* [PATCH 1/2] certs: include certs/signing_key.x509 unconditionally
@ 2022-02-18 4:46 Masahiro Yamada
2022-02-18 4:46 ` [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile Masahiro Yamada
0 siblings, 1 reply; 4+ messages in thread
From: Masahiro Yamada @ 2022-02-18 4:46 UTC (permalink / raw)
To: linux-kbuild, David Howells, David Woodhouse, keyrings
Cc: linux-kernel, Masahiro Yamada
I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".
So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).
We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---
certs/Makefile | 16 ----------------
certs/system_certificates.S | 3 ---
2 files changed, 19 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 3ea7fe60823f..68c1d7b9a388 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -22,25 +22,10 @@ $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert
targets += x509_certificate_list
-ifeq ($(CONFIG_MODULE_SIG),y)
- SIGN_KEY = y
-endif
-
-ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
-ifeq ($(CONFIG_MODULES),y)
- SIGN_KEY = y
-endif
-endif
-
-ifdef SIGN_KEY
-###############################################################################
-#
# If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards.
#
-###############################################################################
-
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
@@ -76,7 +61,6 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
-endif # CONFIG_MODULE_SIG
targets += signing_key.x509
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index e1645e6f4d97..003e25d4a17e 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -9,10 +9,7 @@
system_certificate_list:
__cert_list_start:
__module_cert_start:
-#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
- && defined(CONFIG_MODULES))
.incbin "certs/signing_key.x509"
-#endif
__module_cert_end:
.incbin "certs/x509_certificate_list"
__cert_list_end:
--
2.32.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile
2022-02-18 4:46 [PATCH 1/2] certs: include certs/signing_key.x509 unconditionally Masahiro Yamada
@ 2022-02-18 4:46 ` Masahiro Yamada
2022-02-22 8:12 ` Nicolas Schier
0 siblings, 1 reply; 4+ messages in thread
From: Masahiro Yamada @ 2022-02-18 4:46 UTC (permalink / raw)
To: linux-kbuild, David Howells, David Woodhouse, keyrings
Cc: linux-kernel, Masahiro Yamada
To create an empty cert file, we need to pass "" to the extract-cert
tool, which is common for all the three call-sites of cmd_exract_certs.
Factor out the logic into extract-cert-in.
One exceptional case is PKCS#11 case, where we override extract-cert-in
with the URI.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---
certs/Makefile | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 68c1d7b9a388..d8443cfb1c40 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
endif
quiet_cmd_extract_certs = CERT $@
- cmd_extract_certs = $(obj)/extract-cert $(2) $@
+ cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
+extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
- $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
+ $(call if_changed,extract_certs)
targets += x509_certificate_list
@@ -52,22 +53,22 @@ $(obj)/x509.genkey:
endif # CONFIG_MODULE_SIG_KEY
-# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
-ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-X509_DEP := $(CONFIG_MODULE_SIG_KEY)
-endif
-
$(obj)/system_certificates.o: $(obj)/signing_key.x509
-$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
- $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
+PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
+ifdef PKCS11_URI
+$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
+endif
+
+$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
+ $(call if_changed,extract_certs)
targets += signing_key.x509
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
- $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
+ $(call if_changed,extract_certs)
targets += x509_revocation_list
--
2.32.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile
2022-02-18 4:46 ` [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile Masahiro Yamada
@ 2022-02-22 8:12 ` Nicolas Schier
2022-03-03 0:01 ` Masahiro Yamada
0 siblings, 1 reply; 4+ messages in thread
From: Nicolas Schier @ 2022-02-22 8:12 UTC (permalink / raw)
To: Masahiro Yamada
Cc: linux-kbuild, David Howells, David Woodhouse, keyrings, linux-kernel
On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote:
> To create an empty cert file, we need to pass "" to the extract-cert
> tool, which is common for all the three call-sites of cmd_exract_certs.
Missing a 't' in 'cmd_exract_certs'.
Reviewed-by: Nicolas Schier <n.schier@avm.de>
>
> Factor out the logic into extract-cert-in.
>
> One exceptional case is PKCS#11 case, where we override extract-cert-in
> with the URI.
>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
>
> certs/Makefile | 21 +++++++++++----------
> 1 file changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/certs/Makefile b/certs/Makefile
> index 68c1d7b9a388..d8443cfb1c40 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
> endif
>
> quiet_cmd_extract_certs = CERT $@
> - cmd_extract_certs = $(obj)/extract-cert $(2) $@
> + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
> +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
>
> $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>
> $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
> + $(call if_changed,extract_certs)
>
> targets += x509_certificate_list
>
> @@ -52,22 +53,22 @@ $(obj)/x509.genkey:
>
> endif # CONFIG_MODULE_SIG_KEY
>
> -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
> -X509_DEP := $(CONFIG_MODULE_SIG_KEY)
> -endif
> -
> $(obj)/system_certificates.o: $(obj)/signing_key.x509
>
> -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
> +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> +ifdef PKCS11_URI
> +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> +endif
> +
> +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> + $(call if_changed,extract_certs)
>
> targets += signing_key.x509
>
> $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
>
> $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
> + $(call if_changed,extract_certs)
>
> targets += x509_revocation_list
>
> --
> 2.32.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile
2022-02-22 8:12 ` Nicolas Schier
@ 2022-03-03 0:01 ` Masahiro Yamada
0 siblings, 0 replies; 4+ messages in thread
From: Masahiro Yamada @ 2022-03-03 0:01 UTC (permalink / raw)
To: Nicolas Schier
Cc: Linux Kbuild mailing list, David Howells, David Woodhouse,
keyrings, Linux Kernel Mailing List
On Tue, Feb 22, 2022 at 5:12 PM Nicolas Schier <n.schier@avm.de> wrote:
>
> On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote:
> > To create an empty cert file, we need to pass "" to the extract-cert
> > tool, which is common for all the three call-sites of cmd_exract_certs.
>
> Missing a 't' in 'cmd_exract_certs'.
>
> Reviewed-by: Nicolas Schier <n.schier@avm.de>
>
Thanks. Fixed the typo, and applied to linux-kbuild.
--
Best Regards
Masahiro Yamada
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-03-03 0:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-18 4:46 [PATCH 1/2] certs: include certs/signing_key.x509 unconditionally Masahiro Yamada
2022-02-18 4:46 ` [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile Masahiro Yamada
2022-02-22 8:12 ` Nicolas Schier
2022-03-03 0:01 ` Masahiro Yamada
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.