First iteration fips boot support for 6.12 kernel#15659
Merged
chalamalasetty merged 6 commits into3.0-devfrom Feb 7, 2026
Merged
First iteration fips boot support for 6.12 kernel#15659chalamalasetty merged 6 commits into3.0-devfrom
chalamalasetty merged 6 commits into3.0-devfrom
Conversation
Camelron
approved these changes
Feb 2, 2026
Contributor
Camelron
left a comment
There was a problem hiding this comment.
Looks good to me from a dracut standpoint.
Contributor
|
Also looks ok. It would be nice to get some background on why we are removing the patch though: what was broken? Why does it work now without the patch, etc. |
dmcilvaney
approved these changes
Feb 4, 2026
rlmenge
approved these changes
Feb 4, 2026
| # Mocks sha512hmac using the openssl tool. | ||
| # Only for use during RPM build. | ||
|
|
||
| openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1" No newline at end of file |
Contributor
There was a problem hiding this comment.
Nit: missing trailing new line
christopherco
approved these changes
Feb 5, 2026
christopherco
approved these changes
Feb 6, 2026
anphel31
approved these changes
Feb 7, 2026
christopherco
approved these changes
Feb 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
First‑iteration changes for FIPS boot support on the 6.12 kernel for testing.
Upstream includes the cfb and ofb kernel modules in the module list—even though they are deprecated in newer kernel versions —in the latest dracut main branch (https://github.com/dracut-ng/dracut-ng/blob/main/modules.d/11fips/module-setup.sh#L22), which suggests support for kernels beyond 6.8.
We are currently carrying an old Fedora patch (0006-dracut.sh-validate-instmods-calls.patch).
Since we need to support both 6.6 and 6.12 kernels, we are removing this patch to remain on Dracut v102.
Enable building and producing 6.12 FIPS core and marketplace images for initial testing.
Change Log
Enable fips boot support for 6.12 kernel
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology