Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-10 06:01:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

certs: include certs/signing_key.x509 unconditionally

Browse Source 
I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".

So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).

We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
This commit is contained in:
Masahiro Yamada 2022-02-18 13:46:33 +09:00
parent d4c8586432
commit 6ce019f73d
2 changed files with 0 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
certs/Makefile
View File

@ -22,25 +22,10 @@ $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert
targets += x509_certificate_list targets += x509_certificate_list
ifeq ($(CONFIG_MODULE_SIG),y)
SIGN_KEY = y
endif
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
ifeq ($(CONFIG_MODULES),y)
SIGN_KEY = y
endif
endif
ifdef SIGN_KEY
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been # If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not # supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards. # fail and that the kernel may be used afterwards.
# #
###############################################################################
# We do it this way rather than having a boolean option for enabling an # We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a # external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG. # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
@ -76,7 +61,6 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE $(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
endif # CONFIG_MODULE_SIG
targets += signing_key.x509 targets += signing_key.x509

3
certs/system_certificates.S
View File

@ -9,10 +9,7 @@
system_certificate_list: system_certificate_list:
__cert_list_start: __cert_list_start:
__module_cert_start: __module_cert_start:
#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
&& defined(CONFIG_MODULES))
.incbin "certs/signing_key.x509" .incbin "certs/signing_key.x509"
#endif
__module_cert_end: __module_cert_end:
.incbin "certs/x509_certificate_list" .incbin "certs/x509_certificate_list"
__cert_list_end: __cert_list_end: