| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Aug 2023 16:52:08 +0200
From: Nicolas Schier <nicolas@...sle.eu>
To: Masahiro Yamada <masahiroy@...nel.org>
Cc: linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>
Subject: Re: [PATCH 8/8] kbuild: support modules_sign for external modules as
well
On Wed 23 Aug 2023 20:50:48 GMT, Masahiro Yamada wrote:
> The modules_sign target is currently only available for in-tree modules,
> but it actually works for external modules as well.
>
> Move the modules_sign rule to the common part.
>
> Signed-off-by: Masahiro Yamada <masahiroy@...nel.org>
> ---
Reviewed-by: Nicolas Schier <nicolas@...sle.eu>
>
> Makefile | 32 ++++++++++++++++----------------
> scripts/Makefile.modinst | 4 ++--
> 2 files changed, 18 insertions(+), 18 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 82d22debf6c9..87a9eef3fb4b 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1461,20 +1461,6 @@ modules: modules_prepare
> modules_prepare: prepare
> $(Q)$(MAKE) $(build)=scripts scripts/module.lds
>
> -export modules_sign_only :=
> -
> -ifeq ($(CONFIG_MODULE_SIG),y)
> -PHONY += modules_sign
> -modules_sign: modules_install
> - @:
> -
> -# modules_sign is a subset of modules_install.
> -# 'make modules_install modules_sign' is equivalent to 'make modules_install'.
> -ifeq ($(filter modules_install,$(MAKECMDGOALS)),)
> -modules_sign_only := y
> -endif
> -endif
> -
> endif # CONFIG_MODULES
>
> ###
> @@ -1833,10 +1819,24 @@ endif # KBUILD_EXTMOD
> # ---------------------------------------------------------------------------
> # Modules
>
> -PHONY += modules modules_install modules_prepare
> +PHONY += modules modules_install modules_sign modules_prepare
>
> modules_install:
> - $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
> + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst \
> + sign-only=$(if $(filter modules_install,$(MAKECMDGOALS)),,y)
> +
> +ifeq ($(CONFIG_MODULE_SIG),y)
> +# modules_sign is a subset of modules_install.
> +# 'make modules_install modules_sign' is equivalent to 'make modules_install'.
> +modules_sign: modules_install
> + @:
> +else
> +modules_sign:
> + @echo >&2 '***'
> + @echo >&2 '*** CONFIG_MODULE_SIG is disabled. You cannot sign modules.'
> + @echo >&2 '***'
> + @false
> +endif
>
> ifdef CONFIG_MODULES
>
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index 33d424a3f265..459cb1fed223 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -13,7 +13,7 @@ install-y :=
>
> PHONY += prepare
>
> -ifeq ($(KBUILD_EXTMOD)$(modules_sign_only),)
> +ifeq ($(KBUILD_EXTMOD)$(sign-only),)
>
> # Install more files for in-tree modules_install
>
> @@ -115,7 +115,7 @@ quiet_cmd_sign = SIGN $@
> cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
> $(if $(KBUILD_EXTMOD),|| true)
>
> -ifeq ($(modules_sign_only),)
> +ifeq ($(sign-only),)
>
> # During modules_install, modules are signed only when CONFIG_MODULE_SIG_ALL=y.
> ifndef CONFIG_MODULE_SIG_ALL
> --
> 2.39.2
--
Nicolas Schier
epost|xmpp: nicolas@...sle.eu irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb c82b 7d97 0932 55a0 ce7f
-- frykten for herren er opphav til kunnskap --
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists