d4a4eb
From 14310ca42f06c2156ab5cefd05dbaa47ae3b054d Mon Sep 17 00:00:00 2001
d4a4eb
From: Jonathan Lebon <jonathan@jlebon.com>
d4a4eb
Date: Tue, 29 Oct 2019 16:47:34 -0400
d4a4eb
Subject: [PATCH] 01fips: run sha512hmac from directory HMAC file directory
d4a4eb
d4a4eb
That way, the HMAC file can contain a relative path instead of an
d4a4eb
absolute one. The issue is that right now the kernel RPM bakes the
d4a4eb
`/boot/vmlinuz-${kver}` path into the HMAC file which poses an issue for
d4a4eb
rpm-ostree systems (and any other system where the kernel isn't simply
d4a4eb
in the top-level `/boot`.
d4a4eb
d4a4eb
For now, we're hacking around this in rpm-ostree:
d4a4eb
https://github.com/coreos/rpm-ostree/pull/1934
d4a4eb
d4a4eb
Though I'd like to propose the same change in the kernel spec file.
d4a4eb
---
d4a4eb
 modules.d/01fips/fips.sh | 2 +-
d4a4eb
 1 file changed, 1 insertion(+), 1 deletion(-)
d4a4eb
d4a4eb
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
d4a4eb
index c3dbcf74..893143d0 100755
d4a4eb
--- a/modules.d/01fips/fips.sh
d4a4eb
+++ b/modules.d/01fips/fips.sh
d4a4eb
@@ -135,7 +135,7 @@ do_fips()
d4a4eb
             return 1
d4a4eb
         fi
d4a4eb
 
d4a4eb
-        sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1
d4a4eb
+        (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
d4a4eb
     fi
d4a4eb
 
d4a4eb
     info "All initrd crypto checks done"
d4a4eb