| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Feb 2022 09:12:33 +0100
From: Nicolas Schier <n.schier@....de>
To: Masahiro Yamada <masahiroy@...nel.org>
Cc: linux-kbuild@...r.kernel.org, David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] certs: simplify empty certs creation in
certs/Makefile
On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote:
> To create an empty cert file, we need to pass "" to the extract-cert
> tool, which is common for all the three call-sites of cmd_exract_certs.
Missing a 't' in 'cmd_exract_certs'.
Reviewed-by: Nicolas Schier <n.schier@....de>
>
> Factor out the logic into extract-cert-in.
>
> One exceptional case is PKCS#11 case, where we override extract-cert-in
> with the URI.
>
> Signed-off-by: Masahiro Yamada <masahiroy@...nel.org>
> ---
>
> certs/Makefile | 21 +++++++++++----------
> 1 file changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/certs/Makefile b/certs/Makefile
> index 68c1d7b9a388..d8443cfb1c40 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
> endif
>
> quiet_cmd_extract_certs = CERT $@
> - cmd_extract_certs = $(obj)/extract-cert $(2) $@
> + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
> +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
>
> $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>
> $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
> + $(call if_changed,extract_certs)
>
> targets += x509_certificate_list
>
> @@ -52,22 +53,22 @@ $(obj)/x509.genkey:
>
> endif # CONFIG_MODULE_SIG_KEY
>
> -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
> -X509_DEP := $(CONFIG_MODULE_SIG_KEY)
> -endif
> -
> $(obj)/system_certificates.o: $(obj)/signing_key.x509
>
> -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
> +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> +ifdef PKCS11_URI
> +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> +endif
> +
> +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> + $(call if_changed,extract_certs)
>
> targets += signing_key.x509
>
> $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
>
> $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
> - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
> + $(call if_changed,extract_certs)
>
> targets += x509_revocation_list
>
> --
> 2.32.0
>
Powered by blists - more mailing lists