[2/2] localmodconfig: Reset certificate paths

Message ID 1459619722-13695-2-git-send-email-bpoirier@suse.com (mailing list archive)
State New, archived
Commit Message

Benjamin Poirier April 2, 2016, 5:55 p.m. UTC
When using `make localmodconfig` and friends, if the input config comes
from a kernel that was built in a different environment (for example, the
canonical case of using localmodconfig to trim a distribution kernel
config) the key files for module signature checking will not be available
and should be regenerated or omitted. Otherwise, the user will be faced
with annoying errors when trying to build with the generated .config:

make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
Makefile:1576: recipe for target 'certs/' failed

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
---
 scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

Comments

joeyli April 8, 2016, 2:59 p.m. UTC | #1
On Sat, Apr 02, 2016 at 10:55:22AM -0700, Benjamin Poirier wrote:
> When using `make localmodconfig` and friends, if the input config comes
> from a kernel that was built in a different environment (for example, the
> canonical case of using localmodconfig to trim a distribution kernel
> config) the key files for module signature checking will not be available
> and should be regenerated or omitted. Otherwise, the user will be faced
> with annoying errors when trying to build with the generated .config:
> 
> make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
> Makefile:1576: recipe for target 'certs/' failed
> 
> Signed-off-by: Benjamin Poirier <bpoirier@suse.com>

Tested-by: Lee, Chun-Yi <jlee@suse.com>


Regards
Joey Lee

> ---
>  scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
> index 7036ae3..514735d 100755
> --- a/scripts/kconfig/streamline_config.pl
> +++ b/scripts/kconfig/streamline_config.pl
> @@ -610,6 +610,40 @@ foreach my $line (@config_file) {
>  	next;
>      }
>  
> +    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
> +        my $orig_cert = $1;
> +        my $default_cert = "certs/signing_key.pem";
> +
> +        # Check that the logic in this script still matches the one in Kconfig
> +        if (!defined($depends{"MODULE_SIG_KEY"}) ||
> +            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
> +            die "Assertion failure, update needed";
> +        }
> +
> +        if ($orig_cert ne $default_cert && ! -f $orig_cert) {
> +            print STDERR "Module signature verification enabled but ",
> +                "module signing key \"$orig_cert\" not found. Resetting ",
> +                "signing key to default value.\n";
> +            print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
> +        } else {
> +            print;
> +        }
> +        next;
> +    }
> +
> +    if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
> +        my $orig_keys = $1;
> +
> +        if (! -f $orig_keys) {
> +            print STDERR "System keyring enabled but keys \"$orig_keys\" ",
> +                "not found. Resetting keys to default value.\n";
> +            print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
> +        } else {
> +            print;
> +        }
> +        next;
> +    }
> +
>      if (/^(CONFIG.*)=(m|y)/) {
>  	if (defined($configs{$1})) {
>  	    if ($localyesconfig) {
> -- 
> 2.7.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steven Rostedt April 26, 2016, 2:02 p.m. UTC | #2
On Sat,  2 Apr 2016 10:55:22 -0700
Benjamin Poirier <bpoirier@suse.com> wrote:

> When using `make localmodconfig` and friends, if the input config comes
> from a kernel that was built in a different environment (for example, the
> canonical case of using localmodconfig to trim a distribution kernel
> config) the key files for module signature checking will not be available
> and should be regenerated or omitted. Otherwise, the user will be faced
> with annoying errors when trying to build with the generated .config:
> 
> make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
> Makefile:1576: recipe for target 'certs/' failed
> 
> Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
> ---
>  scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
> index 7036ae3..514735d 100755
> --- a/scripts/kconfig/streamline_config.pl
> +++ b/scripts/kconfig/streamline_config.pl
> @@ -610,6 +610,40 @@ foreach my $line (@config_file) {
>  	next;
>      }
>  
> +    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
> +        my $orig_cert = $1;
> +        my $default_cert = "certs/signing_key.pem";
> +
> +        # Check that the logic in this script still matches the one in Kconfig
> +        if (!defined($depends{"MODULE_SIG_KEY"}) ||
> +            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
> +            die "Assertion failure, update needed";

Instead of dying here, what about just going back to the current
behavior, and ignore the sig keys?

-- Steve

> +        }
> +
> +        if ($orig_cert ne $default_cert && ! -f $orig_cert) {
> +            print STDERR "Module signature verification enabled but ",
> +                "module signing key \"$orig_cert\" not found. Resetting ",
> +                "signing key to default value.\n";
> +            print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
> +        } else {
> +            print;
> +        }
> +        next;
> +    }
> +
> +    if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
> +        my $orig_keys = $1;
> +
> +        if (! -f $orig_keys) {
> +            print STDERR "System keyring enabled but keys \"$orig_keys\" ",
> +                "not found. Resetting keys to default value.\n";
> +            print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
> +        } else {
> +            print;
> +        }
> +        next;
> +    }
> +
>      if (/^(CONFIG.*)=(m|y)/) {
>  	if (defined($configs{$1})) {
>  	    if ($localyesconfig) {

Benjamin Poirier April 26, 2016, 6:51 p.m. UTC | #3
On 2016/04/26 10:02, Steven Rostedt wrote:
> On Sat,  2 Apr 2016 10:55:22 -0700
> Benjamin Poirier <bpoirier@suse.com> wrote:
> 
> > When using `make localmodconfig` and friends, if the input config comes
> > from a kernel that was built in a different environment (for example, the
> > canonical case of using localmodconfig to trim a distribution kernel
> > config) the key files for module signature checking will not be available
> > and should be regenerated or omitted. Otherwise, the user will be faced
> > with annoying errors when trying to build with the generated .config:
> > 
> > make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
> > Makefile:1576: recipe for target 'certs/' failed
> > 
> > Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
> > ---
> >  scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 34 insertions(+)
> > 
> > diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
> > index 7036ae3..514735d 100755
> > --- a/scripts/kconfig/streamline_config.pl
> > +++ b/scripts/kconfig/streamline_config.pl
> > @@ -610,6 +610,40 @@ foreach my $line (@config_file) {
> >  	next;
> >      }
> >  
> > +    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
> > +        my $orig_cert = $1;
> > +        my $default_cert = "certs/signing_key.pem";
> > +
> > +        # Check that the logic in this script still matches the one in Kconfig
> > +        if (!defined($depends{"MODULE_SIG_KEY"}) ||
> > +            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
> > +            die "Assertion failure, update needed";
> 
> Instead of dying here, what about just going back to the current
> behavior, and ignore the sig keys?

I was concerned that the warning may go unnoticed but I think you're right. It
is the same kind of concern between a BUG() or a WARN_ON(). In this case it
certainly is possible to keep going and ignore the certificate check, as you
suggest.
Patch

diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
index 7036ae3..514735d 100755
--- a/scripts/kconfig/streamline_config.pl
+++ b/scripts/kconfig/streamline_config.pl
@@ -610,6 +610,40 @@  foreach my $line (@config_file) {
 	next;
     }
 
+    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
+        my $orig_cert = $1;
+        my $default_cert = "certs/signing_key.pem";
+
+        # Check that the logic in this script still matches the one in Kconfig
+        if (!defined($depends{"MODULE_SIG_KEY"}) ||
+            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
+            die "Assertion failure, update needed";
+        }
+
+        if ($orig_cert ne $default_cert && ! -f $orig_cert) {
+            print STDERR "Module signature verification enabled but ",
+                "module signing key \"$orig_cert\" not found. Resetting ",
+                "signing key to default value.\n";
+            print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
+        } else {
+            print;
+        }
+        next;
+    }
+
+    if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
+        my $orig_keys = $1;
+
+        if (! -f $orig_keys) {
+            print STDERR "System keyring enabled but keys \"$orig_keys\" ",
+                "not found. Resetting keys to default value.\n";
+            print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
+        } else {
+            print;
+        }
+        next;
+    }
+
     if (/^(CONFIG.*)=(m|y)/) {
 	if (defined($configs{$1})) {
 	    if ($localyesconfig) {
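Review bot: the `die "Assertion failure, update needed";` in the CONFIG_MODULE_SIG_KEY branch turns a mismatch between this script's hard-coded `$default_cert = "certs/signing_key.pem"` and whatever Kconfig now records in `$depends{"MODULE_SIG_KEY"}` into a hard failure of the whole `make localmodconfig` run, although nothing else in the script depends on that value; print the warning to STDERR and fall through to `print;` (pass the line through unchanged, i.e. today's behaviour) so a stale default degrades to the old build error rather than to no .config at all. Two smaller points in the same hunk: the new matches `/CONFIG_MODULE_SIG_KEY="(.+)"/` and `/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/` are unanchored while the existing match right below is `/^(CONFIG.*)=(m|y)/`, so a leading `^` would keep them consistent; and both `-f` tests resolve a relative path against the current working directory, which is only correct when the script runs from the source tree as `make` invokes it, so a comment stating that assumption would help the next reader. The reset itself is the right default from a defender's standpoint: a .config that names a signing key or trusted-keys bundle the build cannot find is better replaced by the generated key (CONFIG_MODULE_SIG_KEY) or an empty extra keyring (CONFIG_SYSTEM_TRUSTED_KEYS="") than left to fail in certs/, and since the STDERR messages already name the dropped path, the user can restore the original certificates deliberately if the built kernel must trust them.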