Keyrings Archive on lore.kernel.org
 help / color / Atom feed
From: David Howells <dhowells@redhat.com>
To: Valdis Kl=?utf-8?Q?=c4=93?=tnieks <valdis.kletnieks@vt.edu>
Cc: dhowells@redhat.com, David Woodhouse <dwmw2@infradead.org>,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] certs: Clean up signing_key.pem and x509.genkey on make mrproper
Date: Fri, 12 Mar 2021 11:19:31 +0000
Message-ID: <2243141.1615547971@warthog.procyon.org.uk> (raw)
In-Reply-To: <159991.1615539999@turing-police>

Valdis Klētnieks <valdis.kletnieks@vt.edu> wrote:

> > Possibly I can add something like:
> >
> > 	clean-files := signing_key.pem x509.genkey
> >
> > inside the
> >
> > 	ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
> > 	...
> > 	endif
> 
> Would that remove them on a 'make clean', or only a 'make mrproper'?
> The latter sounds like the correct solution to me, as the signing key should
> have (roughly) the same lifetime rules as the .config file.

It would appear that it works on neither.  Neither of them seem to have any
CONFIG_xxx symbols set.

How about the attached patch?

David
---
commit 95897dc8dc13ad13c637a477a1ead9b63ff1fafa
Author: David Howells <dhowells@redhat.com>
Date:   Fri Mar 12 10:48:25 2021 +0000

    certs: Clean up signing_key.pem and x509.genkey on make mrproper
    
    Autogenerated signing_key.pem and x509.genkey files aren't removed from the
    build certs/ directory when "make mrproper" is run.  This is somewhat
    deliberate since the "file" is specified by the CONFIG_MODULE_SIG_KEY
    string option and may not be in the build tree - and may not even be a
    filename, but rather a PKCS#7 URI (also the config variables doesn't seem
    to be set when cleaning).
    
    Fix this by unconditionally listing signing_key.pem and x509.genkey for
    removal from the build certs/ directory - which will just do nothing if
    they're not there, and shouldn't remove signing keys that are configured to
    be elsewhere.
    
    Note that this will permanently erase the autogenerated private key, so
    anyone that is relying on it still being around after doing make mrproper
    will no longer find it.
    
    Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
    Reported-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Link: https://lore.kernel.org/r/134696.1615510534@turing-police/ [1]

diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..2ae1dd518bc7 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -104,3 +104,5 @@ targets += signing_key.x509
 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
 	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
 endif # CONFIG_MODULE_SIG
+
+clean-files += signing_key.pem x509.genkey


  parent reply index

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-11  6:32 'make O=' indigestion with module signing Valdis Klētnieks
2021-03-11  9:34 ` David Howells
2021-03-11  9:51   ` Valdis Klētnieks
2021-03-11 10:49 ` David Howells
2021-03-11 11:44   ` Valdis Klētnieks
2021-03-11 12:04   ` David Howells
2021-03-12  0:55     ` Valdis Klētnieks
2021-03-12  9:01     ` David Howells
2021-03-12  9:06       ` Valdis Klētnieks
2021-03-12 11:19       ` David Howells [this message]
2021-05-09 15:11       ` Ingo Molnar
2021-05-09 15:15         ` Ingo Molnar
2021-05-09 16:19           ` Ingo Molnar
2021-05-10 12:41             ` Ingo Molnar
2021-03-11 13:31   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2243141.1615547971@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=valdis.kletnieks@vt.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Keyrings Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/keyrings/0 keyrings/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 keyrings keyrings/ https://lore.kernel.org/keyrings \
		keyrings@vger.kernel.org
	public-inbox-index keyrings

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.keyrings


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git