KEYS: Load *.x509 files into kernel keyring

Load all the files matching the pattern "*.x509" that are to be found in kernel base source dir and base build dir into the module signing keyring. The "extra_certificates" file is then redundant. Signed-off-by: David Howells <dhowells@redhat.com>

KEYS: Load *.x509 files into kernel keyring
Load all the files matching the pattern "*.x509" that are to be found in kernel base source dir and base build dir into the module signing keyring. The "extra_certificates" file is then redundant. Signed-off-by: David Howells <dhowells@redhat.com>
f0e6d220 · David Howells · 124df926 · f0e6d220 · f0e6d220
Commit f0e6d220 authored Aug 30, 2013 by David Howells
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 8 deletions

kernel/Makefile kernel/Makefile +29 -6

kernel/modsign_certificate.S kernel/modsign_certificate.S +1 -2

No files found.
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
 	$(call if_changed,bc)
 ifeq ($(CONFIG_MODULE_SIG),y)
+###############################################################################
 #
-# Pull the signing certificate and any extra certificates into the kernel
+# Roll all the X.509 certificates that we can find together and pull
+# them into the kernel.
 #
+###############################################################################
+X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
+X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
+ifeq ($(X509_CERTIFICATES),)
+$(warning *** No X.509 certificates found ***)
+endif
+ifneq ($(wildcard $(obj)/.x509.list),)
+ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
+$(info X.509 certificate list changed)
+$(shell rm $(obj)/.x509.list)
+endif
+endif
+kernel/modsign_certificate.o: $(obj)/x509_certificate_list
-quiet_cmd_touch = TOUCH   $@
+quiet_cmd_x509certs  = CERTS   $@
-      cmd_touch = touch   $@
+      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@
+targets += $(obj)/x509_certificate_list
+$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
+	$(call if_changed,x509certs)
-extra_certificates:
+targets += $(obj)/.x509.list
-	$(call cmd,touch)
+$(obj)/.x509.list:
+	@echo $(X509_CERTIFICATES) >$@
-kernel/modsign_certificate.o: signing_key.x509 extra_certificates
+clean-files := x509_certificate_list .x509.list
 ###############################################################################
 #

--- a/kernel/modsign_certificate.S
+++ b/kernel/modsign_certificate.S
@@ -7,6 +7,5 @@
 	.section ".init.data","aw"
 GLOBAL(modsign_certificate_list)
-	.incbin "signing_key.x509"
+	.incbin "kernel/x509_certificate_list"
-	.incbin "extra_certificates"
 GLOBAL(modsign_certificate_list_end)