From: David Howells
In-Reply-To: <159991.1615539999@turing-police>
References: <159991.1615539999@turing-police> <134696.1615510534@turing-police> <109018.1615463088@turing-police> <91190.1615444370@turing-police> <972381.1615459754@warthog.procyon.org.uk> <1486567.1615464259@warthog.procyon.org.uk> <2026575.1615539696@warthog.procyon.org.uk>
To: Valdis Klētnieks
Cc: dhowells@redhat.com, David Woodhouse, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] certs: Clean up signing_key.pem and x509.genkey on make mrproper
Date: Fri, 12 Mar 2021 11:19:31 +0000
Message-ID: <2243141.1615547971@warthog.procyon.org.uk>
X-Mailing-List: keyrings@vger.kernel.org

Valdis Klētnieks wrote:

> > Possibly I can add something like:
> >
> > 	clean-files := signing_key.pem x509.genkey
> >
> > inside the
> >
> > 	ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
> > 	...
> > 	endif
>
> Would that remove them on a 'make clean', or only a 'make mrproper'?
> The latter sounds like the correct solution to me, as the signing key should
> have (roughly) the same lifetime rules as the .config file.

It would appear that it works on neither.  Neither of them seem to have any
CONFIG_xxx symbols set.

How about the attached patch?

David
---
commit 95897dc8dc13ad13c637a477a1ead9b63ff1fafa
Author: David Howells
Date:   Fri Mar 12 10:48:25 2021 +0000

    certs: Clean up signing_key.pem and x509.genkey on make mrproper

    Autogenerated signing_key.pem and x509.genkey files aren't removed from
    the build certs/ directory when "make mrproper" is run.  This is somewhat
    deliberate since the "file" is specified by the CONFIG_MODULE_SIG_KEY
    string option and may not be in the build tree - and may not even be a
    filename, but rather a PKCS#7 URI (also the config variables don't seem
    to be set when cleaning).

Fix this by unconditionally listing signing_key.pem and x509.genkey for removal from the build certs/ directory - which will just do nothing if they're not there, and shouldn't remove signing keys that are configured to be elsewhere. Note that this will permanently erase the autogenerated private key, so anyone that is relying on it still being around after doing make mrproper will no longer find it. Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") Reported-by: Valdis Klētnieks Signed-off-by: David Howells Link: https://lore.kernel.org/r/134696.1615510534@turing-police/ [1] diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..2ae1dd518bc7 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -104,3 +104,5 @@ targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG + +clean-files += signing_key.pem x509.genkey
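
Review bot: the added `clean-files += signing_key.pem x509.genkey` at the end of certs/Makefile uses the kbuild variable that is processed by `make clean`, so the autogenerated private key would be erased on every `make clean`, not only on `make mrproper` as the subject and commit message state and as Valdis asked for in the quoted reply (same lifetime as .config). Consider listing certs/signing_key.pem and certs/x509.genkey in the mrproper file list of the top-level Makefile instead, or retitle the patch and document in the message that `make clean` now removes the key. Because the line sits outside the CONFIG_MODULE_SIG block and is unconditional, the message should also say that a user-supplied key stored at certs/signing_key.pem in the build tree is deleted too, not just an autogenerated one.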