Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(RHEL-56885) feat(fips): add support for UKIs #101

Merged
merged 1 commit into from
Nov 27, 2024
Merged

(RHEL-56885) feat(fips): add support for UKIs #101

merged 1 commit into from
Nov 27, 2024

Conversation

pvalena
Copy link
Contributor

@pvalena pvalena commented Nov 27, 2024
edited by github-actions bot
Loading

Kernel integrity check in FIPS module is incompatible with UKIs as neither
/boot/vmlinuz-uname-r nor /boot/.vmlinuz-uname-r.hmac are present. UKI
is placed to $ESP\EFI\Linux<install-tag>-.efi and if a .hmac file
is present next to it, it is possible to do similar check.

Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected
to be set. Luckily, if the UKI is systemd-stub based then we can expect
'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount
it to /boot using the existing logic.

Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com

(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be)

Resolves: RHEL-56885

@vittyvk @pvalena
feat(fips): add support for UKIs
e843e16 
Kernel integrity check in FIPS module is incompatible with UKIs as neither
/boot/vmlinuz-`uname-r` nor /boot/.vmlinuz-`uname-r`.hmac are present. UKI
is placed to $ESP\EFI\Linux\<install-tag>-<uname-r>.efi and if a .hmac file
is present next to it, it is possible to do similar check.

Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected
to be set. Luckily, if the UKI is systemd-stub based then we can expect
'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount
it to /boot using the existing logic.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>

(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be)

Resolves: RHEL-56885
@pvalena pvalena added the bug Something isn't working label Nov 27, 2024
@pvalena pvalena self-assigned this Nov 27, 2024
@github-actions github-actions bot changed the title feat(fips): add support for UKIs (RHEL-56885) feat(fips): add support for UKIs Nov 27, 2024
@github-actions GitHub Actions
Copy link

Commit validation

Tracker - RHEL-56885

The following commits need an inspection

commit note
e843e16 - feat(fips): add support for UKIs Missing upstream reference ‼️

Tracker validation

Failed

🔴 Tracker RHEL-56885 is missing severity

Success

🟢 Tracker RHEL-56885 has set desired product: rhel-9.6
🟢 Tracker RHEL-56885 has set desired component: dracut
🟢 Tracker RHEL-56885 has been approved

Pull Request validation

Failed

🔴 Failed or pending checks - test (centos:stream9, 36)[failure],test (centos:stream9, 35)[failure],test (centos:stream9, 31)[failure],test (centos:stream9, 30)[failure],test (centos:stream9, 15)[failure],test (centos:stream9, 14)[failure],test (centos:stream9, 03)[failure],centos-9-stream (centos:stream9, 98)[cancelled],centos-9-stream (centos:stream9, 20)[cancelled],centos-9-stream (centos:stream9, 41)[cancelled],centos-9-stream (centos:stream9, 40)[cancelled],centos-9-stream (centos:stream9, 21)[cancelled],centos-9-stream (centos:stream9, 17)[cancelled],centos-9-stream (centos:stream9, 16)[cancelled],centos-9-stream (centos:stream9, 13)[cancelled],centos-9-stream (centos:stream9, 12)[cancelled],centos-9-stream (centos:stream9, 11)[cancelled],centos-9-stream (centos:stream9, 10)[cancelled],centos-9-stream (centos:stream9, 02)[cancelled],centos-9-stream (centos:stream9, 01)[cancelled],basic (centos:stream9, 04)[failure],test (centos:stream9, 98)[in_progress],test (centos:stream9, 40)[in_progress],testing-farm:centos-stream-9-x86_64[in_progress],rpm-build:centos-stream-9-x86_64[in_progress],test (centos:stream9, 20)[in_progress],rpm-build:centos-stream-9-aarch64[in_progress],test (centos:stream9, 21)[in_progress],test (centos:stream9, 17)[in_progress],test (centos:stream9, 16)[in_progress],test (centos:stream9, 13)[in_progress],test (centos:stream9, 12)[in_progress],test (centos:stream9, 10)[in_progress],test (centos:stream9, 01)[in_progress],test (centos:stream9, 02)[in_progress],lint-shell[in_progress]
🔴 Review - Missing review from a member (1 required)

pvalena
pvalena commented Nov 27, 2024
View reviewed changes
Copy link
Contributor Author

@pvalena pvalena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@pvalena pvalena merged commit 492bc94 into redhat-plumbers:main Nov 27, 2024
21 of 44 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@pvalena pvalena

Labels
bug Something isn't working fips modules pr/needs-ci pr/needs-review tracker/missing-severity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pvalena @vittyvk