diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-10-14 16:39:34 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-10-14 16:39:34 -0400 |
| commit | d25282d1c9b9bc4cda7f9d3c0205108e99aa7a9d (patch) | |
| tree | f414482d768b015a609924293b779b4ad0b8f764 /scripts/Makefile.modpost | |
| parent | b6eea87fc6850d3531a64a27d2323a4498cd4e43 (diff) | |
| parent | dbadc17683e6c673a69b236c0f041b931cc55c42 (diff) | |
Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux
Pull module signing support from Rusty Russell:
"module signing is the highlight, but it's an all-over David Howells frenzy..."
Hmm "Magrathea: Glacier signing key". Somebody has been reading too much HHGTTG.
* 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits)
X.509: Fix indefinite length element skip error handling
X.509: Convert some printk calls to pr_devel
asymmetric keys: fix printk format warning
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
MODSIGN: Make mrproper should remove generated files.
MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs
MODSIGN: Use the same digest for the autogen key sig as for the module sig
MODSIGN: Sign modules during the build process
MODSIGN: Provide a script for generating a key ID from an X.509 cert
MODSIGN: Implement module signature checking
MODSIGN: Provide module signing public keys to the kernel
MODSIGN: Automatically generate module signing keys if missing
MODSIGN: Provide Kconfig options
MODSIGN: Provide gitignore and make clean rules for extra files
MODSIGN: Add FIPS policy
module: signature checking hook
X.509: Add a crypto key parser for binary (DER) X.509 certificates
MPILIB: Provide a function to read raw data into an MPI
X.509: Add an ASN.1 decoder
X.509: Add simple ASN.1 grammar compiler
...
Diffstat (limited to 'scripts/Makefile.modpost')
| -rw-r--r-- | scripts/Makefile.modpost | 77 |
1 files changed, 76 insertions, 1 deletions
diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost index a1cb0222ebe6..002089141df4 100644 --- a/scripts/Makefile.modpost +++ b/scripts/Makefile.modpost | |||
| @@ -14,7 +14,8 @@ | |||
| 14 | # 3) create one <module>.mod.c file pr. module | 14 | # 3) create one <module>.mod.c file pr. module |
| 15 | # 4) create one Module.symvers file with CRC for all exported symbols | 15 | # 4) create one Module.symvers file with CRC for all exported symbols |
| 16 | # 5) compile all <module>.mod.c files | 16 | # 5) compile all <module>.mod.c files |
| 17 | # 6) final link of the module to a <module.ko> file | 17 | # 6) final link of the module to a <module.ko> (or <module.unsigned>) file |
| 18 | # 7) signs the modules to a <module.ko> file | ||
| 18 | 19 | ||
| 19 | # Step 3 is used to place certain information in the module's ELF | 20 | # Step 3 is used to place certain information in the module's ELF |
| 20 | # section, including information such as: | 21 | # section, including information such as: |
| @@ -32,6 +33,8 @@ | |||
| 32 | # Step 4 is solely used to allow module versioning in external modules, | 33 | # Step 4 is solely used to allow module versioning in external modules, |
| 33 | # where the CRC of each module is retrieved from the Module.symvers file. | 34 | # where the CRC of each module is retrieved from the Module.symvers file. |
| 34 | 35 | ||
| 36 | # Step 7 is dependent on CONFIG_MODULE_SIG being enabled. | ||
| 37 | |||
| 35 | # KBUILD_MODPOST_WARN can be set to avoid error out in case of undefined | 38 | # KBUILD_MODPOST_WARN can be set to avoid error out in case of undefined |
| 36 | # symbols in the final module linking stage | 39 | # symbols in the final module linking stage |
| 37 | # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules. | 40 | # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules. |
| @@ -116,6 +119,7 @@ $(modules:.ko=.mod.o): %.mod.o: %.mod.c FORCE | |||
| 116 | targets += $(modules:.ko=.mod.o) | 119 | targets += $(modules:.ko=.mod.o) |
| 117 | 120 | ||
| 118 | # Step 6), final link of the modules | 121 | # Step 6), final link of the modules |
| 122 | ifneq ($(CONFIG_MODULE_SIG),y) | ||
| 119 | quiet_cmd_ld_ko_o = LD [M] $@ | 123 | quiet_cmd_ld_ko_o = LD [M] $@ |
| 120 | cmd_ld_ko_o = $(LD) -r $(LDFLAGS) \ | 124 | cmd_ld_ko_o = $(LD) -r $(LDFLAGS) \ |
| 121 | $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \ | 125 | $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \ |
| @@ -125,7 +129,78 @@ $(modules): %.ko :%.o %.mod.o FORCE | |||
| 125 | $(call if_changed,ld_ko_o) | 129 | $(call if_changed,ld_ko_o) |
| 126 | 130 | ||
| 127 | targets += $(modules) | 131 | targets += $(modules) |
| 132 | else | ||
| 133 | quiet_cmd_ld_ko_unsigned_o = LD [M] $@ | ||
| 134 | cmd_ld_ko_unsigned_o = \ | ||
| 135 | $(LD) -r $(LDFLAGS) \ | ||
| 136 | $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \ | ||
| 137 | -o $@ $(filter-out FORCE,$^) \ | ||
| 138 | $(if $(AFTER_LINK),; $(AFTER_LINK)) | ||
| 139 | |||
| 140 | $(modules:.ko=.ko.unsigned): %.ko.unsigned :%.o %.mod.o FORCE | ||
| 141 | $(call if_changed,ld_ko_unsigned_o) | ||
| 142 | |||
| 143 | targets += $(modules:.ko=.ko.unsigned) | ||
| 144 | |||
| 145 | # Step 7), sign the modules | ||
| 146 | MODSECKEY = ./signing_key.priv | ||
| 147 | MODPUBKEY = ./signing_key.x509 | ||
| 148 | |||
| 149 | ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY)) | ||
| 150 | ifeq ($(KBUILD_SRC),) | ||
| 151 | # no O= is being used | ||
| 152 | SCRIPTS_DIR := scripts | ||
| 153 | else | ||
| 154 | SCRIPTS_DIR := $(KBUILD_SRC)/scripts | ||
| 155 | endif | ||
| 156 | SIGN_MODULES := 1 | ||
| 157 | else | ||
| 158 | SIGN_MODULES := 0 | ||
| 159 | endif | ||
| 160 | |||
| 161 | # only sign if it's an in-tree module | ||
| 162 | ifneq ($(KBUILD_EXTMOD),) | ||
| 163 | SIGN_MODULES := 0 | ||
| 164 | endif | ||
| 128 | 165 | ||
| 166 | # We strip the module as best we can - note that using both strip and eu-strip | ||
| 167 | # results in a smaller module than using either alone. | ||
| 168 | EU_STRIP = $(shell which eu-strip || echo true) | ||
| 169 | |||
| 170 | quiet_cmd_sign_ko_stripped_ko_unsigned = STRIP [M] $@ | ||
| 171 | cmd_sign_ko_stripped_ko_unsigned = \ | ||
| 172 | cp $< $@ && \ | ||
| 173 | strip -x -g $@ && \ | ||
| 174 | $(EU_STRIP) $@ | ||
| 175 | |||
| 176 | ifeq ($(SIGN_MODULES),1) | ||
| 177 | |||
| 178 | quiet_cmd_genkeyid = GENKEYID $@ | ||
| 179 | cmd_genkeyid = \ | ||
| 180 | perl $(SCRIPTS_DIR)/x509keyid $< $<.signer $<.keyid | ||
| 181 | |||
| 182 | %.signer %.keyid: % | ||
| 183 | $(call if_changed,genkeyid) | ||
| 184 | |||
| 185 | KEYRING_DEP := $(MODSECKEY) $(MODPUBKEY) $(MODPUBKEY).signer $(MODPUBKEY).keyid | ||
| 186 | quiet_cmd_sign_ko_ko_stripped = SIGN [M] $@ | ||
| 187 | cmd_sign_ko_ko_stripped = \ | ||
| 188 | sh $(SCRIPTS_DIR)/sign-file $(MODSECKEY) $(MODPUBKEY) $< $@ | ||
| 189 | else | ||
| 190 | KEYRING_DEP := | ||
| 191 | quiet_cmd_sign_ko_ko_unsigned = NO SIGN [M] $@ | ||
| 192 | cmd_sign_ko_ko_unsigned = \ | ||
| 193 | cp $< $@ | ||
| 194 | endif | ||
| 195 | |||
| 196 | $(modules): %.ko :%.ko.stripped $(KEYRING_DEP) FORCE | ||
| 197 | $(call if_changed,sign_ko_ko_stripped) | ||
| 198 | |||
| 199 | $(patsubst %.ko,%.ko.stripped,$(modules)): %.ko.stripped :%.ko.unsigned FORCE | ||
| 200 | $(call if_changed,sign_ko_stripped_ko_unsigned) | ||
| 201 | |||
| 202 | targets += $(modules) | ||
| 203 | endif | ||
| 129 | 204 | ||
| 130 | # Add FORCE to the prequisites of a target to force it to be always rebuilt. | 205 | # Add FORCE to the prequisites of a target to force it to be always rebuilt. |
| 131 | # --------------------------------------------------------------------------- | 206 | # --------------------------------------------------------------------------- |