Merge: redhat: Prepare for UKI+FIPS enablement

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5129

JIRA: INTERNAL

To prepare for FIPS mode enablement in the UKI, create keyless
sha512hmac for vmlinuz-virt.efi file.

Note: this MR does not enable FIPS mode in the UKI initramfs, it
is a preparatory change so tools (dracut, virt-firmware) can be
tested.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>

Approved-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Approved-by: Jan Stancek <jstancek@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Rado Vrbovsky <rvrbovsk@redhat.com>

Author: emmil

redhat/kernel.spec.template

@@ -2511,6 +2511,12 @@ BuildKernel() {
 # signkernel
 %endif
 
+      # hmac sign the UKI for FIPS
+      KernelUnifiedImageHMAC="$KernelUnifiedImageDir/.$InstallName-virt.efi.hmac"
+      echo "hmac sign the UKI for FIPS"
+      echo "Creating hmac file: $KernelUnifiedImageHMAC"
+      (cd $KernelUnifiedImageDir && sha512hmac $InstallName-virt.efi) > $KernelUnifiedImageHMAC;
+
         pushd $RPM_BUILD_ROOT
 
     # Variant != rt && Variant != rt-debug
@@ -3726,7 +3732,8 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/symvers.gz\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/config\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.builtin*\
-/lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\
+%attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\
+%attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/.%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.hmac\
 %ghost /%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:*}-%{KVERREL}%{?3:+%{3}}.efi\
 %{expand:%%files %{?3:%{3}-}uki-virt-addons}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/ \