git.ipfire.org Git - thirdparty/dracut.git/commitdiff
01fips: run sha512hmac from directory HMAC file directory
author Jonathan Lebon <jonathan@jlebon.com>
Tue, 29 Oct 2019 20:47:34 +0000 (16:47 -0400)
committer Lukáš Nykrýn <lnykryn@redhat.com>
Thu, 31 Oct 2019 10:12:36 +0000 (11:12 +0100)
That way, the HMAC file can contain a relative path instead of an
absolute one. The issue is that right now the kernel RPM bakes the
`/boot/vmlinuz-${kver}` path into the HMAC file which poses an issue for
rpm-ostree systems (and any other system where the kernel isn't simply
in the top-level `/boot`).

For now, we're hacking around this in rpm-ostree:
https://github.com/coreos/rpm-ostree/pull/1934

Though I'd like to propose the same change in the kernel spec file.

modules.d/01fips/fips.sh

index b256b11bf5fea7913c8b1c19c8bf4cee8e94e5f7..b796c72e8a7781925ee06d3b3575f5ec0383fec6 100755 (executable)
@@ -135,7 +135,7 @@ do_fips()
             return 1
         fi
 
-        sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1
+        (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1
     fi
 
     info "All initrd crypto checks done"
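
Review bot: on the added `cd "${BOOT_IMAGE_HMAC%/*}"` line, the expansion only yields a directory when `BOOT_IMAGE_HMAC` contains a `/`, and `sha512hmac -c` is still handed the unmodified `"${BOOT_IMAGE_HMAC}"` after the directory change, so a relative value would be resolved against the new working directory rather than the original one. Both cases fail closed through `|| return 1`, but silently and indistinguishably from a genuine HMAC mismatch, which makes a boot failure in FIPS mode hard to diagnose. Consider passing `"${BOOT_IMAGE_HMAC##*/}"` to `sha512hmac -c` inside the subshell and logging which step failed before returning. A short comment stating that the `cd` exists so that relative paths inside the HMAC file resolve next to it would also help, since with the absolute paths the commit message says the kernel RPM writes today the `cd` looks redundant.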