0273fd423b
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEqG5UsNXhtOCrfGQP+7dXa6fLC2sFAmKx3toACgkQ+7dXa6fL C2sI+Q//cT5eOtYkkEZF8NR53sfjKKyrwNwPVYrYHniaaYnVtiq1ThyEQ9o0ws3f wuvJu30qthm2rCz9zfTtyoqsv0k5ifGfCiR5fGeQEGgHEA4hGiF7XQoagDsVeR7j dk7hF3veca5fUb2ZOG2v/gJ6jo19/afw5A4s4QnLK+74oiCvoIZyV5gM9LlQx/1f U1YJXfdR7TFaIiNcZYVt6v7nWrpJ2fptIRvml+VGC86JXll6oct6dJ7yO2D5zzCm XU0fgRDk4RJ+e1FkketQu2z1m+YjvJQyxrVH2kuXBmzt2Fl5Ds//+8OlPY6/PX2c 8+lkm0yEOMbfEi1Uht9h2Lfdfqx6BLgsi0BkaLWQJWRHjI8SNcNofVKfsl704wAI fOzqUGTFAY4i+kM6koXSBr8bUuT3tTie+OygwlZPMQnSmr0NM5G1YMm7EjBUJVQk TfCh81mEVmaKiQKBWatysxWyS/ZzCaMwFvlcNW1mvpLNIJ3kWcIeiGw54y49JWbW 2mR4cVMGf62KnAmFEmLuXp4wLh6HmXbdKFvPKrPo9lzatFeYFWfw5AVobOp+KpKY lTpvv6Q6WPwk0wQ4QjyLjw7X52Q5qRmh6oWSUvYDxHxDIcKr0ivtin5aAk48+plv t5hQOT7JYVwEW0B1Y6OUno0YbP+8lkack0BMEHVT3WjoqbzUyIY= =bAcJ -----END PGP SIGNATURE----- Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull signature checking selftest from David Howells: "The signature checking code, as used by module signing, kexec, etc., is non-FIPS compliant as there is no selftest. For a kernel to be FIPS-compliant, signature checking would have to be tested before being used, and the box would need to panic if it's not available (probably reasonable as simply disabling signature checking would prevent you from loading any driver modules). Deal with this by adding a minimal test. This is split into two patches: the first moves load_certificate_list() to the same place as the X.509 code to make it more accessible internally; the second adds a selftest" * tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: certs: Add FIPS selftests certs: Move load_certificate_list() to be with the asymmetric keys code
91 lines
3.3 KiB
Makefile
91 lines
3.3 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Makefile for the linux kernel signature checking certificates.
|
|
#
|
|
|
|
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
|
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
|
|
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
|
|
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
|
|
|
|
$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list
|
|
CFLAGS_blacklist_hashes.o := -I $(obj)
|
|
|
|
quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@
|
|
cmd_check_and_copy_blacklist_hash_list = \
|
|
$(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
|
|
cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@
|
|
|
|
$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
|
|
$(call if_changed,check_and_copy_blacklist_hash_list)
|
|
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
|
|
else
|
|
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
|
|
endif
|
|
targets += blacklist_hash_list
|
|
|
|
quiet_cmd_extract_certs = CERT $@
|
|
cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
|
|
extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
|
|
|
|
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
|
|
|
|
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
|
|
$(call if_changed,extract_certs)
|
|
|
|
targets += x509_certificate_list
|
|
|
|
# If module signing is requested, say by allyesconfig, but a key has not been
|
|
# supplied, then one will need to be generated to make sure the build does not
|
|
# fail and that the kernel may be used afterwards.
|
|
#
|
|
# We do it this way rather than having a boolean option for enabling an
|
|
# external private key, because 'make randconfig' might enable such a
|
|
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
|
|
ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem)
|
|
|
|
keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
|
|
|
|
quiet_cmd_gen_key = GENKEY $@
|
|
cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
|
|
-batch -x509 -config $< \
|
|
-outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1
|
|
|
|
$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE
|
|
$(call if_changed,gen_key)
|
|
|
|
targets += signing_key.pem
|
|
|
|
quiet_cmd_copy_x509_config = COPY $@
|
|
cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@
|
|
|
|
# You can provide your own config file. If not present, copy the default one.
|
|
$(obj)/x509.genkey:
|
|
$(call cmd,copy_x509_config)
|
|
|
|
endif # CONFIG_MODULE_SIG_KEY
|
|
|
|
$(obj)/system_certificates.o: $(obj)/signing_key.x509
|
|
|
|
PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
|
|
ifdef PKCS11_URI
|
|
$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
|
|
endif
|
|
|
|
$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
|
|
$(call if_changed,extract_certs)
|
|
|
|
targets += signing_key.x509
|
|
|
|
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
|
|
|
|
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
|
|
$(call if_changed,extract_certs)
|
|
|
|
targets += x509_revocation_list
|
|
|
|
hostprogs := extract-cert
|
|
|
|
HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
|
|
HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
|