mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-10 15:10:38 +00:00
b0e22b47f6
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEqG5UsNXhtOCrfGQP+7dXa6fLC2sFAmBKRxMACgkQ+7dXa6fL C2trYg/7Brf6d0JUAw/MbjCcPVL5SmTHRGJwmKq7+du/Z4yqz3VcL/flk2cyvMr3 lvGQK+KTWTZLidovQA42e54XIaUh3cqwUhz9H3+X61gY7kWJvioEhvg1tD007L7O DrMMkRhh9nnAV5GOhHj1nxIcgmxwrKNkzevf157RRKWnm9VBNmeZsu0kd2Ffx0i0 EqsejQU+sP6MgeKjTTKXKVpvH2GGB0NJRrpQCJSR4t9GrAt+rGlcNJFdqqmyxhpj cGtEhtNO7MiigGHxCbzpK0g6l6f31si+WIAywdxF65DGQOF3gcgxHQlPDcNiC/RH PLPEchUH2fOv4koDQWM8HJ4XDS5eRZmYSh6WPrSxJwuNH/NDyWxKSxrBXGhRWTfx RaMe2wQcQq9Rge+e6PwR+nJEbdSL2BHxdAaBDqBlxY9A0c6onTy+XzVSLTKYUJ5u /Y/fND3eHvMPZt4WMMZDQzHVnHscXFYPI4y1EMDLcAof9ltNG5zLAJZ6mHi6rqGl q+VhSPFi6equ7szdV2cZ5ltSROdAnwkbycs1LgeSzh8LWe83Tkq0eDEHSTjGpQFY VWGBs6JGl1QPdQdSc3uqki1LdTYUy5w0Pr3h0Ff6L3NS9fUrzCMtsN+/4aQNzS+C cP22WM2IRDtN17pRASNjI4/6sL7X7/rLQ8KNq/QpQeD4+ZkINaI= =fLQY -----END PGP SIGNATURE----- Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull x509 dbx/mokx UEFI support from David Howells: "Here's a set of patches from Eric Snowberg[1] that add support for EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries cause matching certificates to be rejected). These are currently ignored and only the hash entries are made use of. Additionally Eric included his patches to allow such certificates to be preloaded. These patches deal with CVE-2020-26541. To quote Eric: 'This is the fifth patch series for adding support for EFI_CERT_X509_GUID entries [2]. It has been expanded to not only include dbx entries but also entries in the mokx. Additionally my series to preload these certificate [3] has also been included'" Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1] Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2] Link: https://lore.kernel.org/patchwork/cover/1315485/ [3] * tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: integrity: Load mokx variables into the blacklist keyring certs: Add ability to preload revocation certs certs: Move load_system_certificate_list to a common function certs: Add EFI_CERT_X509_GUID support for dbx entries
47 lines
1.6 KiB
Makefile
47 lines
1.6 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
###
|
|
# scripts contains sources for various helper programs used throughout
|
|
# the kernel for the build process.
|
|
|
|
CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
|
|
CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null)
|
|
|
|
hostprogs-always-$(CONFIG_BUILD_BIN2C) += bin2c
|
|
hostprogs-always-$(CONFIG_KALLSYMS) += kallsyms
|
|
hostprogs-always-$(BUILD_C_RECORDMCOUNT) += recordmcount
|
|
hostprogs-always-$(CONFIG_BUILDTIME_TABLE_SORT) += sorttable
|
|
hostprogs-always-$(CONFIG_ASN1) += asn1_compiler
|
|
hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
|
|
hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
|
|
hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
|
|
hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
|
|
|
|
HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
|
|
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
|
|
HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS)
|
|
HOSTLDLIBS_sign-file = $(CRYPTO_LIBS)
|
|
HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS)
|
|
HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS)
|
|
|
|
ifdef CONFIG_UNWINDER_ORC
|
|
ifeq ($(ARCH),x86_64)
|
|
ARCH := x86
|
|
endif
|
|
HOSTCFLAGS_sorttable.o += -I$(srctree)/tools/arch/x86/include
|
|
HOSTCFLAGS_sorttable.o += -DUNWINDER_ORC_ENABLED
|
|
HOSTLDLIBS_sorttable = -lpthread
|
|
endif
|
|
|
|
# The following programs are only built on demand
|
|
hostprogs += unifdef
|
|
|
|
# The module linker script is preprocessed on demand
|
|
targets += module.lds
|
|
|
|
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
|
|
subdir-$(CONFIG_MODVERSIONS) += genksyms
|
|
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
|
|
|
|
# Let clean descend into subdirs
|
|
subdir- += basic dtc gdb kconfig mod
|