All of lore.kernel.org
 help / color / mirror / Atom feed
From: Masahiro Yamada <masahiroy@kernel.org>
To: linux-kbuild@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Masahiro Yamada <masahiroy@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Nicolas Schier <nicolas@fjasle.eu>
Subject: [PATCH 7/8] kbuild: support 'make modules_sign' with CONFIG_MODULE_SIG_ALL=n
Date: Wed, 23 Aug 2023 20:50:47 +0900	[thread overview]
Message-ID: <20230823115048.823011-7-masahiroy@kernel.org> (raw)
In-Reply-To: <20230823115048.823011-1-masahiroy@kernel.org>

Commit d890f510c8e4 ("MODSIGN: Add modules_sign make target") introduced
'make modules_sign' to manually sign modules.

Some time later, commit d9d8d7ed498e ("MODSIGN: Add option to not sign
modules during modules_install") introduced CONFIG_MODULE_SIG_ALL.
If it was disabled, mod_sign_cmd was set to no-op ('true' command).
It affected not only 'make modules_install' but also 'make modules_sign'.
With CONFIG_MODULE_SIG_ALL=n, 'make modules_install' did not sign modules
and 'make modules_sign' could not sign modules either.

Kbuild has kept that behavior, and nobody has complained about it, but
I think it is weird.

CONFIG_MODULE_SIG_ALL=n should turn off signing only for modules_install.
If users want to sign modules manually, they should be allowed to use
'make modules_sign'.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 scripts/Makefile.modinst | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index dc7c54669082..33d424a3f265 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -106,7 +106,6 @@ endif
 # Signing
 # Don't stop modules_install even if we can't sign external modules.
 #
-ifeq ($(CONFIG_MODULE_SIG_ALL),y)
 ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
 sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
 else
@@ -115,13 +114,15 @@ endif
 quiet_cmd_sign = SIGN    $@
       cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
                  $(if $(KBUILD_EXTMOD),|| true)
-else
+
+ifeq ($(modules_sign_only),)
+
+# During modules_install, modules are signed only when CONFIG_MODULE_SIG_ALL=y.
+ifndef CONFIG_MODULE_SIG_ALL
 quiet_cmd_sign :=
       cmd_sign := :
 endif
 
-ifeq ($(modules_sign_only),)
-
 $(dst)/%.ko: $(extmod_prefix)%.ko FORCE
 	$(call cmd,install)
 	$(call cmd,strip)
-- 
2.39.2


  parent reply	other threads:[~2023-08-23 11:51 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-23 11:50 [PATCH 1/8] kbuild: do not run depmod for 'make modules_sign' Masahiro Yamada
2023-08-23 11:50 ` [PATCH 2/8] kbuild: add modules_sign to no-{compiler,sync-config}-targets Masahiro Yamada
2023-08-23 19:53   ` Nicolas Schier
2023-08-23 11:50 ` [PATCH 3/8] kbuild: move depmod rule to scripts/Makefile.modinst Masahiro Yamada
2023-08-23 19:53   ` Nicolas Schier
2023-08-26 13:50     ` Masahiro Yamada
2023-08-23 11:50 ` [PATCH 4/8] kbuild: remove $(MODLIB)/source symlink Masahiro Yamada
2023-08-23 20:17   ` Nicolas Schier
2023-08-23 11:50 ` [PATCH 5/8] kbuild: reduce the number of mkdir calls during modules_install Masahiro Yamada
2023-08-23 20:22   ` Nicolas Schier
2023-08-23 11:50 ` [PATCH 6/8] kbuild: move more module installation code to scripts/Makefile.modinst Masahiro Yamada
2023-08-28 14:25   ` Nicolas Schier
2023-08-29  2:35     ` Masahiro Yamada
2023-08-29  3:50       ` Nicolas Schier
2023-08-23 11:50 ` Masahiro Yamada [this message]
2023-08-28 14:31   ` [PATCH 7/8] kbuild: support 'make modules_sign' with CONFIG_MODULE_SIG_ALL=n Nicolas Schier
2023-08-23 11:50 ` [PATCH 8/8] kbuild: support modules_sign for external modules as well Masahiro Yamada
2023-08-28 14:52   ` Nicolas Schier
2023-08-23 19:52 ` [PATCH 1/8] kbuild: do not run depmod for 'make modules_sign' Nicolas Schier
2023-08-26 13:36   ` Masahiro Yamada

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230823115048.823011-7-masahiroy@kernel.org \
    --to=masahiroy@kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=nicolas@fjasle.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.