lib/deploy: Also install HMAC file into /boot #1962
Conversation
|
Actually, let's hold this for a second. I'm still working out the dracut side of this, and I think another thing that will fail is that the HMAC file is of course pointing at the wrong path (this one is just from my Silverblue laptop for example): So... hmm, might need to have libostree also edit the path in there? Yuck. |
|
I think this is more an rpm-ostree bug: is also wrong. Or to say it more precisely, how we built it is wrong; ostree shouldn't be working around build problems. Hm, maybe it'd work to just make the file purely relative? |
As mentioned in the comment block: ``` If there's an HMAC file, fix the path to the kernel in it to be relative. Right now, the kernel spec encodes `/boot/vmlinux-$kver`, which of course not going to work for us. We should work towards making this change directly into the kernel spec. ``` For background, see this comment and following: ostreedev/ostree#1962 (comment)
To allow for FIPS mode, we need to also install the HMAC file from `/usr/lib/modules` to `/boot` alongside the kernel image where the `fips` dracut module will find it. For details, see: coreos/fedora-coreos-tracker#302 Note I didn't include the file in the boot checksum since it's itself a checksum of the kernel, so we don't really gain much here other than potentially causing an unnecessary bootcsum bump.
jlebon
force-pushed
the
pr/support-hmac
branch
from
1a97835 to
7ae8da0
Compare
|
/hold cancel |
Yeah, seems like the cleanest solution. Done in coreos/rpm-ostree#1934 now! |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, jlebon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
As mentioned in the comment block: ``` If there's an HMAC file, fix the path to the kernel in it to be relative. Right now, the kernel spec encodes `/boot/vmlinux-$kver`, which of course not going to work for us. We should work towards making this change directly into the kernel spec. ``` For background, see this comment and following: ostreedev/ostree#1962 (comment)
To allow for FIPS mode, we need to also install the HMAC file from
/usr/lib/modulesto/bootalongside the kernel image where thefipsdracut module will find it. For details, see:coreos/fedora-coreos-tracker#302
Note I didn't include the file in the boot checksum since it's itself a
checksum of the kernel, so we don't really gain much here other than
potentially causing an unnecessary bootcsum bump.