| Message ID | 20220218044634.169520-2-masahiroy@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] certs: include certs/signing_key.x509 unconditionally | expand |
On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote: > To create an empty cert file, we need to pass "" to the extract-cert > tool, which is common for all the three call-sites of cmd_exract_certs. Missing a 't' in 'cmd_exract_certs'. Reviewed-by: Nicolas Schier <n.schier@avm.de> > > Factor out the logic into extract-cert-in. > > One exceptional case is PKCS#11 case, where we override extract-cert-in > with the URI. > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > --- > > certs/Makefile | 21 +++++++++++---------- > 1 file changed, 11 insertions(+), 10 deletions(-) > > diff --git a/certs/Makefile b/certs/Makefile > index 68c1d7b9a388..d8443cfb1c40 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > endif > > quiet_cmd_extract_certs = CERT $@ > - cmd_extract_certs = $(obj)/extract-cert $(2) $@ > + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ > +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") > > $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) > + $(call if_changed,extract_certs) > > targets += x509_certificate_list > > @@ -52,22 +53,22 @@ $(obj)/x509.genkey: > > endif # CONFIG_MODULE_SIG_KEY > > -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it > -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),) > -X509_DEP := $(CONFIG_MODULE_SIG_KEY) > -endif > - > $(obj)/system_certificates.o: $(obj)/signing_key.x509 > > -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE > - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) > +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) > +ifdef PKCS11_URI > +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) > +endif > + > +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE > + $(call if_changed,extract_certs) > > targets += signing_key.x509 > > $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list > > $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE > - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) > + $(call if_changed,extract_certs) > > targets += x509_revocation_list > > -- > 2.32.0 >
On Tue, Feb 22, 2022 at 5:12 PM Nicolas Schier <n.schier@avm.de> wrote: > > On Fri, Feb 18, 2022 at 01:46:34PM +0900, Masahiro Yamada wrote: > > To create an empty cert file, we need to pass "" to the extract-cert > > tool, which is common for all the three call-sites of cmd_exract_certs. > > Missing a 't' in 'cmd_exract_certs'. > > Reviewed-by: Nicolas Schier <n.schier@avm.de> > Thanks. Fixed the typo, and applied to linux-kbuild. -- Best Regards Masahiro Yamada
diff --git a/certs/Makefile b/certs/Makefile index 68c1d7b9a388..d8443cfb1c40 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif quiet_cmd_extract_certs = CERT $@ - cmd_extract_certs = $(obj)/extract-cert $(2) $@ + cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ +extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_certificate_list @@ -52,22 +53,22 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it -ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),) -X509_DEP := $(CONFIG_MODULE_SIG_KEY) -endif - $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) +PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) +ifdef PKCS11_URI +$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) +endif + +$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE + $(call if_changed,extract_certs) targets += signing_key.x509 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE - $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) + $(call if_changed,extract_certs) targets += x509_revocation_list
To create an empty cert file, we need to pass "" to the extract-cert tool, which is common for all the three call-sites of cmd_exract_certs. Factor out the logic into extract-cert-in. One exceptional case is PKCS#11 case, where we override extract-cert-in with the URI. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> --- certs/Makefile | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-)