| Message ID | 20210304175030.184131-1-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] certs: Fix wrong kconfig option used for x509_revocation_list | expand |
On Thu, Mar 04, 2021 at 12:50:30PM -0500, Eric Snowberg wrote: > Fix a build issue when x509_revocation_list is not defined. > > $ make ARCH=x86_64 O=build64 all > > EXTRACT_CERTS ../ > At main.c:154: > - SSL error:0909006C:PEM routines:get_name:no start line: crypto/pem/pem_lib.c:745 > extract-cert: ../: Is a directory > make[2]: [../certs/Makefile:119: certs/x509_revocation_list] Error 1 (ignored) > > When the new CONFIG_SYSTEM_REVOCATION_LIST was added [1], it was not carried > into the code for preloading the revocation certificates [2]. Change from > using the original CONFIG_SYSTEM_BLACKLIST_KEYRING to the new > CONFIG_SYSTEM_REVOCATION_LIST. > > [1] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m562c1b27bf402190e7bb573ad20eff5b6310d08f > [2] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m07e258bf019ccbac23820fad5192ceffa74fc6ab > > Reported-by: Randy Dunlap <rdunlap@infradead.org> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> This seems to fix my build errors. Tested-by: Nathan Chancellor <nathan@kernel.org> > --- > v2 changes: > Use the new config option for extract-cert > Use the new config option when building revocation_certificates.o > --- > certs/Makefile | 5 +++-- > certs/blacklist.c | 4 ++++ > scripts/Makefile | 2 +- > 3 files changed, 8 insertions(+), 3 deletions(-) > > diff --git a/certs/Makefile b/certs/Makefile > index e3f4926fd21e..b6db52ebf0be 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -4,7 +4,8 @@ > # > > obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o > -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o revocation_certificates.o common.o > +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > else > @@ -105,7 +106,7 @@ $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE > $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) > endif # CONFIG_MODULE_SIG > > -ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y) > +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) > > $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) > > diff --git a/certs/blacklist.c b/certs/blacklist.c > index 723b19c96256..c9a435b15af4 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -21,8 +21,10 @@ > > static struct key *blacklist_keyring; > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > extern __initconst const u8 revocation_certificate_list[]; > extern __initconst const unsigned long revocation_certificate_list_size; > +#endif > > /* > * The description must be a type prefix, a colon and then an even number of > @@ -225,6 +227,7 @@ static int __init blacklist_init(void) > */ > device_initcall(blacklist_init); > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > /* > * Load the compiled-in list of revocation X.509 certificates. > */ > @@ -237,3 +240,4 @@ static __init int load_revocation_certificate_list(void) > blacklist_keyring); > } > late_initcall(load_revocation_certificate_list); > +#endif > diff --git a/scripts/Makefile b/scripts/Makefile > index 983b785f13cb..bd0718f7c493 100644 > --- a/scripts/Makefile > +++ b/scripts/Makefile > @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include > HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include > -- > 2.18.4 >
Eric Snowberg <eric.snowberg@oracle.com> wrote: > @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert Hmmm... We have extract-cert listed twice. Does that matter, I wonder? David
> On Mar 5, 2021, at 2:50 PM, David Howells <dhowells@redhat.com> wrote: > > Eric Snowberg <eric.snowberg@oracle.com> wrote: > >> @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler >> hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file >> hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert >> hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert >> - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert >> +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > Hmmm... We have extract-cert listed twice. Does that matter, I wonder? Isn’t this necessary, since one could build with either CONFIG_SYSTEM_REVOCATION_LIST or CONFIG_SYSTEM_TRUSTED_KEYRING, without the other being defined?
Eric Snowberg <eric.snowberg@oracle.com> wrote: > >> @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > >> hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > >> hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > >> hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > >> - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > >> +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > > > Hmmm... We have extract-cert listed twice. Does that matter, I wonder? > > Isn’t this necessary, since one could build with either > CONFIG_SYSTEM_REVOCATION_LIST or CONFIG_SYSTEM_TRUSTED_KEYRING, without > the other being defined? Well, it could be handled with its own Kconfig, say CONFIG_BUILD_EXTRACT_CERT, but that would seem like overkill. I think make should handle a dependency being listed multiple times for a target, but it might make sense to list them next to each other. David
On Thu, Mar 04, 2021 at 12:50:30PM -0500, Eric Snowberg wrote: > Fix a build issue when x509_revocation_list is not defined. > > $ make ARCH=x86_64 O=build64 all > > EXTRACT_CERTS ../ > At main.c:154: > - SSL error:0909006C:PEM routines:get_name:no start line: crypto/pem/pem_lib.c:745 > extract-cert: ../: Is a directory > make[2]: [../certs/Makefile:119: certs/x509_revocation_list] Error 1 (ignored) > > When the new CONFIG_SYSTEM_REVOCATION_LIST was added [1], it was not carried > into the code for preloading the revocation certificates [2]. Change from > using the original CONFIG_SYSTEM_BLACKLIST_KEYRING to the new > CONFIG_SYSTEM_REVOCATION_LIST. > > [1] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m562c1b27bf402190e7bb573ad20eff5b6310d08f > [2] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m07e258bf019ccbac23820fad5192ceffa74fc6ab > > Reported-by: Randy Dunlap <rdunlap@infradead.org> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Got my first ever chance to try out b4: $ b4 am 20210304175030.184131-1-eric.snowberg@oracle.com Looking up https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg%40oracle.com Grabbing thread from lore.kernel.org/keyrings Analyzing 5 messages in the thread --- Writing ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx ✓ [PATCH v2] certs: Fix wrong kconfig option used for x509_revocation_list + Tested-by: Nathan Chancellor <nathan@kernel.org> (✓ DKIM/kernel.org) --- ✓ Attestation-by: DKIM/oracle.com (From: eric.snowberg@oracle.com) --- Total patches: 1 --- Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com Base: not found git am ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx Wondering tho, what "Base: not found" means? > --- > v2 changes: > Use the new config option for extract-cert > Use the new config option when building revocation_certificates.o > --- > certs/Makefile | 5 +++-- > certs/blacklist.c | 4 ++++ > scripts/Makefile | 2 +- > 3 files changed, 8 insertions(+), 3 deletions(-) > > diff --git a/certs/Makefile b/certs/Makefile > index e3f4926fd21e..b6db52ebf0be 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -4,7 +4,8 @@ > # > > obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o > -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o revocation_certificates.o common.o > +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > else > @@ -105,7 +106,7 @@ $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE > $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) > endif # CONFIG_MODULE_SIG > > -ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y) > +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) > > $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) > > diff --git a/certs/blacklist.c b/certs/blacklist.c > index 723b19c96256..c9a435b15af4 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -21,8 +21,10 @@ > > static struct key *blacklist_keyring; > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > extern __initconst const u8 revocation_certificate_list[]; > extern __initconst const unsigned long revocation_certificate_list_size; > +#endif > > /* > * The description must be a type prefix, a colon and then an even number of > @@ -225,6 +227,7 @@ static int __init blacklist_init(void) > */ > device_initcall(blacklist_init); > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > /* > * Load the compiled-in list of revocation X.509 certificates. > */ > @@ -237,3 +240,4 @@ static __init int load_revocation_certificate_list(void) > blacklist_keyring); > } > late_initcall(load_revocation_certificate_list); > +#endif > diff --git a/scripts/Makefile b/scripts/Makefile > index 983b785f13cb..bd0718f7c493 100644 > --- a/scripts/Makefile > +++ b/scripts/Makefile > @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include > HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include > -- > 2.18.4 > > The patch does not apply: $ git am -3 v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx Applying: certs: Fix wrong kconfig option used for x509_revocation_list error: sha1 information is lacking or useless (certs/Makefile). error: could not build fake ancestor Patch failed at 0001 certs: Fix wrong kconfig option used for x509_revocation_list hint: Use 'git am --show-current-patch=diff' to see the failed patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". /Jarkko
On Wed, Mar 10, 2021 at 09:43:33PM +0200, Jarkko Sakkinen wrote: > On Thu, Mar 04, 2021 at 12:50:30PM -0500, Eric Snowberg wrote: > > Fix a build issue when x509_revocation_list is not defined. > > > > $ make ARCH=x86_64 O=build64 all > > > > EXTRACT_CERTS ../ > > At main.c:154: > > - SSL error:0909006C:PEM routines:get_name:no start line: crypto/pem/pem_lib.c:745 > > extract-cert: ../: Is a directory > > make[2]: [../certs/Makefile:119: certs/x509_revocation_list] Error 1 (ignored) > > > > When the new CONFIG_SYSTEM_REVOCATION_LIST was added [1], it was not carried > > into the code for preloading the revocation certificates [2]. Change from > > using the original CONFIG_SYSTEM_BLACKLIST_KEYRING to the new > > CONFIG_SYSTEM_REVOCATION_LIST. > > > > [1] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m562c1b27bf402190e7bb573ad20eff5b6310d08f > > [2] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m07e258bf019ccbac23820fad5192ceffa74fc6ab > > > > Reported-by: Randy Dunlap <rdunlap@infradead.org> > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > Got my first ever chance to try out b4: > > $ b4 am 20210304175030.184131-1-eric.snowberg@oracle.com > Looking up https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg%40oracle.com > Grabbing thread from lore.kernel.org/keyrings > Analyzing 5 messages in the thread > --- > Writing ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx > ✓ [PATCH v2] certs: Fix wrong kconfig option used for x509_revocation_list > + Tested-by: Nathan Chancellor <nathan@kernel.org> (✓ DKIM/kernel.org) > --- > ✓ Attestation-by: DKIM/oracle.com (From: eric.snowberg@oracle.com) > --- > Total patches: 1 > --- > Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com > Base: not found > git am ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx > > Wondering tho, what "Base: not found" means? > > > --- > > v2 changes: > > Use the new config option for extract-cert > > Use the new config option when building revocation_certificates.o > > --- > > certs/Makefile | 5 +++-- > > certs/blacklist.c | 4 ++++ > > scripts/Makefile | 2 +- > > 3 files changed, 8 insertions(+), 3 deletions(-) > > > > diff --git a/certs/Makefile b/certs/Makefile > > index e3f4926fd21e..b6db52ebf0be 100644 > > --- a/certs/Makefile > > +++ b/certs/Makefile > > @@ -4,7 +4,8 @@ > > # > > > > obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o > > -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o revocation_certificates.o common.o > > +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > else > > @@ -105,7 +106,7 @@ $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE > > $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) > > endif # CONFIG_MODULE_SIG > > > > -ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y) > > +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) > > > > $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) > > > > diff --git a/certs/blacklist.c b/certs/blacklist.c > > index 723b19c96256..c9a435b15af4 100644 > > --- a/certs/blacklist.c > > +++ b/certs/blacklist.c > > @@ -21,8 +21,10 @@ > > > > static struct key *blacklist_keyring; > > > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > > extern __initconst const u8 revocation_certificate_list[]; > > extern __initconst const unsigned long revocation_certificate_list_size; > > +#endif > > > > /* > > * The description must be a type prefix, a colon and then an even number of > > @@ -225,6 +227,7 @@ static int __init blacklist_init(void) > > */ > > device_initcall(blacklist_init); > > > > +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > > /* > > * Load the compiled-in list of revocation X.509 certificates. > > */ > > @@ -237,3 +240,4 @@ static __init int load_revocation_certificate_list(void) > > blacklist_keyring); > > } > > late_initcall(load_revocation_certificate_list); > > +#endif > > diff --git a/scripts/Makefile b/scripts/Makefile > > index 983b785f13cb..bd0718f7c493 100644 > > --- a/scripts/Makefile > > +++ b/scripts/Makefile > > @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler > > hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file > > hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > > hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > > - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > > +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert > > > > HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include > > HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include > > -- > > 2.18.4 > > > > > The patch does not apply: > > $ git am -3 v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx > Applying: certs: Fix wrong kconfig option used for x509_revocation_list > error: sha1 information is lacking or useless (certs/Makefile). > error: could not build fake ancestor > Patch failed at 0001 certs: Fix wrong kconfig option used for x509_revocation_list > hint: Use 'git am --show-current-patch=diff' to see the failed patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". Tried to apply to Linus' tree 9b1ea29bc0d7b94d420f96a0f4121403efc3dd85 /Jarkko
> On Mar 10, 2021, at 12:43 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Thu, Mar 04, 2021 at 12:50:30PM -0500, Eric Snowberg wrote: >> Fix a build issue when x509_revocation_list is not defined. >> >> $ make ARCH=x86_64 O=build64 all >> >> EXTRACT_CERTS ../ >> At main.c:154: >> - SSL error:0909006C:PEM routines:get_name:no start line: crypto/pem/pem_lib.c:745 >> extract-cert: ../: Is a directory >> make[2]: [../certs/Makefile:119: certs/x509_revocation_list] Error 1 (ignored) >> >> When the new CONFIG_SYSTEM_REVOCATION_LIST was added [1], it was not carried >> into the code for preloading the revocation certificates [2]. Change from >> using the original CONFIG_SYSTEM_BLACKLIST_KEYRING to the new >> CONFIG_SYSTEM_REVOCATION_LIST. >> >> [1] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m562c1b27bf402190e7bb573ad20eff5b6310d08f >> [2] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m07e258bf019ccbac23820fad5192ceffa74fc6ab >> >> Reported-by: Randy Dunlap <rdunlap@infradead.org> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > Got my first ever chance to try out b4: > > $ b4 am 20210304175030.184131-1-eric.snowberg@oracle.com > Looking up https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg%40oracle.com > Grabbing thread from lore.kernel.org/keyrings > Analyzing 5 messages in the thread > --- > Writing ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx > ✓ [PATCH v2] certs: Fix wrong kconfig option used for x509_revocation_list > + Tested-by: Nathan Chancellor <nathan@kernel.org> (✓ DKIM/kernel.org) > --- > ✓ Attestation-by: DKIM/oracle.com (From: eric.snowberg@oracle.com) > --- > Total patches: 1 > --- > Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com > Base: not found > git am ./v2_20210304_eric_snowberg_certs_fix_wrong_kconfig_option_used_for_x509_revocation_list.mbx > > Wondering tho, what "Base: not found" means? This was based off David’s keys-next branch, which I think has now changed. I probably should have sent this with the following base-commit: base-commit: ea20ea8b8ba4d475ebc79da63350850780933a81 I’ll try to remember to make sure to have the base-commit added in the future.
diff --git a/certs/Makefile b/certs/Makefile index e3f4926fd21e..b6db52ebf0be 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -4,7 +4,8 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o revocation_certificates.o common.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else @@ -105,7 +106,7 @@ $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG -ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y) +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) diff --git a/certs/blacklist.c b/certs/blacklist.c index 723b19c96256..c9a435b15af4 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -21,8 +21,10 @@ static struct key *blacklist_keyring; +#ifdef CONFIG_SYSTEM_REVOCATION_LIST extern __initconst const u8 revocation_certificate_list[]; extern __initconst const unsigned long revocation_certificate_list_size; +#endif /* * The description must be a type prefix, a colon and then an even number of @@ -225,6 +227,7 @@ static int __init blacklist_init(void) */ device_initcall(blacklist_init); +#ifdef CONFIG_SYSTEM_REVOCATION_LIST /* * Load the compiled-in list of revocation X.509 certificates. */ @@ -237,3 +240,4 @@ static __init int load_revocation_certificate_list(void) blacklist_keyring); } late_initcall(load_revocation_certificate_list); +#endif diff --git a/scripts/Makefile b/scripts/Makefile index 983b785f13cb..bd0718f7c493 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert - hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
Fix a build issue when x509_revocation_list is not defined. $ make ARCH=x86_64 O=build64 all EXTRACT_CERTS ../ At main.c:154: - SSL error:0909006C:PEM routines:get_name:no start line: crypto/pem/pem_lib.c:745 extract-cert: ../: Is a directory make[2]: [../certs/Makefile:119: certs/x509_revocation_list] Error 1 (ignored) When the new CONFIG_SYSTEM_REVOCATION_LIST was added [1], it was not carried into the code for preloading the revocation certificates [2]. Change from using the original CONFIG_SYSTEM_BLACKLIST_KEYRING to the new CONFIG_SYSTEM_REVOCATION_LIST. [1] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m562c1b27bf402190e7bb573ad20eff5b6310d08f [2] https://lore.kernel.org/keyrings/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/T/#m07e258bf019ccbac23820fad5192ceffa74fc6ab Reported-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v2 changes: Use the new config option for extract-cert Use the new config option when building revocation_certificates.o --- certs/Makefile | 5 +++-- certs/blacklist.c | 4 ++++ scripts/Makefile | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-)