[kernel/f17] Ship hmac file for vmlinuz for FIPS-140 (rhbz 805538)

Josh Boyer jwboyer at fedoraproject.org
Wed Mar 21 20:23:25 UTC 2012


commit 98931fa9d113305798c9162551d7eb43d5bf593d
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Mar 21 15:09:49 2012 -0400

    Ship hmac file for vmlinuz for FIPS-140 (rhbz 805538)

 kernel.spec |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index e1c3f4d..486bb61 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -529,7 +529,7 @@ ExclusiveOS: Linux
 #
 BuildRequires: module-init-tools, patch >= 2.5.4, bash >= 2.03, sh-utils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, make >= 3.78, diffutils, gawk
-BuildRequires: gcc >= 3.4.2, binutils >= 2.12, redhat-rpm-config
+BuildRequires: gcc >= 3.4.2, binutils >= 2.12, redhat-rpm-config, hmaccalc
 BuildRequires: net-tools
 BuildRequires: xmlto, asciidoc
 %if %{with_sparse}
@@ -1640,6 +1640,11 @@ BuildKernel() {
     		$RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
     chmod 755 $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
 
+    # hmac sign the kernel for FIPS
+    echo "Creating hmac file: $RPM_BUILD_ROOT/%{image_install_path}/.vmlinuz-$KernelVer.hmac"
+    ls -l $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
+    sha512hmac $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer | sed -e "s,$RPM_BUILD_ROOT,," > $RPM_BUILD_ROOT/%{image_install_path}/.vmlinuz-$KernelVer.hmac;
+
     mkdir -p $RPM_BUILD_ROOT/lib/modules/$KernelVer
     # Override $(mod-fw) because we don't want it to install any firmware
     # we'll get it from the linux-firmware package and we don't want conflicts
@@ -2261,6 +2266,7 @@ fi
 %{expand:%%files %{?2}}\
 %defattr(-,root,root)\
 /%{image_install_path}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-%{KVERREL}%{?2:.%{2}}\
+/%{image_install_path}/.vmlinuz-%{KVERREL}%{?2:.%{2}}.hmac \
 %attr(600,root,root) /boot/System.map-%{KVERREL}%{?2:.%{2}}\
 /boot/config-%{KVERREL}%{?2:.%{2}}\
 %dir /lib/modules/%{KVERREL}%{?2:.%{2}}\
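Review bot: The added `%files` entry ends in `.hmac \` with a space before the continuation backslash, unlike every neighbouring line in the macro body; write it as `/%{image_install_path}/.vmlinuz-%{KVERREL}%{?2:.%{2}}.hmac\` to match. The line above takes the image name from `-k` when it is given, while the HMAC name is fixed to `.vmlinuz-`; a short comment that this is intentional would help, if whatever consumes the file always looks for `.vmlinuz-<version>.hmac`. The enclosing macro definition starts and ends outside this hunk.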
@@ -2324,6 +2330,9 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Wed Mar 21 2012 Josh Boyer <jwboyer at redhat.com>
+- Ship hmac file for vmlinuz for FIPS-140 (rhbz 805538)
+
 * Tue Mar 20 2012 Dave Jones <davej at redhat.com>
 - Don't bind the IPS driver if no irq is assigned (typically BIOS bug). (rhbz 804353)
 

