diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-03-31 11:59:03 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-03-31 11:59:03 -0700 |
| commit | b8321ed4a40c02054f930ca59d3570caa27bc86c (patch) | |
| tree | 954fe1cab675a18e369505394c88f971d9dbea3c /certs | |
| parent | f87cbd0565eb7e2fa15296c74210658db1346431 (diff) | |
| parent | e9c281928c24dfeb86b11c31b53757b6a127f8aa (diff) | |
Merge tag 'kbuild-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
Pull Kbuild updates from Masahiro Yamada:
- Add new environment variables, USERCFLAGS and USERLDFLAGS to allow
additional flags to be passed to user-space programs.
- Fix missing fflush() bugs in Kconfig and fixdep
- Fix a minor bug in the comment format of the .config file
- Make kallsyms ignore llvm's local labels, .L*
- Fix UAPI compile-test for cross-compiling with Clang
- Extend the LLVM= syntax to support LLVM=<suffix> form for using a
particular version of LLVm, and LLVM=<prefix> form for using custom
LLVM in a particular directory path.
- Clean up Makefiles
* tag 'kbuild-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
kbuild: Make $(LLVM) more flexible
kbuild: add --target to correctly cross-compile UAPI headers with Clang
fixdep: use fflush() and ferror() to ensure successful write to files
arch: syscalls: simplify uapi/kapi directory creation
usr/include: replace extra-y with always-y
certs: simplify empty certs creation in certs/Makefile
certs: include certs/signing_key.x509 unconditionally
kallsyms: ignore all local labels prefixed by '.L'
kconfig: fix missing '# end of' for empty menu
kconfig: add fflush() before ferror() check
kbuild: replace $(if A,A,B) with $(or A,B)
kbuild: Add environment variables for userprogs flags
kbuild: unify cmd_copy and cmd_shipped
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/Makefile | 37 | ||||
| -rw-r--r-- | certs/system_certificates.S | 3 |
2 files changed, 11 insertions, 29 deletions
diff --git a/certs/Makefile b/certs/Makefile index 3ea7fe60823f..d8443cfb1c40 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -13,34 +13,20 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif quiet_cmd_extract_certs = CERT $@ - cmd_extract_certs = $(obj)/extract-cert $(2) $@ + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_certificate_list -ifeq ($(CONFIG_MODULE_SIG),y) - SIGN_KEY = y -endif - -ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) -ifeq ($(CONFIG_MODULES),y) - SIGN_KEY = y -endif -endif - -ifdef SIGN_KEY -############################################################################### -# # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not # fail and that the kernel may be used afterwards. # -############################################################################### - # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. @@ -67,23 +53,22 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),) -X509_DEP := $(CONFIG_MODULE_SIG_KEY) -endif - $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) -endif # CONFIG_MODULE_SIG +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) +ifdef PKCS11_URI +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) +endif + +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE + $(call if_changed,extract_certs) targets += signing_key.x509 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_revocation_list diff --git a/certs/system_certificates.S b/certs/system_certificates.S index e1645e6f4d97..003e25d4a17e 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -9,10 +9,7 @@ system_certificate_list: __cert_list_start: __module_cert_start: -#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ - && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" -#endif __module_cert_end: .incbin "certs/x509_certificate_list" __cert_list_end: |