RHEL-56885

Add support for UKI integrity check to FIPS module

    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-9.6
    • rhel-9.6
    • dracut
    • dracut-057-79.git20241127.el9
    • rhel-sst-cs-bootloaders
    • ssg_core_services
    • 26
    • 3
    • Dev ack
    • False

      Currently, the FIPS module performs the integrity check for the kernel in the initramfs by basically comparing a keyless sha256hmac of /boot/vmlinuz-`uname -r` with /boot/.vmlinuz-`uname -r`.hmac and fails the boot process in case of a mismatch. This is not compatible with UKIs, as neither /boot/vmlinuz-`uname -r` nor /boot/.vmlinuz-`uname -r`.hmac is present when the 'kernel-uki-virt' package is installed instead of kernel-core.

      To make things work for UKIs we can follow the same approach: create a keyless HMAC for /boot/efi/EFI/Linux/<machine-id>-vmlinuz-virt.efi (stored as .<machine-id>-vmlinuz-virt.efi.hmac next to it) and do the same comparison. The HMAC file was added to ARK:

      and virt-firmware will copy it to the ESP upon kernel install

      Dracut support was implemented in the following upstream PR:
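      The following is an added illustration of the check described above, not code from dracut or from this issue. It models both layouts (classic /boot/vmlinuz-`uname -r` with its .hmac sidecar, and the UKI under /boot/efi/EFI/Linux/<machine-id>-vmlinuz-virt.efi with its own sidecar) on constructed files in a temporary directory, and shows the three outcomes a FIPS-mode boot has to distinguish: sidecar matches, sidecar mismatches (image modified), and sidecar missing (what happens today on the classic path when only kernel-uki-virt is installed). The HMAC key, the sidecar file format and the helper names are assumptions made for this example; the real hmaccalc/dracut tooling and its key are not shown on the page.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption for this example: "keyless" here means a fixed, well-known key
# baked into the tooling. The real key used by the FIPS module is not on the
# page, so a clearly labelled placeholder is used instead.
PLACEHOLDER_KEY = b"PLACEHOLDER-KEYLESS-HMAC-KEY"


def keyless_hmac_sha256(path, key=PLACEHOLDER_KEY):
    """HMAC-SHA256 of a file, streamed so a large kernel image is not read whole."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def hmac_sidecar_path(image_path):
    """Sidecar naming from the issue: '<dir>/.<image name>.hmac'.

    /boot/vmlinuz-X                          -> /boot/.vmlinuz-X.hmac
    /boot/efi/EFI/Linux/<id>-vmlinuz-virt.efi -> /boot/efi/EFI/Linux/.<id>-vmlinuz-virt.efi.hmac
    """
    directory, name = os.path.split(image_path)
    return os.path.join(directory, "." + name + ".hmac")


def kernel_image_path(boot, uname_r, machine_id=None, uki=False):
    """Path of the image to check for the classic kernel-core layout or the UKI layout."""
    if uki:
        return os.path.join(boot, "efi", "EFI", "Linux", f"{machine_id}-vmlinuz-virt.efi")
    return os.path.join(boot, f"vmlinuz-{uname_r}")


def write_hmac_file(image_path, key=PLACEHOLDER_KEY):
    """Create the sidecar (assumed 'digest  filename' format, like sha256sum output)."""
    sidecar = hmac_sidecar_path(image_path)
    with open(sidecar, "w") as f:
        f.write(f"{keyless_hmac_sha256(image_path, key)}  {os.path.basename(image_path)}\n")
    return sidecar


def verify_image(image_path, key=PLACEHOLDER_KEY):
    """Return (ok, reason). A FIPS-mode initramfs would stop the boot unless ok is True."""
    sidecar = hmac_sidecar_path(image_path)
    if not os.path.exists(sidecar):
        return False, "missing hmac file"
    with open(sidecar) as f:
        expected, _, _ = f.readline().strip().partition("  ")
    actual = keyless_hmac_sha256(image_path, key)
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(expected, actual):
        return True, "ok"
    return False, "mismatch"


def demo():
    """Build a constructed /boot tree, exercise both layouts, and return the outcomes."""
    with tempfile.TemporaryDirectory() as boot:
        os.makedirs(os.path.join(boot, "efi", "EFI", "Linux"))
        classic = kernel_image_path(boot, "5.14.0-placeholder")
        uki = kernel_image_path(boot, None, machine_id="0123456789abcdef0123456789abcdef", uki=True)
        for image in (classic, uki):
            with open(image, "wb") as f:  # constructed stand-in for a kernel image
                f.write(b"constructed kernel image bytes for " + os.path.basename(image).encode())
            write_hmac_file(image)

        results = {"classic": verify_image(classic)[0], "uki": verify_image(uki)[0]}

        # Modify the UKI after its sidecar was written: the check must fail.
        with open(uki, "ab") as f:
            f.write(b"X")
        results["uki_tampered"] = verify_image(uki)[0]

        # Remove the classic sidecar: this is the "file not present" situation from the issue.
        os.remove(hmac_sidecar_path(classic))
        results["classic_missing"] = verify_image(classic)[1]
        return results


if __name__ == "__main__":
    print(demo())
```

      Note that the sidecar lives beside the image it covers in both layouts, so the same verify routine serves kernel-core and kernel-uki-virt once the initramfs knows which image it booted from; the missing-sidecar case is reported separately from a digest mismatch so the failure can be diagnosed from the boot log.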

              Pavel Valena (pvalena@redhat.com)
              Vitaly Kuznetsov (vkuznets@redhat.com)
              dracut maint mailing list
              Frantisek Sumsal
              Votes: 0
              Watchers: 9