diff options
author | Masahiro Yamada <masahiroy@kernel.org> | 2021-11-05 06:59:58 +0300 |
---|---|---|
committer | Masahiro Yamada <masahiroy@kernel.org> | 2021-12-11 16:09:14 +0300 |
commit | e06a61a89ccd3edda046c78f9d08aa045b8c4d32 (patch) | |
tree | 14f81b1ab99d156633b0c740c2f948e4fc7b11da /certs | |
parent | 54c8b517d2955ada78ba553f4b6682483895f32a (diff) | |
download | linux-e06a61a89ccd3edda046c78f9d08aa045b8c4d32.tar.xz |
certs: use if_changed to re-generate the key when the key type is changed
If the key type of the existing signing key does not match to
CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is
re-generated.
Use if_changed so that the key is re-generated when the key type is
changed (that is, the openssl command line is changed).
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Diffstat (limited to 'certs')
-rw-r--r-- | certs/Makefile | 30 |
1 files changed, 6 insertions, 24 deletions
diff --git a/certs/Makefile b/certs/Makefile index fdf206022113..a702b70f3cb9 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -51,41 +51,23 @@ ifdef SIGN_KEY # ############################################################################### -openssl_available = $(shell openssl help 2>/dev/null && echo yes) - # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") -ifeq ($(openssl_available),yes) -X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) -endif - -# Support user changing key type -ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA -keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -ifeq ($(openssl_available),yes) -$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) -endif -endif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA - -ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA -ifeq ($(openssl_available),yes) -$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) -endif -endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 quiet_cmd_gen_key = GENKEY $@ cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem \ - $(keytype_openssl) \ - 2>&1 + -keyout $(obj)/signing_key.pem $(keytype-y) 2>&1 + +$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE + $(call if_changed,gen_key) -$(obj)/signing_key.pem: $(obj)/x509.genkey - $(call cmd,gen_key) +targets += signing_key.pem quiet_cmd_copy_x509_config = COPY $@ cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@ |