From: David Howells <dhowells@redhat.com>
To: mcgrof@gmail.com
Cc: mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
gregkh@linuxfoundation.org, kyle@kernel.org,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
seth.forshee@canonical.com,
linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
dwmw2@infradead.org
Subject: [PATCH 23/27] modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
Date: Fri, 17 Jul 2015 17:19:28 +0100 [thread overview]
Message-ID: <20150717161928.2578.21019.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20150717161456.2578.95678.stgit@warthog.procyon.org.uk>
From: David Woodhouse <David.Woodhouse@intel.com>
Fix up the dependencies somewhat too, while we're at it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/Makefile | 25 ++++++++++++-------------
kernel/system_certificates.S | 3 +++
scripts/Makefile | 3 ++-
3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 686d93b93006..9e31922138d0 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -166,23 +166,22 @@ endef
#
###############################################################################
-
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS))
-SIGNING_X509-$(CONFIG_MODULE_SIG) += signing_key.x509
-
-kernel/system_certificates.o: $(obj)/x509_certificate_list
+# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871)
+$(obj)/system_certificates.o: $(obj)/x509_certificate_list
-quiet_cmd_x509certs = CERTS $(SIGNING_X509-y) $(patsubst "%",%,$(2))
- cmd_x509certs = ( cat $(SIGNING_X509-y) /dev/null; \
- awk '/-----BEGIN CERTIFICATE-----/{flag=1;next}/-----END CERTIFICATE-----/{flag=0}flag' $(2) /dev/null | base64 -d ) > $@ || ( rm $@; exit 1)
+# Cope with signing_key.x509 existing in $(srctree) not $(objtree)
+AFLAGS_system_certificates.o := -I$(srctree)
-targets += $(obj)/x509_certificate_list
-$(obj)/x509_certificate_list: $(SIGNING_X509-y) include/config/system/trusted/keys.h $(wildcard include/config/module/sig.h) $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME)
- $(call if_changed,x509certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
+quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2))
+ cmd_extract_certs = scripts/extract-cert $(2) $@ || ( rm $@; exit 1)
+targets += x509_certificate_list
+$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE
+ $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
endif
clean-files := x509_certificate_list .x509.list
@@ -248,9 +247,9 @@ ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword
X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
endif
-quiet_cmd_extract_der = SIGNING_CERT $(patsubst "%",%,$(2))
- cmd_extract_der = scripts/extract-cert $(2) signing_key.x509
+# GCC PR#66871 again.
+$(obj)/system_certificates.o: signing_key.x509
signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
- $(call cmd,extract_der,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
+ $(call cmd,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
endif
diff --git a/kernel/system_certificates.S b/kernel/system_certificates.S
index 3e9868d47535..6ba2f75e7ba5 100644
--- a/kernel/system_certificates.S
+++ b/kernel/system_certificates.S
@@ -7,6 +7,9 @@
.globl VMLINUX_SYMBOL(system_certificate_list)
VMLINUX_SYMBOL(system_certificate_list):
__cert_list_start:
+#ifdef CONFIG_MODULE_SIG
+ .incbin "signing_key.x509"
+#endif
.incbin "kernel/x509_certificate_list"
__cert_list_end:
diff --git a/scripts/Makefile b/scripts/Makefile
index 236f683510bd..1b2661712d44 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -16,7 +16,8 @@ hostprogs-$(CONFIG_VT) += conmakehash
hostprogs-$(BUILD_C_RECORDMCOUNT) += recordmcount
hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable
hostprogs-$(CONFIG_ASN1) += asn1_compiler
-hostprogs-$(CONFIG_MODULE_SIG) += sign-file extract-cert
+hostprogs-$(CONFIG_MODULE_SIG) += sign-file
+hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
next prev parent reply other threads:[~2015-07-17 16:19 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-17 16:14 [PATCH 00/27] MODSIGN: Use PKCS#7 for module signatures David Howells
2015-07-17 16:15 ` [PATCH 01/27] X.509: Extract both parts of the AuthorityKeyIdentifier David Howells
2015-07-17 16:15 ` [PATCH 02/27] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier David Howells
2015-07-17 16:15 ` [PATCH 03/27] PKCS#7: Allow detached data to be supplied for signature checking purposes David Howells
2015-07-17 16:15 ` [PATCH 04/27] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2015-07-17 16:15 ` [PATCH 05/27] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2015-07-17 16:16 ` [PATCH 06/27] sign-file: Add option to only create signature file David Howells
2015-07-17 16:16 ` [PATCH 07/27] system_keyring.c doesn't need to #include module-internal.h David Howells
2015-07-17 16:16 ` [PATCH 08/27] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing David Howells
2015-07-17 16:16 ` [PATCH 09/27] modsign: Abort modules_install when signing fails David Howells
2015-07-17 16:16 ` [PATCH 10/27] modsign: Allow password to be specified for signing key David Howells
2015-07-17 16:17 ` [PATCH 11/27] modsign: Allow signing key to be PKCS#11 David Howells
2015-07-17 16:17 ` [PATCH 12/27] modsign: Allow external signing key to be specified David Howells
2015-07-17 16:17 ` [PATCH 13/27] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Howells
2015-07-17 16:17 ` [PATCH 14/27] modsign: Use single PEM file for autogenerated key David Howells
2015-07-17 16:17 ` [PATCH 15/27] modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option David Howells
2015-07-17 16:18 ` [PATCH 16/27] PKCS#7: Check content type and versions David Howells
2015-07-17 16:18 ` [PATCH 17/27] ASN.1: Add an ASN.1 compiler option to dump the element tree David Howells
2015-07-17 16:18 ` [PATCH 18/27] ASN.1: Fix handling of CHOICE in ASN.1 compiler David Howells
2015-07-17 16:18 ` [PATCH 19/27] X.509: Change recorded SKID & AKID to not include Subject or Issuer David Howells
2015-07-17 16:18 ` [PATCH 20/27] PKCS#7: Support CMS messages also [RFC5652] David Howells
2015-07-17 16:19 ` [PATCH 21/27] sign-file: Generate CMS message as signature instead of PKCS#7 David Howells
2015-07-17 16:19 ` [PATCH 22/27] extract-cert: Cope with multiple X.509 certificates in a single file David Howells
2015-07-17 16:19 ` David Howells [this message]
2015-07-17 16:19 ` [PATCH 24/27] X.509: Restrict the usage of a key based on information in X.509 certificate David Howells
2015-07-17 16:19 ` [PATCH 25/27] X.509: Parse the keyUsage extension to detect key-signing keys David Howells
2015-07-17 16:20 ` [PATCH 26/27] PKCS#7: Add an optional authenticated attribute to hold firmware name David Howells
2015-07-17 16:20 ` [PATCH 27/27] KEYS: Restrict signature verification to keys appropriate to the purpose David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150717161928.2578.21019.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=keyrings@linux-nfs.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mcgrof@gmail.com \
--cc=mjg59@srcf.ucam.org \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).