From: Jonathan Lebon
Date: Tue, 29 Oct 2019 20:47:34 +0000 (-0400)
Subject: 01fips: run sha512hmac from directory HMAC file directory
X-Git-Tag: 050~103
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba813779bf3d613b841fef2e127b2605fafbaa0c;p=thirdparty%2Fdracut.git

01fips: run sha512hmac from directory HMAC file directory

That way, the HMAC file can contain a relative path instead of an absolute one. The issue is that right now the kernel RPM bakes the `/boot/vmlinuz-${kver}` path into the HMAC file which poses an issue for rpm-ostree systems (and any other system where the kernel isn't simply in the top-level `/boot`).

For now, we're hacking around this in rpm-ostree:
https://github.com/coreos/rpm-ostree/pull/1934

Though I'd like to propose the same change in the kernel spec file.
---
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index b256b11bf..b796c72e8 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh @@ -135,7 +135,7 @@ do_fips() return 1 fi - sha512hmac -c "${BOOT_IMAGE_HMAC}" || return 1 + (cd "${BOOT_IMAGE_HMAC%/*}" && sha512hmac -c "${BOOT_IMAGE_HMAC}") || return 1 fi info "All initrd crypto checks done"
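Review bot: The added line in do_fips() changes into `${BOOT_IMAGE_HMAC%/*}` but still passes the full `${BOOT_IMAGE_HMAC}` to `sha512hmac -c`, so after the `cd` the HMAC file is only found when that variable holds an absolute path. If that is guaranteed by the code above this hunk, a one-line comment saying so would help; otherwise pass the basename, `sha512hmac -c "${BOOT_IMAGE_HMAC##*/}"`, so the check does not depend on how the path was written. Note also that `%/*` leaves the value unchanged when it contains no slash, in which case `cd` is handed the file name, fails, and the function returns 1. That fails closed, which is the right direction for an integrity check, but it surfaces as a generic failure with no message pointing at the path. A short comment above the subshell explaining that the `cd` exists so relative paths inside the HMAC file resolve against the HMAC file's own directory would keep a later cleanup from removing it.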