Message ID | 20220311210344.102396-4-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | integrity: support including firmware ".platform" keys at build time | expand |
On 3/11/22 16:03, Nayna Jain wrote: > This reverts commit 340a02535ee785c64c62a9c45706597a0139e972. > > extract-cert is used outside certs/ by INTEGRITY_PLATFORM_KEYRING. Hi Masahiro, Could you review and Ack this patch ? Thanks & Regards, - Nayna > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > MAINTAINERS | 1 + > certs/.gitignore | 1 - > certs/Makefile | 13 ++++--------- > scripts/.gitignore | 1 + > scripts/Makefile | 11 +++++++++-- > {certs => scripts}/extract-cert.c | 2 +- > scripts/remove-stale-files | 2 -- > 7 files changed, 16 insertions(+), 15 deletions(-) > rename {certs => scripts}/extract-cert.c (98%) > > diff --git a/MAINTAINERS b/MAINTAINERS > index 05fd080b82f3..cf4cd22ca3a0 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -4471,6 +4471,7 @@ L: keyrings@vger.kernel.org > S: Maintained > F: Documentation/admin-guide/module-signing.rst > F: certs/ > +F: scripts/extract-cert.c > F: scripts/sign-file.c > > CFAG12864B LCD DRIVER > diff --git a/certs/.gitignore b/certs/.gitignore > index 9e42fe3e02f5..8c3763f80be3 100644 > --- a/certs/.gitignore > +++ b/certs/.gitignore > @@ -1,4 +1,3 @@ > # SPDX-License-Identifier: GPL-2.0-only > -/extract-cert > /x509_certificate_list > /x509_revocation_list > diff --git a/certs/Makefile b/certs/Makefile > index b92b6ff339d5..a4a6f6a78904 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -14,11 +14,11 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > endif > > quiet_cmd_extract_certs = CERT $@ > - cmd_extract_certs = $(obj)/extract-cert $(2) $@ > + cmd_extract_certs = scripts/extract-cert $(2) $@ > > $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > -$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > +$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE > $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) > > targets += x509_certificate_list 
> @@ -75,7 +75,7 @@ endif > > $(obj)/system_certificates.o: $(obj)/signing_key.x509 > > -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE > +$(obj)/signing_key.x509: $(X509_DEP) scripts/extract-cert FORCE > $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) > endif # CONFIG_MODULE_SIG > > @@ -83,12 +83,7 @@ targets += signing_key.x509 > > $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list > > -$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE > +$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE > $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) > > targets += x509_revocation_list > - > -hostprogs := extract-cert > - > -HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null) > -HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) > diff --git a/scripts/.gitignore b/scripts/.gitignore > index eed308bef604..e83c620ef52c 100644 > --- a/scripts/.gitignore > +++ b/scripts/.gitignore > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: GPL-2.0-only > /asn1_compiler > /bin2c > +/extract-cert > /insert-sys-cert > /kallsyms > /module.lds > diff --git a/scripts/Makefile b/scripts/Makefile > index ce5aa9030b74..cedc1f0e21d8 100644 > --- a/scripts/Makefile > +++ b/scripts/Makefile 
> @@ -3,19 +3,26 @@ > # scripts contains sources for various helper programs used throughout > # the kernel for the build process. > > +CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) > +CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null) > + > hostprogs-always-$(CONFIG_BUILD_BIN2C) += bin2c > hostprogs-always-$(CONFIG_KALLSYMS) += kallsyms > hostprogs-always-$(BUILD_C_RECORDMCOUNT) += recordmcount > hostprogs-always-$(CONFIG_BUILDTIME_TABLE_SORT) += sorttable > hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > +hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include > HOSTLDLIBS_sorttable = -lpthread > HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include > -HOSTCFLAGS_sign-file.o = $(shell pkg-config --cflags libcrypto 2> /dev/null) > -HOSTLDLIBS_sign-file = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) > +HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS) > +HOSTLDLIBS_sign-file = $(CRYPTO_LIBS) > +HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS) > +HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS) > > ifdef CONFIG_UNWINDER_ORC > ifeq ($(ARCH),x86_64) > diff --git a/certs/extract-cert.c b/scripts/extract-cert.c > similarity index 98% > rename from certs/extract-cert.c > rename to scripts/extract-cert.c > index f7ef7862f207..3bc48c726c41 100644 > --- a/certs/extract-cert.c > +++ b/scripts/extract-cert.c > @@ -29,7 +29,7 @@ static __attribute__((noreturn)) > void format(void) > { > fprintf(stderr, > - "Usage: extract-cert <source> <dest>\n"); > + "Usage: scripts/extract-cert <source> <dest>\n"); > exit(2); > } > > diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files > index 7adab4618035..80430b8fb617 100755 > --- a/scripts/remove-stale-files 
> +++ b/scripts/remove-stale-files > @@ -39,5 +39,3 @@ if [ -n "${building_out_of_srctree}" ]; then > rm -f arch/parisc/boot/compressed/${f} > done > fi > - > -rm -f scripts/extract-cert
diff --git a/MAINTAINERS b/MAINTAINERS
index 05fd080b82f3..cf4cd22ca3a0 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4471,6 +4471,7 @@ L: keyrings@vger.kernel.org
 S: Maintained
 F: Documentation/admin-guide/module-signing.rst
 F: certs/
+F: scripts/extract-cert.c
 F: scripts/sign-file.c
 CFAG12864B LCD DRIVER
diff --git a/certs/.gitignore b/certs/.gitignore
index 9e42fe3e02f5..8c3763f80be3 100644
--- a/certs/.gitignore
+++ b/certs/.gitignore
@@ -1,4 +1,3 @@
 # SPDX-License-Identifier: GPL-2.0-only
-/extract-cert
 /x509_certificate_list
 /x509_revocation_list
diff --git a/certs/Makefile b/certs/Makefile
index b92b6ff339d5..a4a6f6a78904 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -14,11 +14,11 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
 endif
 quiet_cmd_extract_certs = CERT $@
- cmd_extract_certs = $(obj)/extract-cert $(2) $@
+ cmd_extract_certs = scripts/extract-cert $(2) $@
 $(obj)/system_certificates.o: $(obj)/x509_certificate_list
-$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
+$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE
 $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
 targets += x509_certificate_list
@@ -75,7 +75,7 @@ endif
 $(obj)/system_certificates.o: $(obj)/signing_key.x509
-$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
+$(obj)/signing_key.x509: $(X509_DEP) scripts/extract-cert FORCE
 $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
 endif # CONFIG_MODULE_SIG
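Review bot: `cmd_extract_certs` and the `x509_certificate_list` prerequisite in the `@@ -14,11` hunk of certs/Makefile now name `scripts/extract-cert`, a program this Makefile has no rule for once the `hostprogs := extract-cert` lines are removed in its last hunk; the `signing_key.x509` and `x509_revocation_list` rules change the same way. Whether the tool exists when these rules run therefore depends on scripts/ being built first and on scripts/Makefile enabling it for every configuration that reaches these rules, which the visible lines do not show. Since the outputs are the certificate lists that `system_certificates.o` and `revocation_certificates.o` depend on, I would record that dependency in a comment above `quiet_cmd_extract_certs`, for example `# extract-cert is a host tool built by scripts/Makefile; keep its hostprogs-always conditions in sync with the users here`. The surrounding rules continue outside the hunks.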
@@ -83,12 +83,7 @@ targets += signing_key.x509
 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
-$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
+$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE
 $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
 targets += x509_revocation_list
-
-hostprogs := extract-cert
-
-HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null)
-HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
diff --git a/scripts/.gitignore b/scripts/.gitignore
index eed308bef604..e83c620ef52c 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 /asn1_compiler
 /bin2c
+/extract-cert
 /insert-sys-cert
 /kallsyms
 /module.lds
diff --git a/scripts/Makefile b/scripts/Makefile
index ce5aa9030b74..cedc1f0e21d8 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -3,19 +3,26 @@
 # scripts contains sources for various helper programs used throughout
 # the kernel for the build process.
+CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
+CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null)
+
 hostprogs-always-$(CONFIG_BUILD_BIN2C) += bin2c
 hostprogs-always-$(CONFIG_KALLSYMS) += kallsyms
 hostprogs-always-$(BUILD_C_RECORDMCOUNT) += recordmcount
 hostprogs-always-$(CONFIG_BUILDTIME_TABLE_SORT) += sorttable
 hostprogs-always-$(CONFIG_ASN1) += asn1_compiler
 hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
+hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
 hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
+hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
 HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
 HOSTLDLIBS_sorttable = -lpthread
 HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
-HOSTCFLAGS_sign-file.o = $(shell pkg-config --cflags libcrypto 2> /dev/null)
-HOSTLDLIBS_sign-file = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
+HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS)
+HOSTLDLIBS_sign-file = $(CRYPTO_LIBS)
+HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS)
+HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS)
 ifdef CONFIG_UNWINDER_ORC
 ifeq ($(ARCH),x86_64)
diff --git a/certs/extract-cert.c b/scripts/extract-cert.c
similarity index 98%
rename from certs/extract-cert.c
rename to scripts/extract-cert.c
index f7ef7862f207..3bc48c726c41 100644
--- a/certs/extract-cert.c
+++ b/scripts/extract-cert.c
@@ -29,7 +29,7 @@ static __attribute__((noreturn))
 void format(void)
 {
 fprintf(stderr,
- "Usage: extract-cert <source> <dest>\n");
+ "Usage: scripts/extract-cert <source> <dest>\n");
 exit(2);
 }
diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files
index 7adab4618035..80430b8fb617 100755
--- a/scripts/remove-stale-files
+++ b/scripts/remove-stale-files
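Review bot: The two `hostprogs-always-... += extract-cert` lines in scripts/Makefile build the tool only when `CONFIG_SYSTEM_TRUSTED_KEYRING` or `CONFIG_SYSTEM_REVOCATION_LIST` is set, while the commit message gives `INTEGRITY_PLATFORM_KEYRING` as the reason for the move. If that option can be enabled without either of the other two (not visible here, worth checking in Kconfig), the platform-key rule would name a prerequisite that nothing builds; the patch that adds that user should then also add `hostprogs-always-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += extract-cert`. Separately, `CRYPTO_CFLAGS` and `CRYPTO_LIBS` keep the `2> /dev/null` and the `|| echo -lcrypto` fallback, so a missing or broken pkg-config silently links both `sign-file` and `extract-cert` against whatever libcrypto the host's default search path yields; a one-line comment stating that this fallback is intended would help whoever has to debug a signing-tool build.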
@@ -39,5 +39,3 @@ if [ -n "${building_out_of_srctree}" ]; then
 rm -f arch/parisc/boot/compressed/${f}
 done
 fi
-
-rm -f scripts/extract-cert
This reverts commit 340a02535ee785c64c62a9c45706597a0139e972. extract-cert is used outside certs/ by INTEGRITY_PLATFORM_KEYRING. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- MAINTAINERS | 1 + certs/.gitignore | 1 - certs/Makefile | 13 ++++--------- scripts/.gitignore | 1 + scripts/Makefile | 11 +++++++++-- {certs => scripts}/extract-cert.c | 2 +- scripts/remove-stale-files | 2 -- 7 files changed, 16 insertions(+), 15 deletions(-) rename {certs => scripts}/extract-cert.c (98%)