diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-03-31 11:59:03 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-03-31 11:59:03 -0700 |
| commit | b8321ed4a40c02054f930ca59d3570caa27bc86c (patch) | |
| tree | 954fe1cab675a18e369505394c88f971d9dbea3c /certs | |
| parent | f87cbd0565eb7e2fa15296c74210658db1346431 (diff) | |
| parent | e9c281928c24dfeb86b11c31b53757b6a127f8aa (diff) | |
| download | linux-b8321ed4a40c02054f930ca59d3570caa27bc86c.tar.gz | |
Merge tag 'kbuild-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
Pull Kbuild updates from Masahiro Yamada: - Add new environment variables, USERCFLAGS and USERLDFLAGS to allow additional flags to be passed to user-space programs. - Fix missing fflush() bugs in Kconfig and fixdep - Fix a minor bug in the comment format of the .config file - Make kallsyms ignore llvm's local labels, .L* - Fix UAPI compile-test for cross-compiling with Clang - Extend the LLVM= syntax to support LLVM=<suffix> form for using a particular version of LLVm, and LLVM=<prefix> form for using custom LLVM in a particular directory path. - Clean up Makefiles * tag 'kbuild-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: Make $(LLVM) more flexible kbuild: add --target to correctly cross-compile UAPI headers with Clang fixdep: use fflush() and ferror() to ensure successful write to files arch: syscalls: simplify uapi/kapi directory creation usr/include: replace extra-y with always-y certs: simplify empty certs creation in certs/Makefile certs: include certs/signing_key.x509 unconditionally kallsyms: ignore all local labels prefixed by '.L' kconfig: fix missing '# end of' for empty menu kconfig: add fflush() before ferror() check kbuild: replace $(if A,A,B) with $(or A,B) kbuild: Add environment variables for userprogs flags kbuild: unify cmd_copy and cmd_shipped
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/Makefile | 37 | ||||
| -rw-r--r-- | certs/system_certificates.S | 3 |
2 files changed, 11 insertions, 29 deletions
diff --git a/certs/Makefile b/certs/Makefile index 3ea7fe60823f..d8443cfb1c40 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -13,34 +13,20 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif quiet_cmd_extract_certs = CERT $@ - cmd_extract_certs = $(obj)/extract-cert $(2) $@ + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_certificate_list -ifeq ($(CONFIG_MODULE_SIG),y) - SIGN_KEY = y -endif - -ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) -ifeq ($(CONFIG_MODULES),y) - SIGN_KEY = y -endif -endif - -ifdef SIGN_KEY -############################################################################### -# # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not # fail and that the kernel may be used afterwards. # -############################################################################### - # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. @@ -67,23 +53,22 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),) -X509_DEP := $(CONFIG_MODULE_SIG_KEY) -endif - $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) -endif # CONFIG_MODULE_SIG +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) +ifdef PKCS11_URI +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) +endif + +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE + $(call if_changed,extract_certs) targets += signing_key.x509 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_revocation_list diff --git a/certs/system_certificates.S b/certs/system_certificates.S index e1645e6f4d97..003e25d4a17e 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -9,10 +9,7 @@ system_certificate_list: __cert_list_start: __module_cert_start: -#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ - && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" -#endif __module_cert_end: .incbin "certs/x509_certificate_list" __cert_list_end: |