mirror of
https://github.com/torvalds/linux.git
synced 2024-11-11 06:31:49 +00:00
3f1e1bea34
Move to using PKCS#7 messages as module signatures because: (1) We have to be able to support the use of X.509 certificates that don't have a subjKeyId set. We're currently relying on this to look up the X.509 certificate in the trusted keyring list. (2) PKCS#7 message signed information blocks have a field that supplies the data required to match with the X.509 certificate that signed it. (3) The PKCS#7 certificate carries fields that specify the digest algorithm used to generate the signature in a standardised way and the X.509 certificates specify the public key algorithm in a standardised way - so we don't need our own methods of specifying these. (4) We now have PKCS#7 message support in the kernel for signed kexec purposes and we can make use of this. To make this work, the old sign-file script has been replaced with a program that needs compiling in a previous patch. The rules to build it are added here. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
45 lines
1.5 KiB
Makefile
###
# scripts contains sources for various helper programs used throughout
# the kernel for the build process.
# ---------------------------------------------------------------------------
# kallsyms: Find all symbols in vmlinux
# pnmtologo: Convert pnm files to logo files
# conmakehash: Create chartable
# conmakehash: Create arrays for initializing the kernel console tables
# docproc: Used in Documentation/DocBook

# Host-compiler include path for the helper programs built from this directory.
HOST_EXTRACFLAGS += -I$(srctree)/tools/include

# Host programs, each gated on a configuration symbol.  The symbol's value
# becomes the variable suffix, so a program ends up in hostprogs-y or
# hostprogs-m when its symbol is set to y or m, and in neither when it is unset.
hostprogs-$(CONFIG_KALLSYMS)               += kallsyms
hostprogs-$(CONFIG_LOGO)                   += pnmtologo
hostprogs-$(CONFIG_VT)                     += conmakehash
hostprogs-$(BUILD_C_RECORDMCOUNT)          += recordmcount
hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable
hostprogs-$(CONFIG_ASN1)                   += asn1_compiler
# sign-file is the compiled program that replaced the earlier sign-file
# script; it generates the PKCS#7 module signatures and is built only when
# module signing (CONFIG_MODULE_SIG) is enabled.
hostprogs-$(CONFIG_MODULE_SIG)             += sign-file

# Per-target build settings.
HOSTCFLAGS_sortextable.o   = -I$(srctree)/tools/include
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
# sign-file links against libcrypto as installed on the build host, so the
# signing tool is only as trustworthy as that host's toolchain and library.
# NOTE(review): a CONFIG_MODULE_SIG build presumably needs the host's
# libcrypto development files; confirm this is stated in the build requirements.
HOSTLOADLIBES_sign-file    = -lcrypto

# ':=' snapshots the selection made so far; anything appended to hostprogs-y
# after this line is not part of 'always'.
always := $(hostprogs-y) $(hostprogs-m)

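# The following hostprogs-y programs are only built on demand: they are
# appended after 'always' was assigned with ':=', so they are not part of it.
hostprogs-y += unifdef docproc

# These targets are used internally to avoid "is up to date" messages.
# Each one depends on the real program and carries a recipe that does nothing
# ('@' suppresses the echo, ':' is the shell no-op).  The recipe line must
# start with a hard TAB; without it make would not read '@:' as a recipe.
PHONY += build_unifdef build_docproc
build_unifdef: $(obj)/unifdef
	@:
build_docproc: $(obj)/docproc
	@:
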
# Subdirectories to descend into.  'mod' is always entered; the others are
# selected by the value of their configuration symbol.
subdir-$(CONFIG_MODVERSIONS)      += genksyms
subdir-y                          += mod
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
subdir-$(CONFIG_DTC)              += dtc
subdir-$(CONFIG_GDB_SCRIPTS)      += gdb

# Let clean descend into subdirs
subdir- += basic kconfig package