From: Benjamin Poirier <bpoirier@suse.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Michal Marek <mmarek@suse.cz>, joeyli <jlee@suse.com>,
	"Yann E . MORIN " <yann.morin.1998@free.fr>,
	linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] localmodconfig: Reset certificate paths
Date: Sat,  2 Apr 2016 10:55:22 -0700
Message-ID: <1459619722-13695-2-git-send-email-bpoirier@suse.com>
In-Reply-To: <1459619722-13695-1-git-send-email-bpoirier@suse.com>

When using `make localmodconfig` and friends, if the input config comes
from a kernel that was built in a different environment (for example, the
canonical case of using localmodconfig to trim a distribution kernel
config) the key files for module signature checking will not be available
and should be regenerated or omitted. Otherwise, the user will be faced
with annoying errors when trying to build with the generated .config:

make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
Makefile:1576: recipe for target 'certs/' failed

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
---
 scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
index 7036ae3..514735d 100755
--- a/scripts/kconfig/streamline_config.pl
+++ b/scripts/kconfig/streamline_config.pl
@@ -610,6 +610,40 @@ foreach my $line (@config_file) {
 	next;
     }
 
+    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
+        my $orig_cert = $1;
+        my $default_cert = "certs/signing_key.pem";
+
+        # Check that the logic in this script still matches the one in Kconfig
+        if (!defined($depends{"MODULE_SIG_KEY"}) ||
+            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
+            die "Assertion failure, update needed";
+        }
+
+        if ($orig_cert ne $default_cert && ! -f $orig_cert) {
+            print STDERR "Module signature verification enabled but ",
+                "module signing key \"$orig_cert\" not found. Resetting ",
+                "signing key to default value.\n";
+            print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
+        } else {
+            print;
+        }
+        next;
+    }
+
+    if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
+        my $orig_keys = $1;
+
+        if (! -f $orig_keys) {
+            print STDERR "System keyring enabled but keys \"$orig_keys\" ",
+                "not found. Resetting keys to default value.\n";
+            print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
+        } else {
+            print;
+        }
+        next;
+    }
+
     if (/^(CONFIG.*)=(m|y)/) {
 	if (defined($configs{$1})) {
 	    if ($localyesconfig) {
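
Review bot: in the CONFIG_SYSTEM_TRUSTED_KEYS block, a failed `-f $orig_keys` test rewrites the option to `""`, which changes which keys are built into the system keyring of the resulting kernel, yet the STDERR text only says "Resetting keys to default value"; the message should state that no additional trusted keys will be built in, so the change is not mistaken for a no-op. Both `-f` tests resolve a relative value against the script's working directory and treat anything that is not a regular file there as missing, so please confirm that this is the directory the build later resolves these paths against and that every valid value of the two options is a file path. The two new matches are unanchored, unlike the `/^(CONFIG.*)=(m|y)/` test that follows; `/^CONFIG_MODULE_SIG_KEY="(.+)"/` and `/^CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/` would avoid matching the name in the middle of a line. The `die "Assertion failure, update needed"` text should name MODULE_SIG_KEY and the expected default so that whoever hits it knows what to update, and the added lines indent with spaces where the surrounding context uses tabs.
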
-- 
2.7.2
