From: Brian C. Lane <bcl@brianlane.com>
Date: Fri, 13 Dec 2019 17:47:43 +0000 (-0800)
Subject: Check .hmac of boot.iso in fips mode
X-Git-Tag: 050~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05b75703b0e378f0dac2db89dd5a4ad88ed9e529;p=thirdparty%2Fdracut.git

Check .hmac of boot.iso in fips mode

Instead of carrying the kernel and hmac in the install.img (which takes
up more space) use the vmlinuz installed under /images/pxeboot/ and the
.hmac in the install.img /boot.

This check is triggered by the presence of /run/install/repo/images/pxeboot/vmlinuz

Related: rhbz#1782737
---

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 031ada8b0..8fba135b2 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -111,6 +111,9 @@ do_fips()
         do_rhevh_check /run/initramfs/live/vmlinuz0 || return 1
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
+    elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then
+        # This is a boot.iso with the .hmac inside the install.img
+        do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1
     else
         BOOT_IMAGE="$(getarg BOOT_IMAGE)"