Fix pkcs11 and pcsc modules

pkcs11 and pcsc don't seem to have ever worked. In the case of pkcs11, the following install line is incorrect (note the dot before *): {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so.*" And it should be: {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so*" I opened a PR and it was merged a while ago: dracutdevs/dracut#2540 In the case of pcsc there are two problems. One, the installation file is missing /usr/share/p11-kit/modules/opensc.module and without that, you can't really do anything. Two, dracut doesn't include polkit and pcsc is compiled with it enabled by default. The option --disable-polkit was added to pcscd in 2.0, precisely to address this issue. It needs to be added to pcscd.service in the module for it to work on initramfs. I opened another PR which has been approved by 2 reviewers and merged into openSUSE: dracutdevs/dracut#2547 Signed-off-by: Manuel Fombuena <[email protected]>
fedora-riscv · Feb 12, 2024 · 2d7bee7 · 2d7bee7
1 parent 8f3935c
commit 2d7bee7
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 1 deletion.
diff --git a/2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch b/2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch
@@ -0,0 +1,23 @@
+From 1c762c0da6ed2bb6fa44d5e0968605cc4d45361c Mon Sep 17 00:00:00 2001
+From: innovara <[email protected]>
+Date: Fri, 27 Oct 2023 11:53:49 +0100
+Subject: [PATCH] fix(pkcs11): delete trailing dot on
+ libcryptsetup-token-systemd-pkcs11.so
+
+libcryptsetup-token-systemd-pkcs11.so.* doesn't match the file libcryptsetup-token-systemd-pkcs11.so
+---
+ modules.d/91pkcs11/module-setup.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/91pkcs11/module-setup.sh b/modules.d/91pkcs11/module-setup.sh
+index 547631db66..5675efb580 100755
+--- a/modules.d/91pkcs11/module-setup.sh
++++ b/modules.d/91pkcs11/module-setup.sh
+@@ -30,6 +30,6 @@ install() {
+         {"tls/$_arch/",tls/,"$_arch/",}"libffi.so.*" \
+         {"tls/$_arch/",tls/,"$_arch/",}"libp11-kit.so.*" \
+         {"tls/$_arch/",tls/,"$_arch/",}"libcryptsetup.so.*" \
+-        {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so.*"
++        {"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-pkcs11.so*"
+
+ }
diff --git a/2547-fix-pcsc-module.patch b/2547-fix-pcsc-module.patch
@@ -0,0 +1,50 @@
+From 6da61a2c0e38da4e6e880e1bb7f47d55d2c54c65 Mon Sep 17 00:00:00 2001
+From: Manuel Fombuena <[email protected]>
+Date: Fri, 3 Nov 2023 09:04:53 +0000
+Subject: [PATCH 1/2] fix(pcsc): add opensc load module file
+
+On Fedora, and possibly others, this file loads opensc-pkcs11.so which you need to interact with the smart card to unlock a LUKS encrypted volume.
+---
+ modules.d/91pcsc/module-setup.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/91pcsc/module-setup.sh b/modules.d/91pcsc/module-setup.sh
+index 6f8b2c88e1..26b463d436 100755
+--- a/modules.d/91pcsc/module-setup.sh
++++ b/modules.d/91pcsc/module-setup.sh
+@@ -29,7 +29,8 @@ install() {
+     inst_simple "$moddir/pcscd.socket" "${systemdsystemunitdir}"/pcscd.socket
+
+     inst_multiple -o \
+-        pcscd
++        pcscd \
++        /usr/share/p11-kit/modules/opensc.module
+
+     # Enable systemd type unit(s)
+     for i in \
+
+From 842be0c89fe0cc8cac9efa88e68b07ae1c2d2464 Mon Sep 17 00:00:00 2001
+From: Manuel Fombuena <[email protected]>
+Date: Fri, 3 Nov 2023 11:53:38 +0000
+Subject: [PATCH 2/2] fix(pcsc): add --disable-polkit to pcscd.service
+
+Needs pcsc >= 2.0.0
+
+polkit is not included in dracut and without this option, pcscd simply fails
+---
+ modules.d/91pcsc/pcscd.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/91pcsc/pcscd.service b/modules.d/91pcsc/pcscd.service
+index 639decd275..7d4e0a2b30 100644
+--- a/modules.d/91pcsc/pcscd.service
++++ b/modules.d/91pcsc/pcscd.service
+@@ -5,7 +5,7 @@ Documentation=man:pcscd(8)
+ Requires=pcscd.socket
+
+ [Service]
+-ExecStart=/usr/sbin/pcscd --foreground --auto-exit
++ExecStart=/usr/sbin/pcscd --foreground --auto-exit --disable-polkit
+ ExecReload=/usr/sbin/pcscd --hotplug
+
+ [Install]
diff --git a/dracut.spec b/dracut.spec
@@ -7,7 +7,7 @@
 %global __requires_exclude pkg-config
 
 # rpmdev-bumpspec and releng automation compatible variable
-%global baserelease 20
+%global baserelease 21
 
 Name: dracut
 Version: 059
@@ -98,6 +98,15 @@ Patch17: 2481-remove-microcode-check-based-on-CONFIG_MICROCODE_.patch
 # https://github.com/dracutdevs/dracut/pull/2531
 Patch: 2531.patch
 
+# fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so
+# https://github.com/dracutdevs/dracut/pull/2540
+Patch19: 2540-fix-pkcs11-libcryptsetup-token-systemd-pkcs11-so-path.patch
+
+# fix(pcsc): add opensc load module file
+# fix(pcsc): add --disable-polkit to pcscd.service
+# https://github.com/dracutdevs/dracut/pull/2547
+Patch20: 2547-fix-pcsc-module.patch
+
 BuildRequires: bash
 BuildRequires: git-core
 BuildRequires: pkgconfig(libkmod) >= 23
@@ -498,6 +507,11 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
 
 %changelog
+* Sat Jan 27 2024 Manuel Fombuena <[email protected]> - 059-21
+- fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so
+- fix(pcsc): add opensc load module file
+- fix(pcsc): add --disable-polkit to pcscd.service
+
 * Wed Jan 24 2024 Fedora Release Engineering <[email protected]> - 059-20
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild