# cd /lib/modules/`uname -r`/build
# patch -p1 -b < /tmp/igb_main.c.patch
patching file drivers/net/ethernet/intel/igb/igb_main.c
Hunk #1 succeeded at 4534 (offset -197 lines).
Hunk #2 succeeded at 4548 (offset -197 lines).
パッチを適用後、下記の手順でモジュールを作成します。
# ./ccur-config -c -n
# make -C /lib/modules/`uname -r`/build M=/lib/modules/`uname -r`/build/drivers/net/ethernet/intel/igb REDHAWKFLAVOR=`cat /proc/ccur/flavor` modules
# make -C /lib/modules/`uname -r`/build M=/lib/modules/`uname -r`/build/drivers/net/ethernet/intel/igb REDHAWKFLAVOR=`cat /proc/ccur/flavor` modules_install
# depmod
正しく組み込まれている場合、下記のようにextraディレクトリにインストールされています。
# modprobe -r igb
# modprobe igb
# dmesg|grep igb
igb: Intel(R) Gigabit Ethernet Network Driver
igb: Copyright (c) 2007-2014 Intel Corporation.
# modinfo igb |grep filename
filename: /lib/modules/5.4.109-rt56-RedHawk-8.2.3/extra/igb.ko
initramfsにigbドライバが含まれている場合には、initramfsも再構築する必要があります。
# dracut -f
initramfsにigbドライバを組み込みたくない場合には、以下の手順で再構築してください。
# dracut -f --omit-drivers="igb"
Polkit 権限の昇格(CVE-2021-4034 No2)について(2022.09.16)
# cd /run/media/root/RedHawk-8.2.2-x86_64
# dnf localinstall \
./AppStream/Packages/motif-2.3.4-16.el8.i686.rpm \
./AppStream/Packages/motif-2.3.4-16.el8.x86_64.rpm \
./AppStream/Packages/motif-devel-2.3.4-16.el8.i686.rpm \
./AppStream/Packages/motif-devel-2.3.4-16.el8.x86_64.rpm \
./AppStream/Packages/libXp-1.0.3-3.el8.i686.rpm \
./AppStream/Packages/libXp-1.0.3-3.el8.x86_64.rpm \
./AppStream/Packages/libXp-devel-1.0.3-3.el8.i686.rpm \
./AppStream/Packages/libXp-devel-1.0.3-3.el8.x86_64.rpm \
./AppStream/Packages/xorg-x11-xbitmaps-1.1.1-13.el8.noarch.rpm \
./AppStream/Packages/libICE-1.0.9-15.el8.i686.rpm \
./AppStream/Packages/libSM-1.2.3-1.el8.i686.rpm \
./AppStream/Packages/libX11-1.6.8-3.el8.i686.rpm \
./AppStream/Packages/libXext-1.3.3-9.el8.i686.rpm \
./AppStream/Packages/libXft-2.3.2-10.el8.i686.rpm \
./AppStream/Packages/libXmu-1.1.2-12.el8.i686.rpm \
./AppStream/Packages/libXt-1.1.5-12.el8.i686.rpm \
./AppStream/Packages/libjpeg-turbo-1.5.3-10.el8.i686.rpm \
./AppStream/Packages/libXext-devel-1.3.3-9.el8.i686.rpm \
./AppStream/Packages/libXft-devel-2.3.2-10.el8.i686.rpm \
./AppStream/Packages/libXmu-devel-1.1.2-12.el8.i686.rpm \
./AppStream/Packages/libXt-devel-1.1.5-12.el8.i686.rpm \
./AppStream/Packages/libjpeg-turbo-devel-1.5.3-10.el8.i686.rpm \
./AppStream/Packages/libXft-devel-2.3.2-10.el8.x86_64.rpm \
./AppStream/Packages/libjpeg-turbo-devel-1.5.3-10.el8.x86_64.rpm \
./AppStream/Packages/libXau-1.0.8-13.el8.i686.rpm \
./AppStream/Packages/libxcb-1.13.1-1.el8.i686.rpm \
./AppStream/Packages/libXrender-0.9.10-7.el8.i686.rpm \
./AppStream/Packages/libXrender-devel-0.9.10-7.el8.i686.rpm \
./BaseOS/Packages/bzip2-devel-1.0.6-26.el8.i686.rpm \
./BaseOS/Packages/bzip2-libs-1.0.6-26.el8.i686.rpm \
./BaseOS/Packages/expat-2.2.5-3.el8.i686.rpm \
./BaseOS/Packages/expat-devel-2.2.5-3.el8.i686.rpm \
./BaseOS/Packages/fontconfig-2.13.1-3.el8.i686.rpm \
./BaseOS/Packages/fontconfig-devel-2.13.1-3.el8.i686.rpm \
./BaseOS/Packages/freetype-2.9.1-4.el8.i686.rpm \
./BaseOS/Packages/freetype-devel-2.9.1-4.el8.i686.rpm \
./BaseOS/Packages/libpkgconf-1.4.2-1.el8.i686.rpm \
./BaseOS/Packages/libpng-1.6.34-5.el8.i686.rpm \
./BaseOS/Packages/libpng-devel-1.6.34-5.el8.i686.rpm \
./BaseOS/Packages/libpng-devel-1.6.34-5.el8.x86_64.rpm \
./BaseOS/Packages/libuuid-2.32.1-22.el8.i686.rpm \
./BaseOS/Packages/libuuid-devel-2.32.1-22.el8.i686.rpm \
./BaseOS/Packages/pkgconf-1.4.2-1.el8.i686.rpm \
./BaseOS/Packages/pkgconf-pkg-config-1.4.2-1.el8.i686.rpm \
./BaseOS/Packages/zlib-1.2.11-16.el8_2.i686.rpm \
./BaseOS/Packages/zlib-devel-1.2.11-16.el8_2.i686.rpm
なお、下記2つの静的パッケージは、インストールを推奨しません。
./AppStream/Packages/motif-static-2.3.4-16.el8.i686.rpm
./AppStream/Packages/motif-static-2.3.4-16.el8.x86_64.rpm
# cd /run/media/root/CentOS-8.2-Updates-x86_64/
# dnf localinstall \
./AppStream/Packages/libvirt-daemon-config-network-4.5.0-42.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/libguestfs-1.38.4-15.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/libvirt-client-4.5.0-42.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/autogen-libopts-5.18.12-7.el8.x86_64.rpm \
./AppStream/Packages/gnutls-dane-3.6.8-11.el8_2.x86_64.rpm \
./AppStream/Packages/gnutls-utils-3.6.8-11.el8_2.x86_64.rpm \
./AppStream/Packages/hivex-1.3.15-7.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/libvirt-bash-completion-4.5.0-42.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/scrub-2.5.2-14.el8.x86_64.rpm \
./AppStream/Packages/supermin-5.1.19-9.module_el8.2.0+320+13f867d7.x86_64.rpm \
./BaseOS/Packages/syslinux-6.04-4.el8.x86_64.rpm \
./BaseOS/Packages/syslinux-extlinux-6.04-4.el8.x86_64.rpm \
./BaseOS/Packages/syslinux-extlinux-nonlinux-6.04-4.el8.noarch.rpm \
./BaseOS/Packages/syslinux-nonlinux-6.04-4.el8.noarch.rpm \
./AppStream/Packages/virt-install-2.2.1-3.el8.noarch.rpm \
./AppStream/Packages/virt-manager-common-2.2.1-3.el8.noarch.rpm \
./AppStream/Packages/python3-argcomplete-1.9.3-6.el8.noarch.rpm \
./AppStream/Packages/python3-libvirt-4.5.0-2.module_el8.2.0+320+13f867d7.x86_64.rpm \
./AppStream/Packages/virt-manager-2.2.1-3.el8.noarch.rpm \
./AppStream/Packages/virt-viewer-7.0-9.el8.x86_64.rpm
また、KVM/KVM-RTを利用する場合には、起動オプションに intel_iommu=on workqueue.pri=3 が必要になります。
# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto resume=UUID=b91bbc38-e524-4d93-9804-e0632985a885 rhgb quiet intel_iommu=on workqueue.pri=3"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true
# cp /boot/efi/EFI/centos/grub.cfg /boot/efi/EFI/centos/grub.cfg.orig
# grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
再起動後、下記コマンドの様に、cgroup 'memory' controller supportに警告が表示されますが、これはRedHawkでは正常です。
# virt-host-validate
QEMU: 確認中 for hardware virtualization : 成功
QEMU: 確認中 if device /dev/kvm exists : 成功
QEMU: 確認中 if device /dev/kvm is accessible : 成功
QEMU: 確認中 if device /dev/vhost-net exists : 成功
QEMU: 確認中 if device /dev/net/tun exists : 成功
QEMU: 確認中 for cgroup 'cpu' controller support : 成功
QEMU: 確認中 for cgroup 'cpuacct' controller support : 成功
QEMU: 確認中 for cgroup 'cpuset' controller support : 成功
QEMU: 確認中 for cgroup 'memory' controller support : 警告 (Enable 'memory' in kernel Kconfig file or mount/enable cgroup controller in your system)
QEMU: 確認中 for cgroup 'devices' controller support : 成功
QEMU: 確認中 for cgroup 'blkio' controller support : 成功
QEMU: 確認中 for device assignment IOMMU support : 成功
QEMU: 確認中 if IOMMU is enabled by kernel : 成功
# kvmrt-boot
Traceback (most recent call last):
File "/usr/bin/kvmrt-boot", line 261, in
if boot_and_tune(vm, vc):
File "/usr/bin/kvmrt-boot", line 155, in boot_and_tune
verbose=verbose):
File "/usr/lib/python3.6/site-packages/kvmrt/tune_vm.py", line 49, in tune_vm
tasks = cpus_have_pinned_tasks(shield_cpumask, allow_pid=get_vm_pid(vm))
File "/usr/lib/python3.6/site-packages/kvmrt/runtime_vm_lib.py", line 125, in cpus_have_pinned_tasks
t = bitmask(affinity)
File "/usr/lib/python3.6/site-packages/kvmrt/bitmask.py", line 139, in __init__
raise ValueError("invalid bitmask string: '%s'" % mask)
ValueError: invalid bitmask string: 'プロセス ID 1 の現在の親和性リスト: 0-3'
# export LANG=en_US.UTF-8
# kvmrt-boot
# kvmrt-stat
centos7.0 running 10474 spice://127.0.0.1:5900 192.168.122.186
# kvmrt-shutdown
# kvmrt-stat
centos7.0 shutdown
# cd /run/media/root/CentOS-8.2-Updates-x86_64/
# rpm -ivh ./BaseOS/Packages/cifs-utils-6.8-3.el8.x86_64.rpm
# cd /run/media/root/CentOS-8.2-Updates-x86_64/
# dnf localinstall \
AppStream/Packages/ibus-kkc-1.5.22-9.el8.x86_64.rpm \
AppStream/Packages/libgee-0.20.1-1.el8.x86_64.rpm \
AppStream/Packages/libkkc-0.3.5-12.el8.x86_64.rpm \
AppStream/Packages/libkkc-common-0.3.5-12.el8.noarch.rpm \
AppStream/Packages/libkkc-data-0.2.7-12.el8.x86_64.rpm \
AppStream/Packages/marisa-0.2.4-36.el8.x86_64.rpm \
AppStream/Packages/skkdic-20170102-4.T1100.el8.noarch.rpm
# cd /run/media/root/CentOS-8.2-Updates-x86_64/
# dnf localinstall \
BaseOS/Packages/glibc-devel-2.28-101.el8.i686.rpm \
BaseOS/Packages/glibc-headers-2.28-101.el8.i686.rpm \
BaseOS/Packages/libgfortran-8.3.1-5.el8.0.2.x86_64.rpm \
BaseOS/Packages/libquadmath-8.3.1-5.el8.0.2.x86_64.rpm \
BaseOS/Packages/libxcrypt-4.1.1-4.el8.i686.rpm \
BaseOS/Packages/libxcrypt-devel-4.1.1-4.el8.i686.rpm \
AppStream/Packages/gcc-gfortran-8.3.1-5.el8.0.2.x86_64.rpm \
AppStream/Packages/libquadmath-devel-8.3.1-5.el8.0.2.x86_64.rpm
誤:make -C ${KERNEL_DIR} SUBDIRS=`pwd` REDHAWKFLAVOR=`cat /proc/ccur/flavor` modules
正:make -C ${KERNEL_DIR} M=`pwd` REDHAWKFLAVOR=`cat /proc/ccur/flavor` modules
シングルユーザで起動し、カーネル再コンパイルの環境を構築
# cd /usr/src/linux-5.4.109RedHawk8.2.2
# ./ccur-config -c -n
nvidiaドライバを削除
# lsmod|grep nvidia
nvidia_drm 61440 0
nvidia_modeset 1232896 1 nvidia_drm
nvidia 34152448 1 nvidia_modeset
drm_kms_helper 200704 1 nvidia_drm
drm 471040 3 drm_kms_helper,nvidia_drm
# rmmod nvidia_drm
# rmmod nvidia_modeset
# rmmod nvidia
nvidiaドライバの削除を確認
# lsmod|grep nvidia
インストール
# sh NVIDIA-Linux-x86_64-470.57.02.run
initramfsを再構築
# dracut --force --kver `uname -r`
別のカーネルにインストールする場合には、上記手順で
# sh NVIDIA-Linux-x86_64-470.57.02.run -K
を行う。
# dnf copr enable openscapmaint/openscap-latest
# dnf install openscap-scanner scap-security-guide
# cd /
# patch -p0 < /tmp/oscap.patch
# rm -f /tmp/oscap.patch
# oscap -V |grep Community
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
# oscap xccdf eval --profile pci-dss --report ssg-cents8-xccdf.html /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
Title Prevent Login to Accounts With Empty Password
Rule xccdf_org.ssgproject.content_rule_no_empty_passwords
Result pass
:
1. ソースツリーの再構築
# cd /usr/src/linux-5.4.66RedHawk8.2
# ./ccur-config -n -c
2.パッチの適用
# cd /usr/src/linux-5.4.66RedHawk8.2
# cp configs/x86_64/trace configs/x86_64/fips-trace
# patch -p0 < /tmp/fips-trace.patch
# rm -f /tmp/fips-trace.patch
# ./ccur-config -k fips -n fips-trace
# make -j 4 bzImage
# make -j 4 modules
# make -j 4 modules_install
# make -j 4 install
# sha512hmac /boot/vmlinuz-5.4.66-rt38-RedHawk-8.2-fips > /boot/.vmlinuz-5.4.66-rt38-RedHawk-8.2-fips.hmac
# blscfg -d 2
3.firewalldをアップデートする
# dnf install firewalld-0.8.2-2.el8.noarch
または、/usr/lib/systemd/system/firewalld.service を以下の様に更新してください。
Conflicts行の最後に、nftables.serviceを追加する。
変更前
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
変更後
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
4.再起動後、FIPSカーネルで、起動してください。