From 744afe75315b975a7eb431d0a52f6056353bf8f1 Mon Sep 17 00:00:00 2001

From: Harald Hoyer <harald@redhat.com>

Date: Thu, 29 Jun 2017 10:38:09 +0200

Subject: [PATCH] Try BOOT_IMAGE and fallback to vmlinuz-${KERNEL}

On s390 BOOT_IMAGE only denotes the number of the boot record that

was selected in the bootloader and not the path to the kernel image.

Also only bail out, if the kernel hmac checking relies on that path.

Cherry-picked from: 3d875f77f3d1c5e4161794ca59025bc6bcd77eaa

Resolves: #1415032

---

 modules.d/01fips/fips.sh | 13 +++++++------

 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh

index e9ed00b5..ecd711c2 100755

--- a/modules.d/01fips/fips.sh

+++ b/modules.d/01fips/fips.sh

@@ -79,12 +79,6 @@ do_fips()

     local _module

     KERNEL=$(uname -r)

-    BOOT_IMAGE="$(getarg BOOT_IMAGE)"

-    BOOT_IMAGE="${BOOT_IMAGE:-/vmlinuz-${KERNEL}}"

-    if ! [ -e "/boot/.${BOOT_IMAGE}.hmac" ] && ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then

-        warn "/boot/.${BOOT_IMAGE}.hmac does not exist"

-        return 1

-    fi

     FIPSMODULES=$(cat /etc/fipsmodules)

@@ -117,6 +111,13 @@ do_fips()

     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then

         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1

     else

+        BOOT_IMAGE="$(getarg BOOT_IMAGE)"

+        [ -e "/boot/.${BOOT_IMAGE}.hmac" ] || BOOT_IMAGE="vmlinuz-${KERNEL}"

+

+        if ! [ -e "/boot/.${BOOT_IMAGE}.hmac" ]; then

+            warn "/boot/.${BOOT_IMAGE}.hmac does not exist"

+            return 1

+        fi

         sha512hmac -c "/boot/.${BOOT_IMAGE}.hmac" || return 1

     fi