diff --git a/twoliter/embedded/rpm2img b/twoliter/embedded/rpm2img
index 6052c118e..7d399e5c3 100755
--- a/twoliter/embedded/rpm2img
+++ b/twoliter/embedded/rpm2img
@@ -451,15 +451,20 @@ mkdir -p "${ROOT_MOUNT}/boot/grub"
 # Now that we're done messing with /, move /boot out of it
 mv "${ROOT_MOUNT}/boot"/* "${BOOT_MOUNT}"
+pushd "${BOOT_MOUNT}" >/dev/null
+
+vmlinuz="vmlinuz"
 if [ "${UEFI_SECURE_BOOT}" == "yes" ] ; then
-  pushd "${BOOT_MOUNT}" >/dev/null
-  vmlinuz="vmlinuz"
   pesign -i "${vmlinuz}" -o "${vmlinuz}.signed" -s "${CODE_SIGN_KEY[@]}"
   mv "${vmlinuz}.signed" "${vmlinuz}"
   pesigcheck -i "${vmlinuz}" -n 0 -c "${SBKEYS}/vendor.cer"
-  popd >/dev/null
 fi
+# Generate an HMAC for the kernel after signing.
+sha512hmac "${vmlinuz}" > ".${vmlinuz}.hmac"
+
+popd >/dev/null
+
 # Set the Bottlerocket variant, version, and build-id
 SYS_ROOT="${ARCH}-bottlerocket-linux-gnu/sys-root"
 VERSION="${VERSION_ID} (${VARIANT})"
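Review bot: The new `sha512hmac "${vmlinuz}" > ".${vmlinuz}.hmac"` line trusts that HMAC generation succeeded, whereas the signing path just above re-verifies its output with `pesigcheck`; because the shell opens the redirection before the tool runs, a missing or failing `sha512hmac` can leave an empty or truncated `.vmlinuz.hmac` in the boot image unless the script is running under `set -e`, which is not visible in this hunk. Mirror the signing step with a verification pass directly after generation, `sha512hmac -c ".${vmlinuz}.hmac"`, so the build fails rather than shipping a kernel whose integrity file cannot validate it. The move of `pushd "${BOOT_MOUNT}"` to cover this line looks deliberate, since the tool records the path it was given in the `.hmac` output, so the comment should say so, e.g. `# Generate an HMAC for the (now signed) kernel; run from ${BOOT_MOUNT} so the .hmac records the bare filename rather than a build-tree path.`. With no `-k` option the HMAC appears to use the tool's built-in default key, so this is an integrity self-check rather than an authentication step; authenticity still rests on the pesign signature when `UEFI_SECURE_BOOT` is `yes`, and a comment noting that would stop a reader from mistaking the HMAC for a signature.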