diff options
| author | Jonathan Lebon <jonathan@jlebon.com> | 2019-10-29 16:45:29 -0400 |
|---|---|---|
| committer | Jonathan Lebon <jonathan@jlebon.com> | 2019-10-29 16:45:29 -0400 |
| commit | 7ae8da08b9f832bbaf6c9c50737e25116ec7ca9c (patch) | |
| tree | 2e2ac4fa5af1aaba6609d1f1aa015ca35b3ea265 /tests/libtest.sh | |
| parent | 476f375cfcfe0b9a56db0703ffe68441a33b2ce2 (diff) | |
| download | ostree-7ae8da08b9f832bbaf6c9c50737e25116ec7ca9c.tar.gz | |
lib/deploy: Also install HMAC file into /boot
To allow for FIPS mode, we need to also install the HMAC file from
`/usr/lib/modules` to `/boot` alongside the kernel image where the
`fips` dracut module will find it. For details, see:
https://github.com/coreos/fedora-coreos-tracker/issues/302
Note I didn't include the file in the boot checksum since it's itself a
checksum of the kernel, so we don't really gain much here other than
potentially causing an unnecessary bootcsum bump.
Diffstat (limited to 'tests/libtest.sh')
| -rwxr-xr-x | tests/libtest.sh | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/tests/libtest.sh b/tests/libtest.sh index 8832e63c..ba00073a 100755 --- a/tests/libtest.sh +++ b/tests/libtest.sh @@ -395,6 +395,8 @@ setup_os_repository () { mkdir -p usr/bin ${bootdir} usr/lib/modules/${kver} usr/share usr/etc kernel_path=${bootdir}/vmlinuz initramfs_path=${bootdir}/initramfs.img + # the HMAC file is only in /usr/lib/modules + hmac_path=usr/lib/modules/${kver}/.vmlinuz.hmac # /usr/lib/modules just uses "vmlinuz", since the version is in the module # directory name. if [[ $bootdir != usr/lib/modules/* ]]; then @@ -403,6 +405,7 @@ setup_os_repository () { fi echo "a kernel" > ${kernel_path} echo "an initramfs" > ${initramfs_path} + echo "an hmac file" > ${hmac_path} bootcsum=$(cat ${kernel_path} ${initramfs_path} | sha256sum | cut -f 1 -d ' ') export bootcsum # Add the checksum for legacy dirs (/boot, /usr/lib/ostree-boot), but not |