Merge pull request #187 from bcressey/kernel-hmac
generate HMAC for kernel on build
bcressey authored Apr 8, 2024
2 parents 79ef367 + 5426ecf commit 40c22ab
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions twoliter/embedded/rpm2img
@@ -451,15 +451,20 @@ mkdir -p "${ROOT_MOUNT}/boot/grub"
# Now that we're done messing with /, move /boot out of it
mv "${ROOT_MOUNT}/boot"/* "${BOOT_MOUNT}"

pushd "${BOOT_MOUNT}" >/dev/null

vmlinuz="vmlinuz"
if [ "${UEFI_SECURE_BOOT}" == "yes" ] ; then
pushd "${BOOT_MOUNT}" >/dev/null
vmlinuz="vmlinuz"
pesign -i "${vmlinuz}" -o "${vmlinuz}.signed" -s "${CODE_SIGN_KEY[@]}"
mv "${vmlinuz}.signed" "${vmlinuz}"
pesigcheck -i "${vmlinuz}" -n 0 -c "${SBKEYS}/vendor.cer"
popd >/dev/null
fi

# Generate an HMAC for the kernel after signing.
sha512hmac "${vmlinuz}" > ".${vmlinuz}.hmac"

popd >/dev/null

# Set the Bottlerocket variant, version, and build-id
SYS_ROOT="${ARCH}-bottlerocket-linux-gnu/sys-root"
VERSION="${VERSION_ID} (${VARIANT})"
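Review bot: The new `sha512hmac "${vmlinuz}" > ".${vmlinuz}.hmac"` step writes the digest file without ever checking it, while the signing branch just above verifies its own output with `pesigcheck`. Because the redirect creates the file before the tool runs, a failing `sha512hmac` leaves an empty `.vmlinuz.hmac` in the boot partition unless the script runs with errexit, which is not visible in this hunk. Consider adding `sha512hmac -c ".${vmlinuz}.hmac" >/dev/null` directly after the generation line so a bad or truncated digest fails the build rather than the boot-time check. The comment could also say why the order matters, for example `# pesign rewrites vmlinuz, so the HMAC must cover the signed image; regenerate it if the kernel is modified again.` If this is the stock tool using its built-in key, it is also worth noting there that the file is an integrity self-check and not tamper protection, with the Secure Boot signature remaining the authenticity control.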