diff options
| author | David Howells <dhowells@redhat.com> | 2013-08-30 11:07:13 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2013-09-25 12:17:01 -0400 |
| commit | f0e6d220a7cd93afa0260ac5e7849f00b05e035a (patch) | |
| tree | dd9331cf8606bf6068261e1f02d67a26d1ba76f9 | |
| parent | 124df926090b32a998483f6e43ebeccdbe5b5302 (diff) | |
KEYS: Load *.x509 files into kernel keyring
Load all the files matching the pattern "*.x509" that are to be found in kernel
base source dir and base build dir into the module signing keyring.
The "extra_certificates" file is then redundant.
Signed-off-by: David Howells <dhowells@redhat.com>
| -rw-r--r-- | kernel/Makefile | 35 | ||||
| -rw-r--r-- | kernel/modsign_certificate.S | 3 |
2 files changed, 30 insertions, 8 deletions
diff --git a/kernel/Makefile b/kernel/Makefile index 1ce47553fb02..c34e5f993a21 100644 --- a/kernel/Makefile +++ b/kernel/Makefile | |||
| @@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE | |||
| 142 | $(call if_changed,bc) | 142 | $(call if_changed,bc) |
| 143 | 143 | ||
| 144 | ifeq ($(CONFIG_MODULE_SIG),y) | 144 | ifeq ($(CONFIG_MODULE_SIG),y) |
| 145 | ############################################################################### | ||
| 145 | # | 146 | # |
| 146 | # Pull the signing certificate and any extra certificates into the kernel | 147 | # Roll all the X.509 certificates that we can find together and pull |
| 148 | # them into the kernel. | ||
| 147 | # | 149 | # |
| 150 | ############################################################################### | ||
| 151 | X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509) | ||
| 152 | X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 | ||
| 153 | X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) | ||
| 154 | |||
| 155 | ifeq ($(X509_CERTIFICATES),) | ||
| 156 | $(warning *** No X.509 certificates found ***) | ||
| 157 | endif | ||
| 158 | |||
| 159 | ifneq ($(wildcard $(obj)/.x509.list),) | ||
| 160 | ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES)) | ||
| 161 | $(info X.509 certificate list changed) | ||
| 162 | $(shell rm $(obj)/.x509.list) | ||
| 163 | endif | ||
| 164 | endif | ||
| 165 | |||
| 166 | kernel/modsign_certificate.o: $(obj)/x509_certificate_list | ||
| 148 | 167 | ||
| 149 | quiet_cmd_touch = TOUCH $@ | 168 | quiet_cmd_x509certs = CERTS $@ |
| 150 | cmd_touch = touch $@ | 169 | cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ |
| 170 | targets += $(obj)/x509_certificate_list | ||
| 171 | $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list | ||
| 172 | $(call if_changed,x509certs) | ||
| 151 | 173 | ||
| 152 | extra_certificates: | 174 | targets += $(obj)/.x509.list |
| 153 | $(call cmd,touch) | 175 | $(obj)/.x509.list: |
| 176 | @echo $(X509_CERTIFICATES) >$@ | ||
| 154 | 177 | ||
| 155 | kernel/modsign_certificate.o: signing_key.x509 extra_certificates | 178 | clean-files := x509_certificate_list .x509.list |
| 156 | 179 | ||
| 157 | ############################################################################### | 180 | ############################################################################### |
| 158 | # | 181 | # |
diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S index 4a9a86d12c8b..6fe03c7ffe72 100644 --- a/kernel/modsign_certificate.S +++ b/kernel/modsign_certificate.S | |||
| @@ -7,6 +7,5 @@ | |||
| 7 | .section ".init.data","aw" | 7 | .section ".init.data","aw" |
| 8 | 8 | ||
| 9 | GLOBAL(modsign_certificate_list) | 9 | GLOBAL(modsign_certificate_list) |
| 10 | .incbin "signing_key.x509" | 10 | .incbin "kernel/x509_certificate_list" |
| 11 | .incbin "extra_certificates" | ||
| 12 | GLOBAL(modsign_certificate_list_end) | 11 | GLOBAL(modsign_certificate_list_end) |