From 32dbc1a9879c07f49ed7fe8cce98db0277bf9cc6 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 19 2022 18:19:13 +0000
Subject: import scap-security-guide-0.1.63-4.el8


---

diff --git a/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch b/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
new file mode 100644
index 0000000..e5132c3
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
@@ -0,0 +1,33 @@
+From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 16 Aug 2022 18:53:02 +0200
+Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
+
+There is no need to check  /etc/grubenv for fips=1 on s390x systems, it
+uses zIPL.
+---
+ .../integrity/fips/enable_fips_mode/oval/shared.xml      | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 65056a654c6..7af675de0d3 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -7,9 +7,16 @@
+       <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
+       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
+       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
+-      {{% if product in ["ol8","rhel8"] %}}
++      {{% if product in ["ol8"] %}}
+       <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+       test_ref="test_grubenv_fips_mode" />
++      {{% elif product in ["rhel8"] %}}
++      <criteria operator="OR">
++        <extend_definition comment="Generic test for s390x architecture"
++        definition_ref="system_info_architecture_s390_64" />
++        <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
++        test_ref="test_grubenv_fips_mode" />
++      </criteria>
+       {{% endif %}}
+     </criteria>
+   </definition>
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 088ccfa..db7efc0 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.63
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -34,6 +34,7 @@ Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_920
 Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
 Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
 Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
+Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
@@ -138,6 +139,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
+* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
+- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
+
 * Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
 - Fix Ansible partition conditional (RHBZ#2032403)