[mantic:linux-signed][PATCH 2/5] UBUNTU: Use openssl for HMAC calculation

Dimitri John Ledkov dimitri.ledkov at canonical.com
Fri Jul 14 21:30:50 UTC 2023


kcapi-tools applications are not available in all suites, in the same
path, with the same name; instead, use openssl, which is universally
available. kcapi-tools itself also uses openssl to calculate its hmac.

BugLink: https://bugs.launchpad.net/bugs/2027818
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
 debian/rules                    | 2 +-
 debian/scripts/generate-control | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index c78ca3dde8..06651f2f5f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -109,7 +109,7 @@ override_dh_auto_install:
 		if grep -q "^Package: *$$hmac_pkg\$$" debian/control; then	\
 			unsigned_hmac_pkg="linux-image-unsigned-hmac-$$verflav";\
 			hmac="$$(dirname "$$signed")/.$$(basename "$$signed").hmac";	\
-			sha512hmac "$$signed" |					\
+			openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$$signed" |   \
 				awk -vpkg="/boot/$$(basename "$$signed")"	\
 					'{ printf("%s  %s\n", $$1, pkg) }'	\
 				> "$$hmac";					\
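Review bot: the HMAC key FIPS-FTW-RHT2009 is now a bare literal on the openssl line with no comment saying where it comes from or what has to agree with it. Please hoist it into a make variable near the top of debian/rules with a one-line comment stating that it must match the key used by whatever verifies the .hmac file, so a future edit does not change it in isolation. Separately, the openssl output is piped into awk and redirected to "$$hmac", so unless pipefail is set elsewhere in the recipe the pipeline's status is awk's: if openssl fails, the build can continue with an empty .hmac file. A check that the file is non-empty after the pipeline (for example test -s "$$hmac") would catch that. Minor: the new line pads to the trailing backslash with spaces where the neighbouring lines use tabs.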
diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control
index 4a778d9d9e..65a3841b7e 100755
--- a/debian/scripts/generate-control
+++ b/debian/scripts/generate-control
@@ -31,6 +31,8 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
                     efi_archs.update([arch])
             if efi_archs:
                 print(f' sbsigntool [{" ".join(efi_archs)}],', file=cfd)
+            # For HMACs
+            print(f" openssl,", file=cfd)
         else:
             print(line, end='', file=cfd)
 
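Review bot: on the added print line, the f prefix in f" openssl," has no placeholders, and the literal uses double quotes where the surrounding print calls use single quotes; print(' openssl,', file=cfd) matches the file's style. The comment "# For HMACs" is also thin for a build dependency that is emitted regardless of the efi_archs check above it, while debian/rules only runs openssl when the hmac package is present in debian/control. Either say in the comment that the dependency is intentionally unconditional, or point at the debian/rules step that consumes it.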
-- 
2.34.1



