summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2013-08-30 19:07:13 +0400
committerDavid Howells <dhowells@redhat.com>2013-09-25 20:17:01 +0400
commitf0e6d220a7cd93afa0260ac5e7849f00b05e035a (patch)
treedd9331cf8606bf6068261e1f02d67a26d1ba76f9
parent124df926090b32a998483f6e43ebeccdbe5b5302 (diff)
downloadlinux-f0e6d220a7cd93afa0260ac5e7849f00b05e035a.tar.xz
KEYS: Load *.x509 files into kernel keyring
Load all the files matching the pattern "*.x509" that are to be found in kernel base source dir and base build dir into the module signing keyring. The "extra_certificates" file is then redundant. Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--kernel/Makefile35
-rw-r--r--kernel/modsign_certificate.S3
2 files changed, 30 insertions, 8 deletions
diff --git a/kernel/Makefile b/kernel/Makefile
index 1ce47553fb02..c34e5f993a21 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
$(call if_changed,bc)
ifeq ($(CONFIG_MODULE_SIG),y)
+###############################################################################
#
-# Pull the signing certificate and any extra certificates into the kernel
+# Roll all the X.509 certificates that we can find together and pull
+# them into the kernel.
#
+###############################################################################
+X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
+X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
+
+ifeq ($(X509_CERTIFICATES),)
+$(warning *** No X.509 certificates found ***)
+endif
+
+ifneq ($(wildcard $(obj)/.x509.list),)
+ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
+$(info X.509 certificate list changed)
+$(shell rm $(obj)/.x509.list)
+endif
+endif
+
+kernel/modsign_certificate.o: $(obj)/x509_certificate_list
-quiet_cmd_touch = TOUCH $@
- cmd_touch = touch $@
+quiet_cmd_x509certs = CERTS $@
+ cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@
+targets += $(obj)/x509_certificate_list
+$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
+ $(call if_changed,x509certs)
-extra_certificates:
- $(call cmd,touch)
+targets += $(obj)/.x509.list
+$(obj)/.x509.list:
+ @echo $(X509_CERTIFICATES) >$@
-kernel/modsign_certificate.o: signing_key.x509 extra_certificates
+clean-files := x509_certificate_list .x509.list
###############################################################################
#
diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S
index 4a9a86d12c8b..6fe03c7ffe72 100644
--- a/kernel/modsign_certificate.S
+++ b/kernel/modsign_certificate.S
@@ -7,6 +7,5 @@
.section ".init.data","aw"
GLOBAL(modsign_certificate_list)
- .incbin "signing_key.x509"
- .incbin "extra_certificates"
+ .incbin "kernel/x509_certificate_list"
GLOBAL(modsign_certificate_list_end)