Try BOOT_IMAGE and fallback to vmlinuz-${KERNEL}

On s390 BOOT_IMAGE only denotes the number of the boot record that
was selected in the bootloader and not the path to the kernel image.

Also only bail out, if the kernel hmac checking relies on that path.

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 1f84526ac0a1575737f146620cb96ef537758919..1e5707c03646d145e18624ace0d5b0aa9608be2c 100755 (executable)
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -77,12 +77,6 @@ do_fips()
     local _module
 
     KERNEL=$(uname -r)
-    BOOT_IMAGE="$(getarg BOOT_IMAGE)"
-    BOOT_IMAGE="${BOOT_IMAGE:-/vmlinuz-${KERNEL}}"
-    if ! [ -e "/boot/.${BOOT_IMAGE}.hmac" ] && ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
-        warn "/boot/.${BOOT_IMAGE}.hmac does not exist"
-        return 1
-    fi
 
     FIPSMODULES=$(cat /etc/fipsmodules)
 
@@ -115,6 +109,13 @@ do_fips()
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
     else
+        BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+        [ -e "/boot/.${BOOT_IMAGE}.hmac" ] || BOOT_IMAGE="vmlinuz-${KERNEL}"
+
+        if ! [ -e "/boot/.${BOOT_IMAGE}.hmac" ]; then
+            warn "/boot/.${BOOT_IMAGE}.hmac does not exist"
+            return 1
+        fi
         sha512hmac -c "/boot/.${BOOT_IMAGE}.hmac" || return 1
     fi