File 0312-fips-handle-checksum-checks-for-RHEV-kernels.patch of Package dracut
From 581452062f52fa1dc6b45880af7a31ad0744bdb3 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Thu, 18 Jul 2013 13:12:58 +0200
Subject: [PATCH] fips: handle checksum checks for RHEV kernels
https://bugzilla.redhat.com/show_bug.cgi?id=947729
---
 modules.d/01fips/fips.sh | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index c050505..d061dfe 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -51,6 +51,22 @@ mount_boot()
 fi
 }
+do_rhevh_check()
+{
+ KERNEL=$(uname -r)
+ kpath=${1}
+
+ # If we're on RHEV-H, the kernel is in /dev/.initramfs/live/vmlinuz0
+ HMAC_SUM_ORIG=$(cat /boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done)
+ HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1)
+ if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
+ warn "HMAC sum mismatch"
+ return 1
+ fi
+ info "rhevh_check OK"
+ return 0
+}
+
 do_fips()
 {
 info "Checking integrity of kernel"
@@ -61,7 +77,13 @@ do_fips()
 return 1
 fi
- sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+ if [ -e "$NEWROOT/dev/.initramfs/live/vmlinuz0" ]; then
+ do_rhevh_check $NEWROOT/dev/.initramfs/live/vmlinuz0 || return 1
+ elif [ -e "$NEWROOT/dev/.initramfs/live/isolinux/vmlinuz0" ]; then
+ do_rhevh_check $NEWROOT/dev/.initramfs/live/isolinux/vmlinuz0 || return 1
+ else
+ sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+ fi
 FIPSMODULES=$(cat /etc/fipsmodules)
--
1.8.3.1
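Review bot: In do_rhevh_check the `|| return 1` on the `HMAC_SUM_CALC` line sits inside the `$(...)` and is attached to the `while` loop, so a failing `sha512hmac` is never seen there. The function fails closed only because of the later `-z "$HMAC_SUM_CALC"` test. Checking the tool's status directly would make that explicit: `HMAC_SUM_CALC=$(sha512hmac "$kpath") || return 1`, then `HMAC_SUM_CALC=${HMAC_SUM_CALC%% *}` (assuming the usual single-line "sum filename" output). `$kpath` and `$a` are also unquoted and `read` lacks `-r`; the same unquoted path is passed at both `do_rhevh_check $NEWROOT/...` calls in the do_fips hunk, which should read `do_rhevh_check "$NEWROOT/dev/.initramfs/live/vmlinuz0" || return 1`.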
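Review bot: The new `if`/`elif` in do_fips changes which file is integrity-checked without saying so in the code or the log. When a `vmlinuz0` exists under `$NEWROOT/dev/.initramfs/live`, that copy is compared with the first field of `/boot/.vmlinuz-${KERNEL}.hmac`, and the `sha512hmac -c` check of the path recorded in the .hmac file is skipped. A comment above the `if` would document this, for example `# RHEV-H: the kernel is in the live image, so verify that copy against the /boot HMAC instead of the path recorded in the .hmac file`. The success message could name the verified file, e.g. `info "rhevh_check OK: $kpath"`, so a boot log shows which image passed. do_fips starts and ends outside the hunk.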