mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-06 13:16:22 +00:00
65166bccd0
[ Upstream commit22e46f6480
] When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*), signing of modules fails: scripts/sign-file sha256 /.../linux/pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 /.../kernel/crypto/tcrypt.ko Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>] scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>] First, we need to avoid adding the $(srctree)/ prefix to the URL. Second, since the kconfig string values no longer include quotes, we need to add them again when passing a PKCS#11 URI to sign-file. This avoids splitting by the shell if the URI contains semicolons. Fixes:4db9c2e3d0
("kbuild: stop using config_filename in scripts/Makefile.modsign") Fixes:129ab0d2d9
("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
119 lines
2.6 KiB
Makefile
119 lines
2.6 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
# ==========================================================================
|
|
# Installing modules
|
|
# ==========================================================================
|
|
|
|
PHONY := __modinst
|
|
__modinst:
|
|
|
|
include include/config/auto.conf
|
|
include $(srctree)/scripts/Kbuild.include
|
|
|
|
modules := $(sort $(shell cat $(MODORDER)))
|
|
|
|
ifeq ($(KBUILD_EXTMOD),)
|
|
dst := $(MODLIB)/kernel
|
|
else
|
|
INSTALL_MOD_DIR ?= extra
|
|
dst := $(MODLIB)/$(INSTALL_MOD_DIR)
|
|
endif
|
|
|
|
$(foreach x, % :, $(if $(findstring $x, $(dst)), \
|
|
$(error module installation path cannot contain '$x')))
|
|
|
|
suffix-y :=
|
|
suffix-$(CONFIG_MODULE_COMPRESS_GZIP) := .gz
|
|
suffix-$(CONFIG_MODULE_COMPRESS_XZ) := .xz
|
|
suffix-$(CONFIG_MODULE_COMPRESS_ZSTD) := .zst
|
|
|
|
modules := $(patsubst $(extmod_prefix)%, $(dst)/%$(suffix-y), $(modules))
|
|
|
|
__modinst: $(modules)
|
|
@:
|
|
|
|
#
|
|
# Installation
|
|
#
|
|
quiet_cmd_install = INSTALL $@
|
|
cmd_install = mkdir -p $(dir $@); cp $< $@
|
|
|
|
# Strip
|
|
#
|
|
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
|
|
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
|
|
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be used
|
|
# as the options to the strip command.
|
|
ifdef INSTALL_MOD_STRIP
|
|
|
|
ifeq ($(INSTALL_MOD_STRIP),1)
|
|
strip-option := --strip-debug
|
|
else
|
|
strip-option := $(INSTALL_MOD_STRIP)
|
|
endif
|
|
|
|
quiet_cmd_strip = STRIP $@
|
|
cmd_strip = $(STRIP) $(strip-option) $@
|
|
|
|
else
|
|
|
|
quiet_cmd_strip =
|
|
cmd_strip = :
|
|
|
|
endif
|
|
|
|
#
|
|
# Signing
|
|
# Don't stop modules_install even if we can't sign external modules.
|
|
#
|
|
ifeq ($(CONFIG_MODULE_SIG_ALL),y)
|
|
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
|
|
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
|
|
else
|
|
sig-key := $(CONFIG_MODULE_SIG_KEY)
|
|
endif
|
|
quiet_cmd_sign = SIGN $@
|
|
cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
|
|
$(if $(KBUILD_EXTMOD),|| true)
|
|
else
|
|
quiet_cmd_sign :=
|
|
cmd_sign := :
|
|
endif
|
|
|
|
ifeq ($(modules_sign_only),)
|
|
|
|
$(dst)/%.ko: $(extmod_prefix)%.ko FORCE
|
|
$(call cmd,install)
|
|
$(call cmd,strip)
|
|
$(call cmd,sign)
|
|
|
|
else
|
|
|
|
$(dst)/%.ko: FORCE
|
|
$(call cmd,sign)
|
|
|
|
endif
|
|
|
|
#
|
|
# Compression
|
|
#
|
|
quiet_cmd_gzip = GZIP $@
|
|
cmd_gzip = $(KGZIP) -n -f $<
|
|
quiet_cmd_xz = XZ $@
|
|
cmd_xz = $(XZ) --lzma2=dict=2MiB -f $<
|
|
quiet_cmd_zstd = ZSTD $@
|
|
cmd_zstd = $(ZSTD) -T0 --rm -f -q $<
|
|
|
|
$(dst)/%.ko.gz: $(dst)/%.ko FORCE
|
|
$(call cmd,gzip)
|
|
|
|
$(dst)/%.ko.xz: $(dst)/%.ko FORCE
|
|
$(call cmd,xz)
|
|
|
|
$(dst)/%.ko.zst: $(dst)/%.ko FORCE
|
|
$(call cmd,zstd)
|
|
|
|
PHONY += FORCE
|
|
FORCE:
|
|
|
|
.PHONY: $(PHONY)
|