#
b1c3d2be |
| 31-Jan-2023 |
Jan Luebbe <jlu@pengutronix.de> |
certs: Fix build error when PKCS#11 URI contains semicolon
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build:
certs/extract-cert pkcs1
certs: Fix build error when PKCS#11 URI contains semicolon
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build:
certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 Usage: extract-cert <source> <dest>
Add quotes to the extract-cert argument to avoid splitting by the shell.
This approach was suggested by Masahiro Yamada <masahiroy@kernel.org>.
Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
31f6d95c |
| 11-Jun-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: unify blacklist_hashes.c and blacklist_nohashes.c
These two files are very similar. Unify them.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.m
certs: unify blacklist_hashes.c and blacklist_nohashes.c
These two files are very similar. Unify them.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
show more ...
|
#
9008a676 |
| 11-Jun-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: move scripts/check-blacklist-hashes.awk to certs/
This script is only used in certs/Makefile, so certs/ is a better home for it.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewe
certs: move scripts/check-blacklist-hashes.awk to certs/
This script is only used in certs/Makefile, so certs/ is a better home for it.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
show more ...
|
#
60050ffe |
| 18-May-2022 |
David Howells <dhowells@redhat.com> |
certs: Move load_certificate_list() to be with the asymmetric keys code
Move load_certificate_list(), which loads a series of binary X.509 certificates from a blob and inserts them as keys into a ke
certs: Move load_certificate_list() to be with the asymmetric keys code
Move load_certificate_list(), which loads a series of binary X.509 certificates from a blob and inserts them as keys into a keyring, to be with the asymmetric keys code that it drives.
This makes it easier to add FIPS selftest code in which we need to load up a private keyring for the tests to use.
Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au> cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/
show more ...
|
#
27b5b22d |
| 11-Jun-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST build
Commit addf466389d9 ("certs: Check that builtin blacklist hashes are valid") was applied 8 months after the submission.
In the meanti
certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST build
Commit addf466389d9 ("certs: Check that builtin blacklist hashes are valid") was applied 8 months after the submission.
In the meantime, the base code had been removed by commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro").
Fix the Makefile.
Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is included from certs/blacklist_hashes.c and also works as a timestamp.
Send error messages from check-blacklist-hashes.awk to stderr instead of stdout.
Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
show more ...
|
#
d56fd986 |
| 10-Jun-2022 |
David Howells <dhowells@redhat.com> |
certs: Convert spaces in certs/Makefile to a tab
There's a rule in certs/Makefile for which the command begins with eight spaces. This results in:
../certs/Makefile:21: FORCE prerequisite
certs: Convert spaces in certs/Makefile to a tab
There's a rule in certs/Makefile for which the command begins with eight spaces. This results in:
../certs/Makefile:21: FORCE prerequisite is missing ../certs/Makefile:21: *** missing separator. Stop.
Fix this by turning the spaces into a tab.
Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/486b1b80-9932-aab6-138d-434c541c934a@digikod.net/ # v1 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
addf4663 |
| 12-Jul-2021 |
Mickaël Salaün <mic@linux.microsoft.com> |
certs: Check that builtin blacklist hashes are valid
Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will ef
certs: Check that builtin blacklist hashes are valid
Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will effectively be taken into account as blacklisted hashes. This is useful to debug invalid hash formats, and it make sure that previous hashes which could have been loaded in the kernel, but silently ignored, are now noticed and deal with by the user at kernel build time.
This also prevent stricter blacklist key description checking (provided by following commits) to failed for builtin hashes.
Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of a hash string and how to generate certificate ones.
Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
show more ...
|
#
d5ea4fec |
| 01-Apr-2022 |
Chun-Tse Shao <ctshao@google.com> |
kbuild: Allow kernel installation packaging to override pkg-config
Add HOSTPKG_CONFIG to allow tooling that builds the kernel to override what pkg-config and parameters are used.
Signed-off-by: Chu
kbuild: Allow kernel installation packaging to override pkg-config
Add HOSTPKG_CONFIG to allow tooling that builds the kernel to override what pkg-config and parameters are used.
Signed-off-by: Chun-Tse Shao <ctshao@google.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
f44b645f |
| 18-Feb-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: simplify empty certs creation in certs/Makefile
To create an empty cert file, we need to pass "" to the extract-cert tool, which is common for all the three call-sites of cmd_extract_certs.
certs: simplify empty certs creation in certs/Makefile
To create an empty cert file, we need to pass "" to the extract-cert tool, which is common for all the three call-sites of cmd_extract_certs.
Factor out the logic into extract-cert-in.
One exceptional case is PKCS#11 case, where we override extract-cert-in with the URI.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
show more ...
|
#
6ce019f7 |
| 18-Feb-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: include certs/signing_key.x509 unconditionally
I do not see much sense in the #if conditional in system_certificates.S; even if the condition is true, there exists no signing key when CONFIG_
certs: include certs/signing_key.x509 unconditionally
I do not see much sense in the #if conditional in system_certificates.S; even if the condition is true, there exists no signing key when CONFIG_MODULE_SIG_KEY="".
So, certs/Makefile generates empty certs/signing_key.x509 in such a case. We can always do this, irrespective of CONFIG_MODULE_SIG or (CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).
We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile will become much simpler.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
e6340b65 |
| 20-Jan-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: Fix build error when CONFIG_MODULE_SIG_KEY is empty
Since b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"), when CONFIG_MODULE_SIG_KEY is empty, signing_
certs: Fix build error when CONFIG_MODULE_SIG_KEY is empty
Since b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"), when CONFIG_MODULE_SIG_KEY is empty, signing_key.x509 fails to build:
CERT certs/signing_key.x509 Usage: extract-cert <source> <dest> make[1]: *** [certs/Makefile:78: certs/signing_key.x509] Error 2 make: *** [Makefile:1831: certs] Error 2
Pass "" to the first argument of extract-cert to fix the build error.
Link: https://lore.kernel.org/linux-kbuild/20220120094606.2skuyb26yjlnu66q@lion.mk-sys.cz/T/#u Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro") Reported-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Tested-by: Michal Kubecek <mkubecek@suse.cz>
show more ...
|
#
ad29a2fb |
| 20-Jan-2022 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: Fix build error when CONFIG_MODULE_SIG_KEY is PKCS#11 URI
When CONFIG_MODULE_SIG_KEY is PKCS#11 URL (pkcs11:*), signing_key.x509 fails to build:
certs/Makefile:77: *** target pattern conta
certs: Fix build error when CONFIG_MODULE_SIG_KEY is PKCS#11 URI
When CONFIG_MODULE_SIG_KEY is PKCS#11 URL (pkcs11:*), signing_key.x509 fails to build:
certs/Makefile:77: *** target pattern contains no '%'. Stop.
Due to the typo, $(X509_DEP) contains a colon.
Fix it.
Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
340a0253 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: move scripts/extract-cert to certs/
extract-cert is only used in certs/Makefile.
Move it there and build extract-cert on demand.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
|
#
129ab0d2 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
kbuild: do not quote string values in include/config/auto.conf
The previous commit fixed up all shell scripts to not include include/config/auto.conf.
Now that include/config/auto.conf is only incl
kbuild: do not quote string values in include/config/auto.conf
The previous commit fixed up all shell scripts to not include include/config/auto.conf.
Now that include/config/auto.conf is only included by Makefiles, we can change it into a more Make-friendly form.
Previously, Kconfig output string values enclosed with double-quotes (both in the .config and include/config/auto.conf):
CONFIG_X="foo bar"
Unlike shell, Make handles double-quotes (and single-quotes as well) verbatim. We must rip them off when used.
There are some patterns:
[1] $(patsubst "%",%,$(CONFIG_X)) [2] $(CONFIG_X:"%"=%) [3] $(subst ",,$(CONFIG_X)) [4] $(shell echo $(CONFIG_X))
These are not only ugly, but also fragile.
[1] and [2] do not work if the value contains spaces, like CONFIG_X=" foo bar "
[3] does not work correctly if the value contains double-quotes like CONFIG_X="foo\"bar"
[4] seems to work better, but has a cost of forking a process.
Anyway, quoted strings were always PITA for our Makefiles.
This commit changes Kconfig to stop quoting in include/config/auto.conf.
These are the string type symbols referenced in Makefiles or scripts:
ACPI_CUSTOM_DSDT_FILE ARC_BUILTIN_DTB_NAME ARC_TUNE_MCPU BUILTIN_DTB_SOURCE CC_IMPLICIT_FALLTHROUGH CC_VERSION_TEXT CFG80211_EXTRA_REGDB_KEYDIR EXTRA_FIRMWARE EXTRA_FIRMWARE_DIR EXTRA_TARGETS H8300_BUILTIN_DTB INITRAMFS_SOURCE LOCALVERSION MODULE_SIG_HASH MODULE_SIG_KEY NDS32_BUILTIN_DTB NIOS2_DTB_SOURCE OPENRISC_BUILTIN_DTB SOC_CANAAN_K210_DTB_SOURCE SYSTEM_BLACKLIST_HASH_LIST SYSTEM_REVOCATION_KEYS SYSTEM_TRUSTED_KEYS TARGET_CPU UNUSED_KSYMS_WHITELIST XILINX_MICROBLAZE0_FAMILY XILINX_MICROBLAZE0_HW_VER XTENSA_VARIANT_NAME
I checked them one by one, and fixed up the code where necessary.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
b8c96a6b |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: simplify $(srctree)/ handling and remove config_filename macro
The complex macro, config_filename, was introduced to do:
[1] drop double-quotes from the string value [2] add $(srctree)/ pr
certs: simplify $(srctree)/ handling and remove config_filename macro
The complex macro, config_filename, was introduced to do:
[1] drop double-quotes from the string value [2] add $(srctree)/ prefix in case the file is not found in $(objtree) [3] escape spaces and more
[1] will be more generally handled by Kconfig later.
As for [2], Kbuild uses VPATH to search for files in $(objtree), $(srctree) in this order. GNU Make can natively handle it.
As for [3], converting $(space) to $(space_escape) back and forth looks questionable to me. It is well-known that GNU Make cannot handle file paths with spaces in the first place.
Instead of using the complex macro, use $< so it will be expanded to the file path of the key.
Remove config_filename, finally.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
5410f3e8 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: remove misleading comments about GCC PR
This dependency is necessary irrespective of the mentioned GCC PR because the embedded certificates are build artifacts and must be generated by extrac
certs: remove misleading comments about GCC PR
This dependency is necessary irrespective of the mentioned GCC PR because the embedded certificates are build artifacts and must be generated by extract_certs before *.S files are compiled.
The comment sounds like we are hoping to remove these dependencies someday. No, we cannot remove them.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
5cca3606 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: refactor file cleaning
'make clean' removes files listed in 'targets'. It is redundant to specify both 'targets' and 'clean-files'.
Move 'targets' assignments out of the ifeq-conditionals so
certs: refactor file cleaning
'make clean' removes files listed in 'targets'. It is redundant to specify both 'targets' and 'clean-files'.
Move 'targets' assignments out of the ifeq-conditionals so scripts/Makefile.clean can see them.
One effective change is that certs/certs/signing_key.x509 is now deleted by 'make clean' instead of 'make mrproper. This certificate is embedded in the kernel. It is not used in any way by external module builds.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
show more ...
|
#
3958f215 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: remove unneeded -I$(srctree) option for system_certificates.o
The .incbin directive in certs/system_certificates.S includes certs/signing_key.x509 and certs/x509_certificate_list, both of whi
certs: remove unneeded -I$(srctree) option for system_certificates.o
The .incbin directive in certs/system_certificates.S includes certs/signing_key.x509 and certs/x509_certificate_list, both of which are generated by extract_certs, i.e. exist in $(objtree).
This option -I$(srctree) is unneeded.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
1c4bd9f7 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: unify duplicated cmd_extract_certs and improve the log
cmd_extract_certs is defined twice. Unify them.
The current log shows the input file $(2), which might be empty. You cannot know what i
certs: unify duplicated cmd_extract_certs and improve the log
cmd_extract_certs is defined twice. Unify them.
The current log shows the input file $(2), which might be empty. You cannot know what is being created from the log, "EXTRACT_CERTS".
Change the log to show the output file with better alignment.
[Before]
EXTRACT_CERTS certs/signing_key.pem CC certs/system_keyring.o EXTRACT_CERTS AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o EXTRACT_CERTS AS certs/revocation_certificates.o
[After]
CERT certs/signing_key.x509 CC certs/system_keyring.o CERT certs/x509_certificate_list AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o CERT certs/x509_revocation_list AS certs/revocation_certificates.o
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
show more ...
|
#
c537e4d0 |
| 14-Dec-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: use $< and $@ to simplify the key generation rule
Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier
certs: use $< and $@ to simplify the key generation rule
Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
show more ...
|
#
e06a61a8 |
| 05-Nov-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: use if_changed to re-generate the key when the key type is changed
If the key type of the existing signing key does not match to CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that
certs: use if_changed to re-generate the key when the key type is changed
If the key type of the existing signing key does not match to CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is re-generated.
Use if_changed so that the key is re-generated when the key type is changed (that is, the openssl command line is changed).
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
54c8b517 |
| 05-Nov-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: use 'cmd' to hide openssl output in silent builds more simply
Commit 5d06ee20b662 ("modsign: hide openssl output in silent builds") silenced the key generation log from openssl in silent buil
certs: use 'cmd' to hide openssl output in silent builds more simply
Commit 5d06ee20b662 ("modsign: hide openssl output in silent builds") silenced the key generation log from openssl in silent builds.
Since commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build"), the 'cmd' macro can handle it in a cleaner way.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
f8487d28 |
| 05-Nov-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: remove noisy messages while generating the signing key
When you run Kbuild with the parallel option -j, the messages from this rule and others are interleaved, like follows:
### CC
certs: remove noisy messages while generating the signing key
When you run Kbuild with the parallel option -j, the messages from this rule and others are interleaved, like follows:
### CC arch/x86/mm/pat/set_memory.o ### Now generating an X.509 key pair to be used for signing modules. ### ### If this takes a long time, you might wish to run rngd in the ### background to keep the supply of entropy topped up. It CC arch/x86/events/intel/bts.o HDRTEST usr/include/linux/qnx4_fs.h CC arch/x86/events/zhaoxin/core.o ### needs to be run as root, and uses a hardware random ### number generator if one is available. AR init/built-in.a ###
On modern machines, it does not take a long time to generate the key.
Remove the ugly log messages.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
f3a2ba44 |
| 05-Nov-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: check-in the default x509 config file
When x509.genkey is created, it prints a log:
Generating X.509 key generation config
..., which is not the ordinary Kbuild log style.
Check-in the d
certs: check-in the default x509 config file
When x509.genkey is created, it prints a log:
Generating X.509 key generation config
..., which is not the ordinary Kbuild log style.
Check-in the default config as certs/default_x509.genkey to make it readable, and copy it to certs/x509.genkey if it is not present.
The log is shown in the Kbuild style.
COPY certs/x509.genkey
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|
#
54e2c77d |
| 05-Nov-2021 |
Masahiro Yamada <masahiroy@kernel.org> |
certs: remove meaningless $(error ...) in certs/Makefile
CONFIG_MODULE_SIG_HASH is defined by init/Kconfig. This $(error ...) is never reachable. (If it is, you need to fix the bug.)
Signed-off-by:
certs: remove meaningless $(error ...) in certs/Makefile
CONFIG_MODULE_SIG_HASH is defined by init/Kconfig. This $(error ...) is never reachable. (If it is, you need to fix the bug.)
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
show more ...
|