redhat: hmac sign the UKI for FIPS (!3314) · Merge requests · cki-project / kernel-ark

Dracut's FIPS module contains kernel integrity check for traditional kernels: /boot/vmlinuz-uname-r's HMAC is compared to /boot/.vmlinuz-uname-r.hmac which is created duing kernel build. In preparation to enabling FIPS mode support for UKI, create HMAC for it too.

For the reference, other pieces of the puzzle:

dracut: https://github.com/dracut-ng/dracut-ng/pull/574
virt-firmware: kraxel/virt-firmware!17 (merged)

Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com

Edited Aug 09, 2024 by Vitaly Kuznetsov

redhat: hmac sign the UKI for FIPS

Merge request reports