[mantic:linux-signed][PATCH 2/5] UBUNTU: Use openssl for HMAC calculation
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Fri Jul 14 21:30:50 UTC 2023
kcapi-tools applications are not available in all suites, in the same
path, with the same name, instead use openssl which is universally
available. kcapi-tools itself also uses openssl to calculate its hmac.
BugLink: https://bugs.launchpad.net/bugs/2027818
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
debian/rules | 2 +-
debian/scripts/generate-control | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index c78ca3dde8..06651f2f5f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -109,7 +109,7 @@ override_dh_auto_install:
if grep -q "^Package: *$$hmac_pkg\$$" debian/control; then \
unsigned_hmac_pkg="linux-image-unsigned-hmac-$$verflav";\
hmac="$$(dirname "$$signed")/.$$(basename "$$signed").hmac"; \
- sha512hmac "$$signed" | \
+ openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$$signed" | \
awk -vpkg="/boot/$$(basename "$$signed")" \
'{ printf("%s %s\n", $$1, pkg) }' \
> "$$hmac"; \
diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control
index 4a778d9d9e..65a3841b7e 100755
--- a/debian/scripts/generate-control
+++ b/debian/scripts/generate-control
@@ -31,6 +31,8 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
efi_archs.update([arch])
if efi_archs:
print(f' sbsigntool [{" ".join(efi_archs)}],', file=cfd)
+ # For HMACs
+ print(f" openssl,", file=cfd)
else:
print(line, end='', file=cfd)
--
2.34.1
More information about the kernel-team
mailing list