|
|
d4a4eb |
From 14310ca42f06c2156ab5cefd05dbaa47ae3b054d Mon Sep 17 00:00:00 2001
|
|
|
d4a4eb |
From: Jonathan Lebon <jonathan@jlebon.com>
|
|
|
d4a4eb |
Date: Tue, 29 Oct 2019 16:47:34 -0400
|
|
|
d4a4eb |
Subject: [PATCH] 01fips: run sha512hmac from directory HMAC file directory
|
|
|
d4a4eb |
|
|
|
d4a4eb |
That way, the HMAC file can contain a relative path instead of an
|
|
|
d4a4eb |
absolute one. The issue is that right now the kernel RPM bakes the
|
|
|
d4a4eb |
`/boot/vmlinuz-${kver}` path into the HMAC file which poses an issue for
|
|
|
d4a4eb |
rpm-ostree systems (and any other system where the kernel isn't simply
|
|
|
d4a4eb |
in the top-level `/boot`.
|
|
|
d4a4eb |
|
|
|
d4a4eb |
For now, we're hacking around this in rpm-ostree:
|
|
|
d4a4eb |
https://github.com/coreos/rpm-ostree/pull/1934
|
|
|
d4a4eb |
|
|
|
d4a4eb |
Though I'd like to propose the same change in the kernel spec file.
|
|
|
d4a4eb |
---
|
|
|
d4a4eb |
modules.d/01fips/fips.sh | 2 +-
|
|
|
d4a4eb |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
d4a4eb |
|
|
|
d4a4eb |
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
|
|
|
d4a4eb |
index c3dbcf74..893143d0 100755
|
|
|
d4a4eb |
--- a/modules.d/01fips/fips.sh
|
|
|
d4a4eb |
+++ b/modules.d/01fips/fips.sh
|
|
|
d4a4eb |
@@ -135,7 +135,7 @@ do_fips()
|
|
|
d4a4eb |
return 1
|
|
|
d4a4eb |
fi
|
|
|
d4a4eb |
|
|
|
d4a4eb |
- sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1
|
|
|
d4a4eb |
+ (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
|
|
|
d4a4eb |
fi
|
|
|
d4a4eb |
|
|
|
d4a4eb |
info "All initrd crypto checks done"
|
|
|
d4a4eb |
|