* [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
@ 2014-01-09 6:46 Lee, Chun-Yi
2014-01-15 4:39 ` Rusty Russell
2014-01-16 12:31 ` David Howells
0 siblings, 2 replies; 7+ messages in thread
From: Lee, Chun-Yi @ 2014-01-09 6:46 UTC (permalink / raw)
To: rusty, dhowells
Cc: linux-kernel, Chun-Yi Lee, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller, Michal Marek
From: Chun-Yi Lee <jlee@suse.com>
This issue was found in devel-pekey branch on linux-modsign.git tree.
The
x509_certificate_list includes certificate twice when the
signing_key.x509
already exists.
We can reproduce this issue by making kernel twice, the build log of
second time looks like this:
...
CHK kernel/config_data.h
CERTS kernel/x509_certificate_list
- Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
- Including cert signing_key.x509
...
Actually the build path was the same with the srctree path when building
kernel. It causes the size of bzImage increased by packaging
certificates
twice.
v2:
Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
between different shells
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Josh Boyer <jwboyer@redhat.com>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Michal Marek <mmarek@suse.com>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/Makefile | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index bc010ee..582fa7a 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-y := $(wildcard *.x509)
+ifneq ($(shell /bin/pwd), $(srctree))
+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
+endif
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
$(or $(realpath $(CERT)),$(CERT))))
--
1.6.4.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-09 6:46 [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509 Lee, Chun-Yi
@ 2014-01-15 4:39 ` Rusty Russell
2014-01-16 4:03 ` joeyli
2014-01-16 15:35 ` Michal Marek
2014-01-16 12:31 ` David Howells
1 sibling, 2 replies; 7+ messages in thread
From: Rusty Russell @ 2014-01-15 4:39 UTC (permalink / raw)
To: Lee, Chun-Yi, dhowells
Cc: linux-kernel, Chun-Yi Lee, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller, Michal Marek, David Howells
Punting to David Howells...
Cheers,
Rusty.
"Lee, Chun-Yi" <joeyli.kernel@gmail.com> writes:
> From: Chun-Yi Lee <jlee@suse.com>
>
> This issue was found in devel-pekey branch on linux-modsign.git tree.
> The
> x509_certificate_list includes certificate twice when the
> signing_key.x509
> already exists.
> We can reproduce this issue by making kernel twice, the build log of
> second time looks like this:
>
> ...
> CHK kernel/config_data.h
> CERTS kernel/x509_certificate_list
> - Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
> - Including cert signing_key.x509
> ...
>
> Actually the build path was the same with the srctree path when building
> kernel. It causes the size of bzImage increased by packaging
> certificates
> twice.
>
> v2:
> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
> between different shells
Hmm, that's not a great test for equality. How about:
ifneq ($(realpath .), $(realpath $(srctree)))
That should cover all the cases.
Cheers,
Rusty.
>
> Cc: Rusty Russell <rusty@rustcorp.com.au>
> Cc: Josh Boyer <jwboyer@redhat.com>
> Cc: Randy Dunlap <rdunlap@xenotime.net>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Michal Marek <mmarek@suse.com>
> Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> kernel/Makefile | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/Makefile b/kernel/Makefile
> index bc010ee..582fa7a 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
> #
> ###############################################################################
> ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
> -X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
> +X509_CERTIFICATES-y := $(wildcard *.x509)
> +ifneq ($(shell /bin/pwd), $(srctree))
> +X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
> +endif
> X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
> X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
> $(or $(realpath $(CERT)),$(CERT))))
> --
> 1.6.4.2
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-15 4:39 ` Rusty Russell
@ 2014-01-16 4:03 ` joeyli
2014-01-16 15:35 ` Michal Marek
1 sibling, 0 replies; 7+ messages in thread
From: joeyli @ 2014-01-16 4:03 UTC (permalink / raw)
To: Rusty Russell
Cc: dhowells, linux-kernel, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller, Michal Marek
於 三,2014-01-15 於 15:09 +1030,Rusty Russell 提到:
> >
> > v2:
> > Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more
> reliable
> > between different shells
>
> Hmm, that's not a great test for equality. How about:
>
> ifneq ($(realpath .), $(realpath $(srctree)))
>
> That should cover all the cases.
>
> Cheers,
> Rusty.
Yes, it's better!
Thanks for your suggestion, I will send new version with changelog
updated.
Joey Lee
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-09 6:46 [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509 Lee, Chun-Yi
2014-01-15 4:39 ` Rusty Russell
@ 2014-01-16 12:31 ` David Howells
2014-01-17 5:56 ` joeyli
1 sibling, 1 reply; 7+ messages in thread
From: David Howells @ 2014-01-16 12:31 UTC (permalink / raw)
To: Lee, Chun-Yi
Cc: dhowells, rusty, linux-kernel, Chun-Yi Lee, Josh Boyer,
Randy Dunlap, Herbert Xu, David S. Miller, Michal Marek
Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> This issue was found in devel-pekey branch on linux-modsign.git tree.
> The
Are you asking for this to go upstream or into my devel-pekey branch?
If upstream you want it to go upstream, I presume commit
d7ec435fdd03cfee70dba934ee384acc87bd6d00 doesn't fix the problem?
David
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-15 4:39 ` Rusty Russell
2014-01-16 4:03 ` joeyli
@ 2014-01-16 15:35 ` Michal Marek
2014-01-16 22:06 ` Rusty Russell
1 sibling, 1 reply; 7+ messages in thread
From: Michal Marek @ 2014-01-16 15:35 UTC (permalink / raw)
To: Rusty Russell, Lee, Chun-Yi, dhowells
Cc: linux-kernel, Chun-Yi Lee, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller
On 15.1.2014 05:39, Rusty Russell wrote:
> "Lee, Chun-Yi" <joeyli.kernel@gmail.com> writes:
>> From: Chun-Yi Lee <jlee@suse.com>
>> v2:
>> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
>> between different shells
>
> Hmm, that's not a great test for equality. How about:
>
> ifneq ($(realpath .), $(realpath $(srctree)))
>
> That should cover all the cases.
make 3.80 does not have realpath :(.
Michal
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-16 15:35 ` Michal Marek
@ 2014-01-16 22:06 ` Rusty Russell
0 siblings, 0 replies; 7+ messages in thread
From: Rusty Russell @ 2014-01-16 22:06 UTC (permalink / raw)
To: Michal Marek, Lee, Chun-Yi, dhowells
Cc: linux-kernel, Chun-Yi Lee, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller
Michal Marek <mmarek@suse.com> writes:
> On 15.1.2014 05:39, Rusty Russell wrote:
>> "Lee, Chun-Yi" <joeyli.kernel@gmail.com> writes:
>>> From: Chun-Yi Lee <jlee@suse.com>
>>> v2:
>>> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
>>> between different shells
>>
>> Hmm, that's not a great test for equality. How about:
>>
>> ifneq ($(realpath .), $(realpath $(srctree)))
>>
>> That should cover all the cases.
>
> make 3.80 does not have realpath :(.
OK, I guess the former is the best compromise then.
Thanks,
Rusty.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509
2014-01-16 12:31 ` David Howells
@ 2014-01-17 5:56 ` joeyli
0 siblings, 0 replies; 7+ messages in thread
From: joeyli @ 2014-01-17 5:56 UTC (permalink / raw)
To: David Howells
Cc: rusty, linux-kernel, Josh Boyer, Randy Dunlap, Herbert Xu,
David S. Miller, Michal Marek
於 四,2014-01-16 於 12:31 +0000,David Howells 提到:
>
> Are you asking for this to go upstream or into my devel-pekey branch?
>
> If upstream you want it to go upstream, I presume commit
> d7ec435fdd03cfee70dba934ee384acc87bd6d00 doesn't fix the problem?
>
> David
You are right. I tried the d7ec435 patch fixed issue. Please ignore my
patch.
Thanks a lot!
Joey Lee
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-01-17 5:58 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-09 6:46 [PATCH] MODSIGN: Fix including certificate twice when the signing_key.x509 Lee, Chun-Yi
2014-01-15 4:39 ` Rusty Russell
2014-01-16 4:03 ` joeyli
2014-01-16 15:35 ` Michal Marek
2014-01-16 22:06 ` Rusty Russell
2014-01-16 12:31 ` David Howells
2014-01-17 5:56 ` joeyli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).