History log of /linux/certs/Makefile (Results 1 – 25 of 39)
Revision Date Author Comments
# b1c3d2be 31-Jan-2023 Jan Luebbe <jlu@pengutronix.de>

certs: Fix build error when PKCS#11 URI contains semicolon

When CONFIG_MODULE_SIG_KEY is a PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:

    certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
    Usage: extract-cert <source> <dest>

Add quotes to the extract-cert argument to avoid splitting by the shell.

This approach was suggested by Masahiro Yamada <masahiroy@kernel.org>.

Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 31f6d95c 11-Jun-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: unify blacklist_hashes.c and blacklist_nohashes.c

These two files are very similar. Unify them.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>


# 9008a676 11-Jun-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: move scripts/check-blacklist-hashes.awk to certs/

This script is only used in certs/Makefile, so certs/ is a better
home for it.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>


# 60050ffe 18-May-2022 David Howells <dhowells@redhat.com>

certs: Move load_certificate_list() to be with the asymmetric keys code

Move load_certificate_list(), which loads a series of binary X.509
certificates from a blob and inserts them as keys into a keyring, to be
with the asymmetric keys code that it drives.

This makes it easier to add FIPS selftest code in which we need to load up
a private keyring for the tests to use.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/


# 27b5b22d 11-Jun-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST build

Commit addf466389d9 ("certs: Check that builtin blacklist hashes are
valid") was applied 8 months after the submission.

In the meantime, the base code had been removed by commit b8c96a6b466c
("certs: simplify $(srctree)/ handling and remove config_filename
macro").

Fix the Makefile.

Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is
included from certs/blacklist_hashes.c and also works as a timestamp.

Send error messages from check-blacklist-hashes.awk to stderr instead
of stdout.

Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>


# d56fd986 10-Jun-2022 David Howells <dhowells@redhat.com>

certs: Convert spaces in certs/Makefile to a tab

There's a rule in certs/Makefile for which the command begins with eight
spaces. This results in:

    ../certs/Makefile:21: FORCE prerequisite is missing
    ../certs/Makefile:21: *** missing separator. Stop.

Fix this by turning the spaces into a tab.

Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/486b1b80-9932-aab6-138d-434c541c934a@digikod.net/ # v1
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>


# addf4663 12-Jul-2021 Mickaël Salaün <mic@linux.microsoft.com>

certs: Check that builtin blacklist hashes are valid

Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes. This is useful
to debug invalid hash formats, and it makes sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and dealt with by the user at kernel build time.

This also prevents stricter blacklist key description checking (provided
by following commits) from failing for builtin hashes.

Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>


# d5ea4fec 01-Apr-2022 Chun-Tse Shao <ctshao@google.com>

kbuild: Allow kernel installation packaging to override pkg-config

Add HOSTPKG_CONFIG to allow tooling that builds the kernel to override
what pkg-config and parameters are used.

Signed-off-by: Chun-Tse Shao <ctshao@google.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# f44b645f 18-Feb-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: simplify empty certs creation in certs/Makefile

To create an empty cert file, we need to pass "" to the extract-cert
tool, which is common for all the three call-sites of cmd_extract_certs.

Factor out the logic into extract-cert-in.

One exceptional case is PKCS#11 case, where we override extract-cert-in
with the URI.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>


# 6ce019f7 18-Feb-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: include certs/signing_key.x509 unconditionally

I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".

So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).

We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# e6340b65 20-Jan-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: Fix build error when CONFIG_MODULE_SIG_KEY is empty

Since b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove
config_filename macro"), when CONFIG_MODULE_SIG_KEY is empty,
signing_key.x509 fails to build:

    CERT    certs/signing_key.x509
    Usage: extract-cert <source> <dest>
    make[1]: *** [certs/Makefile:78: certs/signing_key.x509] Error 2
    make: *** [Makefile:1831: certs] Error 2

Pass "" to the first argument of extract-cert to fix the build error.

Link: https://lore.kernel.org/linux-kbuild/20220120094606.2skuyb26yjlnu66q@lion.mk-sys.cz/T/#u
Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro")
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Tested-by: Michal Kubecek <mkubecek@suse.cz>


# ad29a2fb 20-Jan-2022 Masahiro Yamada <masahiroy@kernel.org>

certs: Fix build error when CONFIG_MODULE_SIG_KEY is PKCS#11 URI

When CONFIG_MODULE_SIG_KEY is a PKCS#11 URL (pkcs11:*), signing_key.x509
fails to build:

    certs/Makefile:77: *** target pattern contains no '%'. Stop.

Due to the typo, $(X509_DEP) contains a colon.

Fix it.

Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 340a0253 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: move scripts/extract-cert to certs/

extract-cert is only used in certs/Makefile.

Move it there and build extract-cert on demand.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 129ab0d2 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

kbuild: do not quote string values in include/config/auto.conf

The previous commit fixed up all shell scripts to not include
include/config/auto.conf.

Now that include/config/auto.conf is only included by Makefiles,
we can change it into a more Make-friendly form.

Previously, Kconfig output string values enclosed with double-quotes
(both in the .config and include/config/auto.conf):

    CONFIG_X="foo bar"

Unlike shell, Make handles double-quotes (and single-quotes as well)
verbatim. We must rip them off when used.

There are some patterns:

    [1] $(patsubst "%",%,$(CONFIG_X))
    [2] $(CONFIG_X:"%"=%)
    [3] $(subst ",,$(CONFIG_X))
    [4] $(shell echo $(CONFIG_X))

These are not only ugly, but also fragile.

[1] and [2] do not work if the value contains spaces, like
    CONFIG_X=" foo bar "

[3] does not work correctly if the value contains double-quotes like
    CONFIG_X="foo\"bar"

[4] seems to work better, but has a cost of forking a process.

Anyway, quoted strings were always PITA for our Makefiles.

This commit changes Kconfig to stop quoting in include/config/auto.conf.

These are the string type symbols referenced in Makefiles or scripts:

ACPI_CUSTOM_DSDT_FILE
ARC_BUILTIN_DTB_NAME
ARC_TUNE_MCPU
BUILTIN_DTB_SOURCE
CC_IMPLICIT_FALLTHROUGH
CC_VERSION_TEXT
CFG80211_EXTRA_REGDB_KEYDIR
EXTRA_FIRMWARE
EXTRA_FIRMWARE_DIR
EXTRA_TARGETS
H8300_BUILTIN_DTB
INITRAMFS_SOURCE
LOCALVERSION
MODULE_SIG_HASH
MODULE_SIG_KEY
NDS32_BUILTIN_DTB
NIOS2_DTB_SOURCE
OPENRISC_BUILTIN_DTB
SOC_CANAAN_K210_DTB_SOURCE
SYSTEM_BLACKLIST_HASH_LIST
SYSTEM_REVOCATION_KEYS
SYSTEM_TRUSTED_KEYS
TARGET_CPU
UNUSED_KSYMS_WHITELIST
XILINX_MICROBLAZE0_FAMILY
XILINX_MICROBLAZE0_HW_VER
XTENSA_VARIANT_NAME

I checked them one by one, and fixed up the code where necessary.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# b8c96a6b 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: simplify $(srctree)/ handling and remove config_filename macro

The complex macro, config_filename, was introduced to do:

[1] drop double-quotes from the string value
[2] add $(srctree)/ prefix in case the file is not found in $(objtree)
[3] escape spaces and more

[1] will be more generally handled by Kconfig later.

As for [2], Kbuild uses VPATH to search for files in $(objtree),
$(srctree) in this order. GNU Make can natively handle it.

As for [3], converting $(space) to $(space_escape) back and forth looks
questionable to me. It is well-known that GNU Make cannot handle file
paths with spaces in the first place.

Instead of using the complex macro, use $< so it will be expanded to
the file path of the key.

Remove config_filename, finally.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 5410f3e8 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: remove misleading comments about GCC PR

This dependency is necessary irrespective of the mentioned GCC PR
because the embedded certificates are build artifacts and must be
generated by extract_certs before *.S files are compiled.

The comment sounds like we are hoping to remove these dependencies
someday. No, we cannot remove them.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 5cca3606 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: refactor file cleaning

'make clean' removes files listed in 'targets'. It is redundant to
specify both 'targets' and 'clean-files'.

Move 'targets' assignments out of the ifeq-conditionals so
scripts/Makefile.clean can see them.

One effective change is that certs/certs/signing_key.x509 is now
deleted by 'make clean' instead of 'make mrproper'. This certificate
is embedded in the kernel. It is not used in any way by external
module builds.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>


# 3958f215 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: remove unneeded -I$(srctree) option for system_certificates.o

The .incbin directive in certs/system_certificates.S includes
certs/signing_key.x509 and certs/x509_certificate_list, both of which
are generated by extract_certs, i.e. exist in $(objtree).

This option -I$(srctree) is unneeded.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 1c4bd9f7 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: unify duplicated cmd_extract_certs and improve the log

cmd_extract_certs is defined twice. Unify them.

The current log shows the input file $(2), which might be empty.
You cannot know what is being created from the log, "EXTRACT_CERTS".

Change the log to show the output file with better alignment.

[Before]

    EXTRACT_CERTS   certs/signing_key.pem
    CC      certs/system_keyring.o
    EXTRACT_CERTS
    AS      certs/system_certificates.o
    CC      certs/common.o
    CC      certs/blacklist.o
    EXTRACT_CERTS
    AS      certs/revocation_certificates.o

[After]

    CERT    certs/signing_key.x509
    CC      certs/system_keyring.o
    CERT    certs/x509_certificate_list
    AS      certs/system_certificates.o
    CC      certs/common.o
    CC      certs/blacklist.o
    CERT    certs/x509_revocation_list
    AS      certs/revocation_certificates.o

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>


# c537e4d0 14-Dec-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: use $< and $@ to simplify the key generation rule

Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>


# e06a61a8 05-Nov-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: use if_changed to re-generate the key when the key type is changed

If the key type of the existing signing key does not match
CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is
re-generated.

Use if_changed so that the key is re-generated when the key type is
changed (that is, the openssl command line is changed).

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 54c8b517 05-Nov-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: use 'cmd' to hide openssl output in silent builds more simply

Commit 5d06ee20b662 ("modsign: hide openssl output in silent builds")
silenced the key generation log from openssl in silent builds.

Since commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent
build"), the 'cmd' macro can handle it in a cleaner way.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# f8487d28 05-Nov-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: remove noisy messages while generating the signing key

When you run Kbuild with the parallel option -j, the messages from this
rule and others are interleaved, as follows:

    ###
      CC      arch/x86/mm/pat/set_memory.o
    ### Now generating an X.509 key pair to be used for signing modules.
    ###
    ### If this takes a long time, you might wish to run rngd in the
    ### background to keep the supply of entropy topped up. It
      CC      arch/x86/events/intel/bts.o
      HDRTEST usr/include/linux/qnx4_fs.h
      CC      arch/x86/events/zhaoxin/core.o
    ### needs to be run as root, and uses a hardware random
    ### number generator if one is available.
      AR      init/built-in.a
    ###

On modern machines, it does not take a long time to generate the key.

Remove the ugly log messages.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# f3a2ba44 05-Nov-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: check-in the default x509 config file

When x509.genkey is created, it prints a log:

    Generating X.509 key generation config

..., which is not the ordinary Kbuild log style.

Check-in the default config as certs/default_x509.genkey to make it
readable, and copy it to certs/x509.genkey if it is not present.

The log is shown in the Kbuild style.

    COPY    certs/x509.genkey

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


# 54e2c77d 05-Nov-2021 Masahiro Yamada <masahiroy@kernel.org>

certs: remove meaningless $(error ...) in certs/Makefile

CONFIG_MODULE_SIG_HASH is defined by init/Kconfig. This $(error ...) is
never reachable. (If it is, you need to fix the bug.)

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
