From c537e4d04eb75274bf03e6a2a8d6ece25d9d16f6 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:45 +0900 Subject: [PATCH 1/7] certs: use $< and $@ to simplify the key generation rule Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- certs/Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index a702b70f3cb9..aba9e782f940 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -60,9 +60,8 @@ keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_c quiet_cmd_gen_key = GENKEY $@ cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config $(obj)/x509.genkey \ - -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem $(keytype-y) 2>&1 + -batch -x509 -config $< \ + -outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1 $(obj)/signing_key.pem: $(obj)/x509.genkey FORCE $(call if_changed,gen_key) From 1c4bd9f77a1c1b8502ca929fdbe2ef45bfebd09a Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:46 +0900 Subject: [PATCH 2/7] certs: unify duplicated cmd_extract_certs and improve the log cmd_extract_certs is defined twice. Unify them. The current log shows the input file $(2), which might be empty. You cannot know what is being created from the log, "EXTRACT_CERTS". Change the log to show the output file with better alignment. [Before] EXTRACT_CERTS certs/signing_key.pem CC certs/system_keyring.o EXTRACT_CERTS AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o EXTRACT_CERTS AS certs/revocation_certificates.o [After] CERT certs/signing_key.x509 CC certs/system_keyring.o CERT certs/x509_certificate_list AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o CERT certs/x509_revocation_list AS certs/revocation_certificates.o Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- certs/Makefile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index aba9e782f940..bdddcd21cbb3 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -12,6 +12,9 @@ else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif +quiet_cmd_extract_certs = CERT $@ + cmd_extract_certs = scripts/extract-cert $(2) $@ + ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) @@ -22,9 +25,6 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list # Cope with signing_key.x509 existing in $(srctree) not $(objtree) AFLAGS_system_certificates.o := -I$(srctree) -quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) - cmd_extract_certs = scripts/extract-cert $(2) $@ - targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) @@ -98,9 +98,6 @@ $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) - cmd_extract_certs = scripts/extract-cert $(2) $@ - targets += x509_revocation_list $(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) From 3958f2156b418c9dce0a4402a59d95b122a92a04 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:47 +0900 Subject: [PATCH 3/7] certs: remove unneeded -I$(srctree) option for system_certificates.o The .incbin directive in certs/system_certificates.S includes certs/signing_key.x509 and certs/x509_certificate_list, both of which are generated by extract_certs, i.e. exist in $(objtree). This option -I$(srctree) is unneeded. Signed-off-by: Masahiro Yamada --- certs/Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index bdddcd21cbb3..d1e0dad038ca 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,9 +22,6 @@ $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list -# Cope with signing_key.x509 existing in $(srctree) not $(objtree) -AFLAGS_system_certificates.o := -I$(srctree) - targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) From 5cca36069d4c2942a46f98f47b9e7160fd547e03 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:48 +0900 Subject: [PATCH 4/7] certs: refactor file cleaning 'make clean' removes files listed in 'targets'. It is redundant to specify both 'targets' and 'clean-files'. Move 'targets' assignments out of the ifeq-conditionals so scripts/Makefile.clean can see them. One effective change is that certs/certs/signing_key.x509 is now deleted by 'make clean' instead of 'make mrproper. This certificate is embedded in the kernel. It is not used in any way by external module builds. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- Makefile | 2 +- certs/Makefile | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 8d58f65e226b..f1e3bb73bb74 100644 --- a/Makefile +++ b/Makefile @@ -1494,7 +1494,7 @@ MRPROPER_FILES += include/config include/generated \ debian snap tar-install \ .config .config.old .version \ Module.symvers \ - certs/signing_key.pem certs/signing_key.x509 \ + certs/signing_key.pem \ certs/x509.genkey \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index d1e0dad038ca..bb1763150547 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,12 +22,11 @@ $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list -targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list x509_revocation_list +targets += x509_certificate_list ifeq ($(CONFIG_MODULE_SIG),y) SIGN_KEY = y @@ -84,18 +83,20 @@ endif # GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 -targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG +targets += signing_key.x509 + ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -targets += x509_revocation_list $(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) endif + +targets += x509_revocation_list From 5410f3e810f64366ada353efa5e7559be040fb71 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:49 +0900 Subject: [PATCH 5/7] certs: remove misleading comments about GCC PR This dependency is necessary irrespective of the mentioned GCC PR because the embedded certificates are build artifacts and must be generated by extract_certs before *.S files are compiled. The comment sounds like we are hoping to remove these dependencies someday. No, we cannot remove them. Signed-off-by: Masahiro Yamada --- certs/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index bb1763150547..c3c8da03b04b 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -19,7 +19,6 @@ ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) -# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE @@ -80,7 +79,6 @@ ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif -# GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE From 4db9c2e3d055cc11e64b5c9bbaa70b5a552adf0f Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:50 +0900 Subject: [PATCH 6/7] kbuild: stop using config_filename in scripts/Makefile.modsign Toward the goal of removing the config_filename macro, drop the double-quotes and add $(srctree)/ prefix in an ad hoc way. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- scripts/Makefile.modinst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index ff9b09e4cfca..df7e3d578ef5 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -66,9 +66,10 @@ endif # Don't stop modules_install even if we can't sign external modules. # ifeq ($(CONFIG_MODULE_SIG_ALL),y) +CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) +sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY) quiet_cmd_sign = SIGN $@ -$(eval $(call config_filename,MODULE_SIG_KEY)) - cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 $@ \ + cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \ $(if $(KBUILD_EXTMOD),|| true) else quiet_cmd_sign := From b8c96a6b466ca3b91530a4ec7f7404f40f8f4d0b Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:51 +0900 Subject: [PATCH 7/7] certs: simplify $(srctree)/ handling and remove config_filename macro The complex macro, config_filename, was introduced to do: [1] drop double-quotes from the string value [2] add $(srctree)/ prefix in case the file is not found in $(objtree) [3] escape spaces and more [1] will be more generally handled by Kconfig later. As for [2], Kbuild uses VPATH to search for files in $(objtree), $(srctree) in this order. GNU Make can natively handle it. As for [3], converting $(space) to $(space_escape) back and forth looks questionable to me. It is well-known that GNU Make cannot handle file paths with spaces in the first place. Instead of using the complex macro, use $< so it will be expanded to the file path of the key. Remove config_filename, finally. Signed-off-by: Masahiro Yamada --- certs/Makefile | 32 ++++++++++++---------------- scripts/Kbuild.include | 47 ------------------------------------------ 2 files changed, 13 insertions(+), 66 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index c3c8da03b04b..69c1404152ef 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -15,15 +15,12 @@ endif quiet_cmd_extract_certs = CERT $@ cmd_extract_certs = scripts/extract-cert $(2) $@ -ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - -$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) - $(obj)/system_certificates.o: $(obj)/x509_certificate_list -$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE - $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) -endif # CONFIG_SYSTEM_TRUSTED_KEYRING +CONFIG_SYSTEM_TRUSTED_KEYS := $(CONFIG_SYSTEM_TRUSTED_KEYS:"%"=%) + +$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) targets += x509_certificate_list @@ -72,29 +69,26 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -$(eval $(call config_filename,MODULE_SIG_KEY)) +CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it -ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) -X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) +ifneq ($(filter-out pkcs11:%, %(CONFIG_MODULE_SIG_KEY)),) +X509_DEP := $(CONFIG_MODULE_SIG_KEY) endif $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE - $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) +$(obj)/signing_key.x509: $(X509_DEP) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY))) endif # CONFIG_MODULE_SIG targets += signing_key.x509 -ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) - -$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) - $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE - $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) -endif +CONFIG_SYSTEM_REVOCATION_KEYS := $(CONFIG_SYSTEM_REVOCATION_KEYS:"%"=%) + +$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) targets += x509_revocation_list diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include index cdec22088423..3514c2149e9d 100644 --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include @@ -195,53 +195,6 @@ why = \ echo-why = $(call escsq, $(strip $(why))) endif -############################################################################### -# -# When a Kconfig string contains a filename, it is suitable for -# passing to shell commands. It is surrounded by double-quotes, and -# any double-quotes or backslashes within it are escaped by -# backslashes. -# -# This is no use for dependencies or $(wildcard). We need to strip the -# surrounding quotes and the escaping from quotes and backslashes, and -# we *do* need to escape any spaces in the string. So, for example: -# -# Usage: $(eval $(call config_filename,FOO)) -# -# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option, -# transformed as described above to be suitable for use within the -# makefile. -# -# Also, if the filename is a relative filename and exists in the source -# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to -# be prefixed to *both* command invocation and dependencies. -# -# Note: We also print the filenames in the quiet_cmd_foo text, and -# perhaps ought to have a version specially escaped for that purpose. -# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good -# enough. It'll strip the quotes in the common case where there's no -# space and it's a simple filename, and it'll retain the quotes when -# there's a space. There are some esoteric cases in which it'll print -# the wrong thing, but we don't really care. The actual dependencies -# and commands *do* get it right, with various combinations of single -# and double quotes, backslashes and spaces in the filenames. -# -############################################################################### -# -define config_filename -ifneq ($$(CONFIG_$(1)),"") -$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1))))))) -ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME))) -else -ifeq ($$(wildcard $$($(1)_FILENAME)),) -ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),) -$(1)_SRCPREFIX := $(srctree)/ -endif -endif -endif -endif -endef -# ############################################################################### # delete partially updated (i.e. corrupted) files on error