Description of changes:
This aligns libkcapi with the version specified in the FIPS 140-3 security policy for the Amazon Linux 2023 Kernel Cryptographic API.
Bump the epoch to ensure that the "older" 1.4.0 version is preferred over the "newer" 1.5.0 version from past core kit releases.
Trim the set of installed files down to just the ones referenced by the security policy: sha512hmac and libkcapi.so.1.4.0.
Testing done:
Enabled the FIPS feature for aws-dev and verified that the kernel integrity check still works:
bash-5.2# cd /boot
bash-5.2# sha512hmac -c .vmlinuz.hmac
vmlinuz: OK
This operation implicitly checks the SHA-512 HMAC of /usr/bin/sha512hmac and the SHA-256 HMAC of /usr/lib64/libkcapi.so.1.4.0.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
Issue number: Related: https://github.com/bottlerocket-os/bottlerocket/issues/1667
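What `sha512hmac -c .vmlinuz.hmac` actually does is parse a two-column sidecar file (`<hex HMAC>  <file name>`, the same layout `sha512sum` uses), recompute the keyed digest of the named file, and compare. The script below is an added illustration of that check, not libkcapi's code or anything from the Bottlerocket PR: it reimplements the sidecar write/verify round trip with `openssl` and a placeholder key, then shows the verification failing after the "kernel" is modified. The key value, the `vmlinuz` stand-in contents and the function names are all assumptions; libkcapi's tool uses a fixed built-in key rather than anything you pass in.

```shell
#!/bin/sh
# Added example (not libkcapi or Bottlerocket code): mimic the sidecar-based
# integrity check performed by `sha512hmac -c`.
set -eu

# Assumption: placeholder for the fixed key compiled into libkcapi's hasher.
# That key is not secret; it only needs to be the same on both ends.
KEY="placeholder-not-the-real-key"

# Print the hex HMAC-SHA-512 of file $1 under $KEY (last field of openssl's output).
hmac_sha512() {
    openssl dgst -sha512 -hmac "$KEY" "$1" | awk '{print $NF}'
}

# Write the sidecar ".<name>.hmac" next to $1 in "<hex>  <name>" layout.
write_hmac_file() {
    dir=$(dirname "$1")
    name=$(basename "$1")
    printf '%s  %s\n' "$(hmac_sha512 "$1")" "$name" > "$dir/.$name.hmac"
}

# Verify sidecar $1: parse expected digest and target name, recompute the
# digest of the target (resolved relative to the sidecar's directory, which is
# why the real check is run from /boot), and compare. 0 on match, 1 otherwise.
verify_hmac_file() {
    sidecar=$1
    dir=$(dirname "$sidecar")
    expected=$(awk 'NR==1{print $1}' "$sidecar")
    target=$(awk 'NR==1{print $2}' "$sidecar")
    actual=$(hmac_sha512 "$dir/$target")
    if [ "$expected" = "$actual" ]; then
        echo "$target: OK"
        return 0
    fi
    echo "$target: FAILED"
    return 1
}

# Round trip on constructed data: intact file verifies, tampered file does not.
# Returns 0 only if both outcomes are as expected.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for a kernel image\n' > "$tmp/vmlinuz"
    write_hmac_file "$tmp/vmlinuz"
    if ! verify_hmac_file "$tmp/.vmlinuz.hmac"; then
        rm -rf "$tmp"; return 1          # intact file must pass
    fi
    printf 'x' >> "$tmp/vmlinuz"         # tamper with the "kernel"
    if verify_hmac_file "$tmp/.vmlinuz.hmac"; then
        rm -rf "$tmp"; return 1          # modified file must be rejected
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

Two practical points follow from the script. First, the target name in the sidecar is relative, so the check must be run from the directory holding both files (hence `cd /boot` in the PR's test). Second, because the key is built into the tool and is public, this is an integrity self-test in the FIPS sense: it detects a corrupted or mismatched binary, but it does not by itself stop an attacker who can write both the file and its `.hmac` sidecar; protecting those paths is the job of the read-only root filesystem and verified boot, not of the HMAC.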