r = 4.17.4-200.fc28.x86_64+debug
    kernel-drm-nouveau = 16
So, the reason is that 'kernel-debug-core' provides 'kernel' if the proper kernel package is not available... Based on the comments in the specfile, the only reason why libkcapi is made to depend on kernel is to ensure that a recent enough version of the kernel is installed. However, the actual running kernel may have a different version anyway (for example when running in mock/booting into an older kernel/...) so I would say it is better to just drop that dependency altogether. Björn, would you be OK with removing the Requires on kernel and also the BuildRequires on kernel-headers?
I suppose the BuildRequires dependence on kernel-headers cannot be dropped. Or am I mistaken and libkcapi builds fine without kernel-headers present?
(In reply to Tomas Mraz from comment #8)
> I suppose the BuildRequires dependence on kernel-headers cannot be dropped.
> Or am I mistaken and libkcapi builds fine without kernel-headers present?
I'm not exactly sure why but it isn't necessary. I did quite a few builds internally without it and it worked fine. I think it is thanks to mock being wise enough to expose the host system's kernel headers automatically (which makes sense, as the build runs on the host kernel). I think in general we should assume that it's the user's choice how they install the kernel. If I understand udo's use case correctly, it may well be that you can have Fedora installed without the kernel RPMs and just manually install your own kernel (and headers).
If the build dependency is there but it is just indirectly satisfied via other dependencies I would still say it should be in the SPEC file. Having Fedora with your-own-compiled-and-nonpackaged kernel is not a supported thing. I'm not saying we should actively block this use-case but having kernel-headers installed does not block you from building and using your own kernel.
Kernel-headers are not an issue for me...
Turns out I was wrong, kernel-headers is indeed just installed as an indirect dependency, no mock magic going on here... I'll keep the kernel-headers BuildRequires then.
Hey all. Is there a reason this is landing in Fedora 28 instead of rawhide and then Fedora 29? I got here because I noticed the .hmac files:
    Warning: Hidden file found: /usr/bin/.sha384hmac.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.sha256hmac.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.sha224hmac.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.sha1hmac.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.sha512hmac.hmac: ASCII text
(which will need to be added to rkhunter's whitelist).
(In reply to Kevin Fenzi from comment #14)
> Hey all. Is there a reason this is landing in Fedora 28 instead of rawhide
> and then Fedora 29?
I am running Fedora 28 and not 29 nor Rawhide.
> I got here because I noticed the .hmac files:
Separate issue but confirmed here. What is their purpose and why are they hidden?
They are HMAC checksums of the sha*hmac binaries. They are hidden because they are not binaries.
(In reply to Kevin Fenzi from comment #14)
> I got here because I noticed the .hmac files:
>
> Warning: Hidden file found: /usr/bin/.sha384hmac.hmac: ASCII text
> Warning: Hidden file found: /usr/bin/.sha256hmac.hmac: ASCII text
> Warning: Hidden file found: /usr/bin/.sha224hmac.hmac: ASCII text
> Warning: Hidden file found: /usr/bin/.sha1hmac.hmac: ASCII text
> Warning: Hidden file found: /usr/bin/.sha512hmac.hmac: ASCII text
>
> (which will need to be added to rkhunters whitelist).
See https://bugzilla.redhat.com/show_bug.cgi?id=1601426, the HMAC files should move to a more suitable place and be no longer hidden with the next update.
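Added illustration of the integrity check discussed in this thread (not code from libkcapi, hmaccalc or dracut): a file's HMAC is recomputed and compared with the value recorded in a hidden sidecar file beside it. The key and the sidecar layout (hex digest as the first token) are assumptions made for this example.

```python
import hmac
import tempfile
from pathlib import Path

# Constructed key for this example only; not the key any real package uses.
EXAMPLE_KEY = b"constructed-example-key"


def file_hmac(path, key, digest="sha512", chunk_size=65536):
    """Return the hex HMAC of a file, reading it in chunks."""
    mac = hmac.new(key, digestmod=digest)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def sidecar_path(path):
    """Hidden sidecar beside the file: /usr/bin/foo -> /usr/bin/.foo.hmac."""
    p = Path(path)
    return p.with_name("." + p.name + ".hmac")


def verify(path, key):
    """Return 'ok', 'mismatch' or 'missing' for one file and its sidecar."""
    try:
        tokens = sidecar_path(path).read_text(encoding="ascii").split()
    except FileNotFoundError:
        return "missing"
    except UnicodeDecodeError:
        return "mismatch"  # sidecar is not the ASCII text it should be
    if not tokens:
        return "mismatch"  # empty sidecar records nothing to compare
    # Constant-time comparison of the recorded and the recomputed value.
    actual = file_hmac(path, key)
    return "ok" if hmac.compare_digest(tokens[0].lower(), actual) else "mismatch"


def demo():
    """Build a sample file and sidecar, then verify before and after a change."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "sha512hmac"
        target.write_bytes(b"constructed sample binary contents\n")
        results = [verify(target, EXAMPLE_KEY)]            # no sidecar yet
        sidecar_path(target).write_text(file_hmac(target, EXAMPLE_KEY) + "\n")
        results.append(verify(target, EXAMPLE_KEY))        # untouched file
        target.write_bytes(b"constructed sample binary contents!\n")
        results.append(verify(target, EXAMPLE_KEY))        # content changed
    return results


if __name__ == "__main__":
    print(demo())
```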
Björn is not responding, so I'll go ahead and remove the Requires: kernel dependency (but keep the BuildRequires on kernel-headers). I don't think the minimum kernel version enforcement is that important and it causes a real issue here.
Commit: https://src.fedoraproject.org/rpms/libkcapi/c/ea59de0d6c64d237f36ea3d2e14605bced2ef188
Builds:
F28: https://koji.fedoraproject.org/koji/taskinfo?taskID=28541296
rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=28541272
libkcapi-1.1.1-7.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4cc4afbae7
libkcapi-1.1.1-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5525838a97
libkcapi-1.1.1-7.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4cc4afbae7
libkcapi-1.1.1-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5525838a97
libkcapi-1.1.1-8.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4cc4afbae7
libkcapi-1.1.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5525838a97
libkcapi-1.1.1-8.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4cc4afbae7
libkcapi-1.1.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5525838a97
libkcapi-1.1.1-11.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ace705a9eb
libkcapi-1.1.1-11.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3fa30b97d1
libkcapi-1.1.1-11.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ace705a9eb
libkcapi-1.1.1-11.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3fa30b97d1
libkcapi-1.1.1-11.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
libkcapi-1.1.1-11.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.