mirror of
https://github.com/torvalds/linux.git
synced 2024-11-26 06:02:05 +00:00
22e46f6480
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*), signing of modules
fails:
scripts/sign-file sha256 /.../linux/pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 /.../kernel/crypto/tcrypt.ko
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
First, we need to avoid adding the $(srctree)/ prefix to the URL.
Second, since the kconfig string values no longer include quotes, we need to add
them again when passing a PKCS#11 URI to sign-file. This avoids
splitting by the shell if the URI contains semicolons.
Fixes: 4db9c2e3d0 ("kbuild: stop using config_filename in scripts/Makefile.modsign")
Fixes: 129ab0d2d9 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
119 lines
2.6 KiB
Makefile
119 lines
2.6 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
# ==========================================================================
|
|
# Installing modules
|
|
# ==========================================================================
|
|
|
|
PHONY := __modinst
|
|
__modinst:
|
|
|
|
include include/config/auto.conf
|
|
include $(srctree)/scripts/Kbuild.include
|
|
|
|
modules := $(call read-file, $(MODORDER))
|
|
|
|
ifeq ($(KBUILD_EXTMOD),)
|
|
dst := $(MODLIB)/kernel
|
|
else
|
|
INSTALL_MOD_DIR ?= extra
|
|
dst := $(MODLIB)/$(INSTALL_MOD_DIR)
|
|
endif
|
|
|
|
$(foreach x, % :, $(if $(findstring $x, $(dst)), \
|
|
$(error module installation path cannot contain '$x')))
|
|
|
|
suffix-y :=
|
|
suffix-$(CONFIG_MODULE_COMPRESS_GZIP) := .gz
|
|
suffix-$(CONFIG_MODULE_COMPRESS_XZ) := .xz
|
|
suffix-$(CONFIG_MODULE_COMPRESS_ZSTD) := .zst
|
|
|
|
modules := $(patsubst $(extmod_prefix)%.o, $(dst)/%.ko$(suffix-y), $(modules))
|
|
|
|
__modinst: $(modules)
|
|
@:
|
|
|
|
#
|
|
# Installation
|
|
#
|
|
quiet_cmd_install = INSTALL $@
|
|
cmd_install = mkdir -p $(dir $@); cp $< $@
|
|
|
|
# Strip
|
|
#
|
|
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
|
|
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
|
|
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be used
|
|
# as the options to the strip command.
|
|
ifdef INSTALL_MOD_STRIP
|
|
|
|
ifeq ($(INSTALL_MOD_STRIP),1)
|
|
strip-option := --strip-debug
|
|
else
|
|
strip-option := $(INSTALL_MOD_STRIP)
|
|
endif
|
|
|
|
quiet_cmd_strip = STRIP $@
|
|
cmd_strip = $(STRIP) $(strip-option) $@
|
|
|
|
else
|
|
|
|
quiet_cmd_strip =
|
|
cmd_strip = :
|
|
|
|
endif
|
|
|
|
#
|
|
# Signing
|
|
# Don't stop modules_install even if we can't sign external modules.
|
|
#
|
|
ifeq ($(CONFIG_MODULE_SIG_ALL),y)
|
|
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
|
|
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
|
|
else
|
|
sig-key := $(CONFIG_MODULE_SIG_KEY)
|
|
endif
|
|
quiet_cmd_sign = SIGN $@
|
|
cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
|
|
$(if $(KBUILD_EXTMOD),|| true)
|
|
else
|
|
quiet_cmd_sign :=
|
|
cmd_sign := :
|
|
endif
|
|
|
|
ifeq ($(modules_sign_only),)
|
|
|
|
$(dst)/%.ko: $(extmod_prefix)%.ko FORCE
|
|
$(call cmd,install)
|
|
$(call cmd,strip)
|
|
$(call cmd,sign)
|
|
|
|
else
|
|
|
|
$(dst)/%.ko: FORCE
|
|
$(call cmd,sign)
|
|
|
|
endif
|
|
|
|
#
|
|
# Compression
|
|
#
|
|
quiet_cmd_gzip = GZIP $@
|
|
cmd_gzip = $(KGZIP) -n -f $<
|
|
quiet_cmd_xz = XZ $@
|
|
cmd_xz = $(XZ) --lzma2=dict=2MiB -f $<
|
|
quiet_cmd_zstd = ZSTD $@
|
|
cmd_zstd = $(ZSTD) -T0 --rm -f -q $<
|
|
|
|
$(dst)/%.ko.gz: $(dst)/%.ko FORCE
|
|
$(call cmd,gzip)
|
|
|
|
$(dst)/%.ko.xz: $(dst)/%.ko FORCE
|
|
$(call cmd,xz)
|
|
|
|
$(dst)/%.ko.zst: $(dst)/%.ko FORCE
|
|
$(call cmd,zstd)
|
|
|
|
PHONY += FORCE
|
|
FORCE:
|
|
|
|
.PHONY: $(PHONY)
|