ima-setup: rebuild all initramfs images to include the integrity dracut module

Resolves: https://issues.redhat.com/browse/RHEL-92638
Conflict: Caused by a typo that exists in upstream

commit ac36e54bee77c82bd7f48a507d014a1ec0055645
Author: Coiby Xu <coxu@redhat.com>
Date:   Thu Jul 10 16:53:18 2025 +0800

    ima-setup: rebuild all initramfs images to include the integrity dracut module

    Resolves: https://issues.redhat.com/browse/RHEL-92638

    Quoting Raju,
      ima-setup currently only rebuilds the initramfs of the running kernel, so
      the older kernels' (n-1 or n-2) initramfs either contains outdated
      information or does not contain the ima module; as a result the system
      fails to boot with an older kernel.

      It is always recommended to have at least 2 older kernels kept
      installed on the system as a fallback option in case the latest
      kernel fails to boot due to some unforeseen issue, so that we can boot
      the system with an older kernel to troubleshoot the can't-boot issue with
      the older kernel.

    Suggested-by: Raju Cheerla <rcheerla@redhat.com>

Signed-off-by: Coiby Xu <coxu@redhat.com>
Coiby Xu 2025-10-30 08:41:06 +08:00
parent 427e17643a
commit 5a27b43c2f


@ -126,15 +126,10 @@ load_ima_keys
# automatically when there is a system reboot
if ! lsinitrd --mod | grep -q integrity; then
cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
dracut -f
if command -v grubby >/dev/null; then
_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
if [[ $_default_kernel != $(uname -r) ]]; then
echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
dracut -f --kver "$_default_kernel"
fi
echo "Regenerating all initramfs images to include the dracut integrity module"
if ! dracut -f --regenerate-all; then
echo "Failed to Regenerate all initramfs images"
exit 1
fi
[[ $(uname -m) == s390x ]] && zipl &> /dev/null
fi
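Review bot: the guard on the hunk's first kept line still inspects only the running kernel's image (`if ! lsinitrd --mod | grep -q integrity; then`), so when the running kernel's initramfs already carries the integrity module the new `dracut -f --regenerate-all` branch is skipped and the older kernels' images described in the commit message stay unfixed until one of them is booted, which is exactly the failure this change is meant to prevent. Consider gating on any installed kernel lacking the module, for example iterating over /lib/modules/*/ and checking each with `lsinitrd --kver "$kver" --mod | grep -q integrity`, or simply running the regeneration unconditionally, since rebuilding an already-correct image costs only time. Dropping the grubby default-kernel branch is fine because `--regenerate-all` covers every kernel under /lib/modules, including the default one. Minor: the failure message in `echo "Failed to Regenerate all initramfs images"` should go to stderr (`>&2`) and use lower-case "regenerate".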