redhat: hmac sign the UKI for FIPS

vittyvk · vittyvk · commit d0d5a2c124ae · 2024-09-02T18:02:54.000+02:00
JIRA: INTERNAL
Upstream Status: RHEL-only
ARK commit: c21494f10acecd92677eb363b38956a4994b2e29

Dracut's FIPS module contains kernel integrity check for traditional
kernels: /boot/vmlinuz-`uname-r`'s HMAC is compared to
/boot/.vmlinuz-`uname-r`.hmac which is created duing kernel
build. In preparation to enabling FIPS mode support for UKI, create
HMAC for the it too.

Signed-off-by: Vitaly Kuznetsov &lt;vkuznets@redhat.com&gt;
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
@@ -2511,6 +2511,12 @@ BuildKernel() {
 # signkernel
 %endif
 
+      # hmac sign the UKI for FIPS
+      KernelUnifiedImageHMAC="$KernelUnifiedImageDir/.$InstallName-virt.efi.hmac"
+      echo "hmac sign the UKI for FIPS"
+      echo "Creating hmac file: $KernelUnifiedImageHMAC"
+      (cd $KernelUnifiedImageDir && sha512hmac $InstallName-virt.efi) > $KernelUnifiedImageHMAC;
+
         pushd $RPM_BUILD_ROOT
 
     # Variant != rt && Variant != rt-debug
@@ -3727,6 +3733,7 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/config\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.builtin*\
 %attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\
+%attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/.%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.hmac\
 %ghost /%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:*}-%{KVERREL}%{?3:+%{3}}.efi\
 %{expand:%%files %{?3:%{3}-}uki-virt-addons}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/ \
