diff mbox series

[2/2] certs: simplify empty certs creation in certs/Makefile

Message ID 20220218044634.169520-2-masahiroy@kernel.org (mailing list archive)
State New
Headers show
Series [1/2] certs: include certs/signing_key.x509 unconditionally | expand

Commit Message

Masahiro Yamada Feb. 18, 2022, 4:46 a.m. UTC
To create an empty cert file, we need to pass "" to the extract-cert
tool, which is common for all the three call-sites of cmd_exract_certs.

Factor out the logic into extract-cert-in.

One exceptional case is PKCS#11 case, where we override extract-cert-in
with the URI.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 certs/Makefile | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

Comments

Nicolas Schier Feb. 22, 2022, 8:12 a.m. UTC | #1
On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote:
> To create an empty cert file, we need to pass "" to the extract-cert
> tool, which is common for all the three call-sites of cmd_exract_certs.

Missing a 't' in 'cmd_exract_certs'.

Reviewed-by: Nicolas Schier <n.schier@avm.de>

> 
> Factor out the logic into extract-cert-in.
> 
> One exceptional case is PKCS#11 case, where we override extract-cert-in
> with the URI.
> 
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
> 
>  certs/Makefile | 21 +++++++++++----------
>  1 file changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/certs/Makefile b/certs/Makefile
> index 68c1d7b9a388..d8443cfb1c40 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
>  endif
>  
>  quiet_cmd_extract_certs  = CERT    $@
> -      cmd_extract_certs  = $(obj)/extract-cert $(2) $@
> +      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
> +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
>  
>  $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>  
>  $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
> -	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
> +	$(call if_changed,extract_certs)
>  
>  targets += x509_certificate_list
>  
> @@ -52,22 +53,22 @@ $(obj)/x509.genkey:
>  
>  endif # CONFIG_MODULE_SIG_KEY
>  
> -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
> -X509_DEP := $(CONFIG_MODULE_SIG_KEY)
> -endif
> -
>  $(obj)/system_certificates.o: $(obj)/signing_key.x509
>  
> -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
> -	$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
> +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> +ifdef PKCS11_URI
> +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> +endif
> +
> +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> +	$(call if_changed,extract_certs)
>  
>  targets += signing_key.x509
>  
>  $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
>  
>  $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
> -	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
> +	$(call if_changed,extract_certs)
>  
>  targets += x509_revocation_list
>  
> -- 
> 2.32.0
>
Masahiro Yamada March 3, 2022, 12:01 a.m. UTC | #2
On Tue, Feb 22, 2022 at 5:12 PM Nicolas Schier <n.schier@avm.de> wrote:
>
> On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote:
> > To create an empty cert file, we need to pass "" to the extract-cert
> > tool, which is common for all the three call-sites of cmd_exract_certs.
>
> Missing a 't' in 'cmd_exract_certs'.
>
> Reviewed-by: Nicolas Schier <n.schier@avm.de>
>

Thanks. Fixed the typo, and applied to linux-kbuild.


--
Best Regards
Masahiro Yamada
diff mbox series

Patch

diff --git a/certs/Makefile b/certs/Makefile
index 68c1d7b9a388..d8443cfb1c40 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -13,12 +13,13 @@  obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
 endif
 
 quiet_cmd_extract_certs  = CERT    $@
-      cmd_extract_certs  = $(obj)/extract-cert $(2) $@
+      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
+extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
 
 $(obj)/system_certificates.o: $(obj)/x509_certificate_list
 
 $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
-	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
+	$(call if_changed,extract_certs)
 
 targets += x509_certificate_list
 
@@ -52,22 +53,22 @@  $(obj)/x509.genkey:
 
 endif # CONFIG_MODULE_SIG_KEY
 
-# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
-ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-X509_DEP := $(CONFIG_MODULE_SIG_KEY)
-endif
-
 $(obj)/system_certificates.o: $(obj)/signing_key.x509
 
-$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
-	$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
+PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
+ifdef PKCS11_URI
+$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
+endif
+
+$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
+	$(call if_changed,extract_certs)
 
 targets += signing_key.x509
 
 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
 
 $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
-	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
+	$(call if_changed,extract_certs)
 
 targets += x509_revocation_list