From 5a27b43c2ffa4e77e6f6672cf33d8f50579cf039 Mon Sep 17 00:00:00 2001
From: Coiby Xu
Date: Thu, 30 Oct 2025 08:41:06 +0800
Subject: [PATCH] ima-setup: rebuild all initramfs images to include the integrity dracut module

Resolves: https://issues.redhat.com/browse/RHEL-92638

Conflict: Caused by a typo that exists in upstream commit ac36e54bee77c82bd7f48a507d014a1ec0055645

Author: Coiby Xu
Date: Thu Jul 10 16:53:18 2025 +0800

ima-setup: rebuild all initramfs images to include the integrity dracut module

Resolves: https://issues.redhat.com/browse/RHEL-92638

Quoting Raju,

ima-setup currently only rebuilds the initramfs of the running kernel, so the older kernel's (n-1 or n-2) initramfs does contain outdated information or it does not contain the ima module; as a result the system fails to boot with the older kernel. It is always recommended to have at least 2 older kernels kept installed on the system as a fallback option in case the latest kernel fails to boot due to some unforeseen issue, so that we can boot the system with an older kernel to troubleshoot the can't-boot issue.

Suggested-by: Raju Cheerla
Signed-off-by: Coiby Xu
---
 ima-setup.sh | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/ima-setup.sh b/ima-setup.sh
index 4a61a28..a84fc4d 100755
--- a/ima-setup.sh
+++ b/ima-setup.sh
@@ -126,15 +126,10 @@ load_ima_keys # automatically when there is a system reboot if ! lsinitrd --mod | grep -q integrity; then cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf - echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module" - dracut -f - - if command -v grubby >/dev/null; then - _default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p") - if [[ $_default_kernel != $(uname -r) ]]; then - echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well" - dracut -f --kver "$_default_kernel" - fi + echo "Regenerating all initramfs images to include the dracut integrity module" + if ! dracut -f --regenerate-all; then + echo "Failed to Regenerate all initramfs images" + exit 1 fi [[ $(uname -m) == s390x ]] && zipl &> /dev/null fi
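Review bot: the unchanged guard `if ! lsinitrd --mod | grep -q integrity; then` still inspects only the running kernel's initramfs, so when that image already contains the integrity module but an older installed kernel's image does not (exactly the situation the commit message describes), the new `dracut -f --regenerate-all` branch is never reached and the older kernel still fails to boot. Either check every installed kernel's image (for example by looping over `/lib/modules/*` with `lsinitrd --kver "$kver" --mod`) or regenerate unconditionally once `98-integrity.conf` is in place, since copying the conf file is idempotent. Minor: the new message `echo "Failed to Regenerate all initramfs images"` has a stray capital and, as an error preceding `exit 1`, should go to stderr (`>&2`) so callers can tell it apart from the progress line above it.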