From: Masahiro Yamada <masahiroy@kernel.org>
To: linux-kbuild@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Masahiro Yamada <masahiroy@kernel.org>
Subject: [PATCH 1/2] certs: include certs/signing_key.x509 unconditionally
Date: Fri, 18 Feb 2022 13:46:33 +0900 [thread overview]
Message-ID: <20220218044634.169520-1-masahiroy@kernel.org> (raw)
I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".
So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).
We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---
certs/Makefile | 16 ----------------
certs/system_certificates.S | 3 ---
2 files changed, 19 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 3ea7fe60823f..68c1d7b9a388 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -22,25 +22,10 @@ $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert
targets += x509_certificate_list
-ifeq ($(CONFIG_MODULE_SIG),y)
- SIGN_KEY = y
-endif
-
-ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
-ifeq ($(CONFIG_MODULES),y)
- SIGN_KEY = y
-endif
-endif
-
-ifdef SIGN_KEY
-###############################################################################
-#
# If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards.
#
-###############################################################################
-
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
@@ -76,7 +61,6 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
-endif # CONFIG_MODULE_SIG
targets += signing_key.x509
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index e1645e6f4d97..003e25d4a17e 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -9,10 +9,7 @@
system_certificate_list:
__cert_list_start:
__module_cert_start:
-#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
- && defined(CONFIG_MODULES))
.incbin "certs/signing_key.x509"
-#endif
__module_cert_end:
.incbin "certs/x509_certificate_list"
__cert_list_end:
--
2.32.0
next reply other threads:[~2022-02-18 4:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-18 4:46 Masahiro Yamada [this message]
2022-02-18 4:46 ` [PATCH 2/2] certs: simplify empty certs creation in certs/Makefile Masahiro Yamada
2022-02-22 8:12 ` Nicolas Schier
2022-03-03 0:01 ` Masahiro Yamada
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220218044634.169520-1-masahiroy@kernel.org \
--to=masahiroy@kernel.org \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox