Message ID | 20220611172233.1494073-2-masahiroy@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Series | [1/4] certs/blacklist_hashes.c: fix const confusion in certs blacklist |
On 11/06/2022 19:22, Masahiro Yamada wrote: > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > valid") was applied 8 months after the submission. > > In the meantime, the base code had been removed by commit b8c96a6b466c > ("certs: simplify $(srctree)/ handling and remove config_filename > macro"). > > Fix the Makefile. > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > included from certs/blacklist_hashes.c and also works as a timestamp. > > Send error messages from check-blacklist-hashes.awk to stderr instead > of stdout. > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> As a side note, it may let an orphan certs/blacklist_hashes_checked file but we can't really do something about that and it's OK. Thanks! > --- > > certs/.gitignore | 2 +- > certs/Makefile | 20 ++++++++++---------- > certs/blacklist_hashes.c | 2 +- > 3 files changed, 12 insertions(+), 12 deletions(-) > > diff --git a/certs/.gitignore b/certs/.gitignore > index 56637aceaf81..cec5465f31c1 100644 > --- a/certs/.gitignore > +++ b/certs/.gitignore > @@ -1,5 +1,5 @@ > # SPDX-License-Identifier: GPL-2.0-only > -/blacklist_hashes_checked > +/blacklist_hash_list > /extract-cert > /x509_certificate_list > /x509_revocation_list > diff --git a/certs/Makefile b/certs/Makefile > index cb1a9da3fc58..a8d628fd5f7b 100644 > --- a/certs/Makefile > +++ b/certs/Makefile 
> @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > +CFLAGS_blacklist_hashes.o := -I $(obj) > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > + cmd_check_and_copy_blacklist_hash_list = \ > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > - > -targets += blacklist_hashes_checked > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > + $(call if_changed,check_and_copy_blacklist_hash_list) > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > else > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > endif > +targets += blacklist_hash_list > > quiet_cmd_extract_certs = CERT $@ > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > $(call if_changed,extract_certs) > > -targets += x509_certificate_list blacklist_hashes_checked > +targets += x509_certificate_list > > # If module signing is requested, say by allyesconfig, but a key has not been > # supplied, then one will need to be generated to make sure the build does not > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > index d5961aa3d338..86d66fe11348 100644 > --- a/certs/blacklist_hashes.c > +++ b/certs/blacklist_hashes.c > @@ -2,6 +2,6 @@ > #include "blacklist.h" > > const char __initconst *const blacklist_hashes[] = { > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > +#include "blacklist_hash_list" > , NULL > };
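Review bot: In cmd_check_and_copy_blacklist_hash_list (certs/Makefile, hunk at -7,22 +7,22) the awk check and the copy are joined with ';', so whatever status check-blacklist-hashes.awk returns is ignored and 'cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@' runs regardless. If the check is meant to gate the build, join the two commands with '&&' so a failing check stops the copy; if it is advisory only, a one-line comment saying so would help. Separately, the new rule for $(obj)/blacklist_hash_list no longer lists scripts/check-blacklist-hashes.awk as a prerequisite, which the removed blacklist_hashes_checked rule did, so a change to the script will not re-run the check; consider keeping it in the prerequisite list.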
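Review bot: The new '#include "blacklist_hash_list"' in certs/blacklist_hashes.c (hunk at -2,6 +2,6) gives no hint that the file is generated and only resolves through the 'CFLAGS_blacklist_hashes.o := -I $(obj)' line added in certs/Makefile. A short comment above the include naming the Makefile rule that produces the file would save the next reader a search. Note also that the quoted include form searches the directory of blacklist_hashes.c before the -I path, so a leftover blacklist_hash_list next to the source would be used ahead of the copy in $(obj).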
On Mon, Jun 13, 2022 at 9:34 PM Mickaël Salaün <mic@digikod.net> wrote: > > > > On 11/06/2022 19:22, Masahiro Yamada wrote: > > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > > valid") was applied 8 months after the submission. > > > > In the meantime, the base code had been removed by commit b8c96a6b466c > > ("certs: simplify $(srctree)/ handling and remove config_filename > > macro"). > > > > Fix the Makefile. > > > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > > included from certs/blacklist_hashes.c and also works as a timestamp. > > > > Send error messages from check-blacklist-hashes.awk to stderr instead > > of stdout. > > > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> > > As a side note, it may let an orphan certs/blacklist_hashes_checked file > but we can't really do something about that and it's OK. GNU Make uses timestamps of files for dependency tracking, so Kbuild keeps all intermediate files. Keeping certs/blacklist_hashes_checked is the right thing to do. > Thanks! > > > --- > > > > certs/.gitignore | 2 +- > > certs/Makefile | 20 ++++++++++---------- > > certs/blacklist_hashes.c | 2 +- > > 3 files changed, 12 insertions(+), 12 deletions(-) > > > > diff --git a/certs/.gitignore b/certs/.gitignore > > index 56637aceaf81..cec5465f31c1 100644 > > --- a/certs/.gitignore > > +++ b/certs/.gitignore > > @@ -1,5 +1,5 @@ > > # SPDX-License-Identifier: GPL-2.0-only > > -/blacklist_hashes_checked > > +/blacklist_hash_list > > /extract-cert > > /x509_certificate_list > > /x509_revocation_list > > diff --git a/certs/Makefile b/certs/Makefile > > index cb1a9da3fc58..a8d628fd5f7b 100644 > > --- a/certs/Makefile > > +++ b/certs/Makefile 
> > @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > > +CFLAGS_blacklist_hashes.o := -I $(obj) > > > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > > + cmd_check_and_copy_blacklist_hash_list = \ > > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > > - > > -targets += blacklist_hashes_checked > > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > + $(call if_changed,check_and_copy_blacklist_hash_list) > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > else > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > > endif > > +targets += blacklist_hash_list > > > > quiet_cmd_extract_certs = CERT $@ > > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> > @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > > $(call if_changed,extract_certs) > > > > -targets += x509_certificate_list blacklist_hashes_checked > > +targets += x509_certificate_list > > > > # If module signing is requested, say by allyesconfig, but a key has not been > > # supplied, then one will need to be generated to make sure the build does not > > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > > index d5961aa3d338..86d66fe11348 100644 > > --- a/certs/blacklist_hashes.c > > +++ b/certs/blacklist_hashes.c > > @@ -2,6 +2,6 @@ > > #include "blacklist.h" > > > > const char __initconst *const blacklist_hashes[] = { > > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > > +#include "blacklist_hash_list" > > , NULL > > }; -- Best Regards Masahiro Yamada
On 13/06/2022 16:55, Masahiro Yamada wrote: > On Mon, Jun 13, 2022 at 9:34 PM Mickaël Salaün <mic@digikod.net> wrote: >> >> >> >> On 11/06/2022 19:22, Masahiro Yamada wrote: >>> Commit addf466389d9 ("certs: Check that builtin blacklist hashes are >>> valid") was applied 8 months after the submission. >>> >>> In the meantime, the base code had been removed by commit b8c96a6b466c >>> ("certs: simplify $(srctree)/ handling and remove config_filename >>> macro"). >>> >>> Fix the Makefile. >>> >>> Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is >>> included from certs/blacklist_hashes.c and also works as a timestamp. >>> >>> Send error messages from check-blacklist-hashes.awk to stderr instead >>> of stdout. >>> >>> Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") >>> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> >> >> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> >> >> As a side note, it may let an orphan certs/blacklist_hashes_checked file >> but we can't really do something about that and it's OK. > > > GNU Make uses timestamps of files for dependency tracking, > so Kbuild keeps all intermediate files. > > Keeping certs/blacklist_hashes_checked > is the right thing to do. blacklist_hashes_checked is the file you replaced with blacklist_hash_list, and is then not used in any Makefile anymore. There is then no timestamp issue. I just wanted to mention that it is normal that a git status will show it on build directories also used as source directories that were already using such feature. > > > >> Thanks! >> >>> --- >>> >>> certs/.gitignore | 2 +- >>> certs/Makefile | 20 ++++++++++---------- >>> certs/blacklist_hashes.c | 2 +- >>> 3 files changed, 12 insertions(+), 12 deletions(-) >>> >>> diff --git a/certs/.gitignore b/certs/.gitignore >>> index 56637aceaf81..cec5465f31c1 100644 >>> --- a/certs/.gitignore >>> +++ b/certs/.gitignore 
>>> @@ -1,5 +1,5 @@ >>> # SPDX-License-Identifier: GPL-2.0-only >>> -/blacklist_hashes_checked >>> +/blacklist_hash_list >>> /extract-cert >>> /x509_certificate_list >>> /x509_revocation_list >>> diff --git a/certs/Makefile b/certs/Makefile >>> index cb1a9da3fc58..a8d628fd5f7b 100644 >>> --- a/certs/Makefile >>> +++ b/certs/Makefile 
>>> @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c >>> obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o >>> obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o >>> ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) >>> -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) >>> - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ >>> >>> -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) >>> +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list >>> +CFLAGS_blacklist_hashes.o := -I $(obj) >>> >>> -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked >>> +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ >>> + cmd_check_and_copy_blacklist_hash_list = \ >>> + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ >>> + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ >>> >>> -CFLAGS_blacklist_hashes.o += -I$(srctree) >>> - >>> -targets += blacklist_hashes_checked >>> -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE >>> - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) >>> +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE >>> + $(call if_changed,check_and_copy_blacklist_hash_list) >>> obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o >>> else >>> obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o >>> endif >>> +targets += blacklist_hash_list >>> >>> quiet_cmd_extract_certs = CERT $@ >>> cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
>>> @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list >>> $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE >>> $(call if_changed,extract_certs) >>> >>> -targets += x509_certificate_list blacklist_hashes_checked >>> +targets += x509_certificate_list >>> >>> # If module signing is requested, say by allyesconfig, but a key has not been >>> # supplied, then one will need to be generated to make sure the build does not >>> diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c >>> index d5961aa3d338..86d66fe11348 100644 >>> --- a/certs/blacklist_hashes.c >>> +++ b/certs/blacklist_hashes.c >>> @@ -2,6 +2,6 @@ >>> #include "blacklist.h" >>> >>> const char __initconst *const blacklist_hashes[] = { >>> -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST >>> +#include "blacklist_hash_list" >>> , NULL >>> }; > > > > -- > Best Regards > Masahiro Yamada
On Tue, Jun 14, 2022 at 3:06 AM Mickaël Salaün <mic@digikod.net> wrote:
>
>
> On 13/06/2022 16:55, Masahiro Yamada wrote:
> > On Mon, Jun 13, 2022 at 9:34 PM Mickaël Salaün <mic@digikod.net> wrote:
> >>
> >>
> >>
> >> On 11/06/2022 19:22, Masahiro Yamada wrote:
> >>> Commit addf466389d9 ("certs: Check that builtin blacklist hashes are
> >>> valid") was applied 8 months after the submission.
> >>>
> >>> In the meantime, the base code had been removed by commit b8c96a6b466c
> >>> ("certs: simplify $(srctree)/ handling and remove config_filename
> >>> macro").
> >>>
> >>> Fix the Makefile.
> >>>
> >>> Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is
> >>> included from certs/blacklist_hashes.c and also works as a timestamp.
> >>>
> >>> Send error messages from check-blacklist-hashes.awk to stderr instead
> >>> of stdout.
> >>>
> >>> Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
> >>> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> >>
> >> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
> >>
> >> As a side note, it may let an orphan certs/blacklist_hashes_checked file
> >> but we can't really do something about that and it's OK.
> >
> >
> > GNU Make uses timestamps of files for dependency tracking,
> > so Kbuild keeps all intermediate files.
> >
> > Keeping certs/blacklist_hashes_checked
> > is the right thing to do.
>
> blacklist_hashes_checked is the file you replaced with
> blacklist_hash_list, and is then not used in any Makefile anymore. There
> is then no timestamp issue. I just wanted to mention that it is normal
> that a git status will show it on build directories also used as source
> directories that were already using such feature.

Ah, sorry, I misunderstood your feedback.

If 'git status' is your concern,
we can add certs/blacklist_hashes_checked
to scripts/remove-stale-files.

addf466389d9d78f255e8b15ac44ab4791029852
was merged into mainline just recently, and
not contained in any release.

But, if the orphan timestamp matters, I will do it.
It is just a one-liner addition.

--
Best Regards
Masahiro Yamada

On 13/06/2022 20:56, Masahiro Yamada wrote:
> On Tue, Jun 14, 2022 at 3:06 AM Mickaël Salaün <mic@digikod.net> wrote:
>>
>>
>> On 13/06/2022 16:55, Masahiro Yamada wrote:
>>> On Mon, Jun 13, 2022 at 9:34 PM Mickaël Salaün <mic@digikod.net> wrote:
>>>>
>>>>
>>>>
>>>> On 11/06/2022 19:22, Masahiro Yamada wrote:
>>>>> Commit addf466389d9 ("certs: Check that builtin blacklist hashes are
>>>>> valid") was applied 8 months after the submission.
>>>>>
>>>>> In the meantime, the base code had been removed by commit b8c96a6b466c
>>>>> ("certs: simplify $(srctree)/ handling and remove config_filename
>>>>> macro").
>>>>>
>>>>> Fix the Makefile.
>>>>>
>>>>> Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is
>>>>> included from certs/blacklist_hashes.c and also works as a timestamp.
>>>>>
>>>>> Send error messages from check-blacklist-hashes.awk to stderr instead
>>>>> of stdout.
>>>>>
>>>>> Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
>>>>> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
>>>>
>>>> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
>>>>
>>>> As a side note, it may let an orphan certs/blacklist_hashes_checked file
>>>> but we can't really do something about that and it's OK.
>>>
>>>
>>> GNU Make uses timestamps of files for dependency tracking,
>>> so Kbuild keeps all intermediate files.
>>>
>>> Keeping certs/blacklist_hashes_checked
>>> is the right thing to do.
>>
>> blacklist_hashes_checked is the file you replaced with
>> blacklist_hash_list, and is then not used in any Makefile anymore. There
>> is then no timestamp issue. I just wanted to mention that it is normal
>> that a git status will show it on build directories also used as source
>> directories that were already using such feature.
>
>
> Ah, sorry, I misunderstood your feedback.
>
> If 'git status' is your concern,
> we can add certs/blacklist_hashes_checked
> to scripts/remove-stale-files.
>
> addf466389d9d78f255e8b15ac44ab4791029852
> was merged into mainline just recently, and
> not contained in any release.

Indeed, it's all good then.

>
> But, if the orphan timestamp matters, I will do it.
> It is just a one-liner addition.

On Sun, Jun 12, 2022 at 02:22:31AM +0900, Masahiro Yamada wrote: > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > valid") was applied 8 months after the submission. > > In the meantime, the base code had been removed by commit b8c96a6b466c > ("certs: simplify $(srctree)/ handling and remove config_filename > macro"). > > Fix the Makefile. > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > included from certs/blacklist_hashes.c and also works as a timestamp. > > Send error messages from check-blacklist-hashes.awk to stderr instead > of stdout. > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > --- > > certs/.gitignore | 2 +- > certs/Makefile | 20 ++++++++++---------- > certs/blacklist_hashes.c | 2 +- > 3 files changed, 12 insertions(+), 12 deletions(-) > > diff --git a/certs/.gitignore b/certs/.gitignore > index 56637aceaf81..cec5465f31c1 100644 > --- a/certs/.gitignore > +++ b/certs/.gitignore > @@ -1,5 +1,5 @@ > # SPDX-License-Identifier: GPL-2.0-only > -/blacklist_hashes_checked > +/blacklist_hash_list > /extract-cert > /x509_certificate_list > /x509_revocation_list > diff --git a/certs/Makefile b/certs/Makefile > index cb1a9da3fc58..a8d628fd5f7b 100644 > --- a/certs/Makefile > +++ b/certs/Makefile 
> @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > +CFLAGS_blacklist_hashes.o := -I $(obj) > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > + cmd_check_and_copy_blacklist_hash_list = \ > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > - > -targets += blacklist_hashes_checked > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > + $(call if_changed,check_and_copy_blacklist_hash_list) > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > else > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > endif > +targets += blacklist_hash_list > > quiet_cmd_extract_certs = CERT $@ > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > $(call if_changed,extract_certs) > > -targets += x509_certificate_list blacklist_hashes_checked > +targets += x509_certificate_list > > # If module signing is requested, say by allyesconfig, but a key has not been > # supplied, then one will need to be generated to make sure the build does not > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > index d5961aa3d338..86d66fe11348 100644 > --- a/certs/blacklist_hashes.c > +++ b/certs/blacklist_hashes.c > @@ -2,6 +2,6 @@ > #include "blacklist.h" > > const char __initconst *const blacklist_hashes[] = { > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > +#include "blacklist_hash_list" > , NULL > }; > -- > 2.32.0 > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
On Mon, Jun 13, 2022 at 02:34:36PM +0200, Mickaël Salaün wrote: > > > On 11/06/2022 19:22, Masahiro Yamada wrote: > > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > > valid") was applied 8 months after the submission. > > > > In the meantime, the base code had been removed by commit b8c96a6b466c > > ("certs: simplify $(srctree)/ handling and remove config_filename > > macro"). > > > > Fix the Makefile. > > > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > > included from certs/blacklist_hashes.c and also works as a timestamp. > > > > Send error messages from check-blacklist-hashes.awk to stderr instead > > of stdout. > > > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> > > As a side note, it may let an orphan certs/blacklist_hashes_checked file but > we can't really do something about that and it's OK. > > Thanks! > > > --- > > > > certs/.gitignore | 2 +- > > certs/Makefile | 20 ++++++++++---------- > > certs/blacklist_hashes.c | 2 +- > > 3 files changed, 12 insertions(+), 12 deletions(-) > > > > diff --git a/certs/.gitignore b/certs/.gitignore > > index 56637aceaf81..cec5465f31c1 100644 > > --- a/certs/.gitignore > > +++ b/certs/.gitignore > > @@ -1,5 +1,5 @@ > > # SPDX-License-Identifier: GPL-2.0-only > > -/blacklist_hashes_checked > > +/blacklist_hash_list > > /extract-cert > > /x509_certificate_list > > /x509_revocation_list > > diff --git a/certs/Makefile b/certs/Makefile > > index cb1a9da3fc58..a8d628fd5f7b 100644 > > --- a/certs/Makefile > > +++ b/certs/Makefile 
> > @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > > +CFLAGS_blacklist_hashes.o := -I $(obj) > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > > + cmd_check_and_copy_blacklist_hash_list = \ > > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > > - > > -targets += blacklist_hashes_checked > > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > + $(call if_changed,check_and_copy_blacklist_hash_list) > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > else > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > > endif > > +targets += blacklist_hash_list > > quiet_cmd_extract_certs = CERT $@ > > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> > @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > > $(call if_changed,extract_certs) > > -targets += x509_certificate_list blacklist_hashes_checked > > +targets += x509_certificate_list > > # If module signing is requested, say by allyesconfig, but a key has not been > > # supplied, then one will need to be generated to make sure the build does not > > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > > index d5961aa3d338..86d66fe11348 100644 > > --- a/certs/blacklist_hashes.c > > +++ b/certs/blacklist_hashes.c > > @@ -2,6 +2,6 @@ > > #include "blacklist.h" > > const char __initconst *const blacklist_hashes[] = { > > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > > +#include "blacklist_hash_list" > > , NULL > > }; I'll make a PR for 1/4 and 2/4 so that they get into 5.19. BR, Jarkko
On Thu, Jun 16, 2022 at 3:51 AM Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Mon, Jun 13, 2022 at 02:34:36PM +0200, Mickaël Salaün wrote: > > > > > > On 11/06/2022 19:22, Masahiro Yamada wrote: > > > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > > > valid") was applied 8 months after the submission. > > > > > > In the meantime, the base code had been removed by commit b8c96a6b466c > > > ("certs: simplify $(srctree)/ handling and remove config_filename > > > macro"). > > > > > > Fix the Makefile. > > > > > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > > > included from certs/blacklist_hashes.c and also works as a timestamp. > > > > > > Send error messages from check-blacklist-hashes.awk to stderr instead > > > of stdout. > > > > > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > > > Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> > > > > As a side note, it may let an orphan certs/blacklist_hashes_checked file but > > we can't really do something about that and it's OK. > > > > Thanks! > > > > > --- > > > > > > certs/.gitignore | 2 +- > > > certs/Makefile | 20 ++++++++++---------- > > > certs/blacklist_hashes.c | 2 +- > > > 3 files changed, 12 insertions(+), 12 deletions(-) > > > > > > diff --git a/certs/.gitignore b/certs/.gitignore > > > index 56637aceaf81..cec5465f31c1 100644 > > > --- a/certs/.gitignore > > > +++ b/certs/.gitignore > > > @@ -1,5 +1,5 @@ > > > # SPDX-License-Identifier: GPL-2.0-only > > > -/blacklist_hashes_checked > > > +/blacklist_hash_list > > > /extract-cert > > > /x509_certificate_list > > > /x509_revocation_list > > > diff --git a/certs/Makefile b/certs/Makefile > > > index cb1a9da3fc58..a8d628fd5f7b 100644 > > > --- a/certs/Makefile > > > +++ b/certs/Makefile 
> > > @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > > > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > > > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > > > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > > > +CFLAGS_blacklist_hashes.o := -I $(obj) > > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > > > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > > > + cmd_check_and_copy_blacklist_hash_list = \ > > > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > > > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > > > - > > > -targets += blacklist_hashes_checked > > > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > > > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > > > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > > + $(call if_changed,check_and_copy_blacklist_hash_list) > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > > else > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > > > endif > > > +targets += blacklist_hash_list > > > quiet_cmd_extract_certs = CERT $@ > > > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> > > @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > > > $(call if_changed,extract_certs) > > > -targets += x509_certificate_list blacklist_hashes_checked > > > +targets += x509_certificate_list > > > # If module signing is requested, say by allyesconfig, but a key has not been > > > # supplied, then one will need to be generated to make sure the build does not > > > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > > > index d5961aa3d338..86d66fe11348 100644 > > > --- a/certs/blacklist_hashes.c > > > +++ b/certs/blacklist_hashes.c > > > @@ -2,6 +2,6 @@ > > > #include "blacklist.h" > > > const char __initconst *const blacklist_hashes[] = { > > > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > > > +#include "blacklist_hash_list" > > > , NULL > > > }; > > I'll make a PR for 1/4 and 2/4 so that they get into 5.19. > > BR, Jarkko Thank you! What shall we do for 3/4 and 4/4? Do you have a plan to queue them up for the next MW? Or, shall I apply them to my kbuild tree with your reviewed-by?
On Sun, Jun 19, 2022 at 07:12:31AM +0900, Masahiro Yamada wrote: > On Thu, Jun 16, 2022 at 3:51 AM Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Mon, Jun 13, 2022 at 02:34:36PM +0200, Mickaël Salaün wrote: > > > > > > > > > On 11/06/2022 19:22, Masahiro Yamada wrote: > > > > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > > > > valid") was applied 8 months after the submission. > > > > > > > > In the meantime, the base code had been removed by commit b8c96a6b466c > > > > ("certs: simplify $(srctree)/ handling and remove config_filename > > > > macro"). > > > > > > > > Fix the Makefile. > > > > > > > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > > > > included from certs/blacklist_hashes.c and also works as a timestamp. > > > > > > > > Send error messages from check-blacklist-hashes.awk to stderr instead > > > > of stdout. > > > > > > > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > > > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > > > > > Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> > > > > > > As a side note, it may let an orphan certs/blacklist_hashes_checked file but > > > we can't really do something about that and it's OK. > > > > > > Thanks! > > > > > > > --- > > > > > > > > certs/.gitignore | 2 +- > > > > certs/Makefile | 20 ++++++++++---------- > > > > certs/blacklist_hashes.c | 2 +- > > > > 3 files changed, 12 insertions(+), 12 deletions(-) > > > > > > > > diff --git a/certs/.gitignore b/certs/.gitignore > > > > index 56637aceaf81..cec5465f31c1 100644 > > > > --- a/certs/.gitignore > > > > +++ b/certs/.gitignore > > > > @@ -1,5 +1,5 @@ > > > > # SPDX-License-Identifier: GPL-2.0-only > > > > -/blacklist_hashes_checked > > > > +/blacklist_hash_list > > > > /extract-cert > > > > /x509_certificate_list > > > > /x509_revocation_list > > > > diff --git a/certs/Makefile b/certs/Makefile > > > > index cb1a9da3fc58..a8d628fd5f7b 100644 
> > > > --- a/certs/Makefile > > > > +++ b/certs/Makefile > > > > @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > > > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > > > > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > > > > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > > > > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > > > > +CFLAGS_blacklist_hashes.o := -I $(obj) > > > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > > > > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > > > > + cmd_check_and_copy_blacklist_hash_list = \ > > > > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > > > > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > > > > - > > > > -targets += blacklist_hashes_checked > > > > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > > > > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > > > > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > > > + $(call if_changed,check_and_copy_blacklist_hash_list) > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > > > else > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > > > > endif > > > > +targets += blacklist_hash_list > > > > quiet_cmd_extract_certs = CERT $@ > > > > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> > > > @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > > > > $(call if_changed,extract_certs) > > > > -targets += x509_certificate_list blacklist_hashes_checked > > > > +targets += x509_certificate_list > > > > # If module signing is requested, say by allyesconfig, but a key has not been > > > > # supplied, then one will need to be generated to make sure the build does not > > > > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > > > > index d5961aa3d338..86d66fe11348 100644 > > > > --- a/certs/blacklist_hashes.c > > > > +++ b/certs/blacklist_hashes.c > > > > @@ -2,6 +2,6 @@ > > > > #include "blacklist.h" > > > > const char __initconst *const blacklist_hashes[] = { > > > > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > > > > +#include "blacklist_hash_list" > > > > , NULL > > > > }; > > > > I'll make a PR for 1/4 and 2/4 so that they get into 5.19. > > > > BR, Jarkko > > > Thank you! > > What shall we do for 3/4 and 4/4? > > Do you have a plan to queue them up for the next MW? > > Or, shall I apply them to my kbuild tree with your reviewed-by? If possible, please do, thank you for taking the trouble. BR, Jarkko
On Sun, Jun 26, 2022 at 3:16 PM Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Sun, Jun 19, 2022 at 07:12:31AM +0900, Masahiro Yamada wrote: > > On Thu, Jun 16, 2022 at 3:51 AM Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Mon, Jun 13, 2022 at 02:34:36PM +0200, Mickaël Salaün wrote: > > > > > > > > > > > > On 11/06/2022 19:22, Masahiro Yamada wrote: > > > > > Commit addf466389d9 ("certs: Check that builtin blacklist hashes are > > > > > valid") was applied 8 months after the submission. > > > > > > > > > > In the meantime, the base code had been removed by commit b8c96a6b466c > > > > > ("certs: simplify $(srctree)/ handling and remove config_filename > > > > > macro"). > > > > > > > > > > Fix the Makefile. > > > > > > > > > > Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is > > > > > included from certs/blacklist_hashes.c and also works as a timestamp. > > > > > > > > > > Send error messages from check-blacklist-hashes.awk to stderr instead > > > > > of stdout. > > > > > > > > > > Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") > > > > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > > > > > > > Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> > > > > > > > > As a side note, it may let an orphan certs/blacklist_hashes_checked file but > > > > we can't really do something about that and it's OK. > > > > > > > > Thanks! > > > > > > > > > --- > > > > > > > > > > certs/.gitignore | 2 +- > > > > > certs/Makefile | 20 ++++++++++---------- > > > > > certs/blacklist_hashes.c | 2 +- > > > > > 3 files changed, 12 insertions(+), 12 deletions(-) > > > > > > > > > > diff --git a/certs/.gitignore b/certs/.gitignore > > > > > index 56637aceaf81..cec5465f31c1 100644 > > > > > --- a/certs/.gitignore > > > > > +++ b/certs/.gitignore 
> > > > > @@ -1,5 +1,5 @@ > > > > > # SPDX-License-Identifier: GPL-2.0-only > > > > > -/blacklist_hashes_checked > > > > > +/blacklist_hash_list > > > > > /extract-cert > > > > > /x509_certificate_list > > > > > /x509_revocation_list > > > > > diff --git a/certs/Makefile b/certs/Makefile > > > > > index cb1a9da3fc58..a8d628fd5f7b 100644 > > > > > --- a/certs/Makefile > > > > > +++ b/certs/Makefile 
> > > > > @@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c > > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o > > > > > obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o > > > > > ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) > > > > > -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) > > > > > - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ > > > > > -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) > > > > > +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list > > > > > +CFLAGS_blacklist_hashes.o := -I $(obj) > > > > > -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked > > > > > +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ > > > > > + cmd_check_and_copy_blacklist_hash_list = \ > > > > > + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ > > > > > + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ > > > > > -CFLAGS_blacklist_hashes.o += -I$(srctree) > > > > > - > > > > > -targets += blacklist_hashes_checked > > > > > -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE > > > > > - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) > > > > > +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > > > > + $(call if_changed,check_and_copy_blacklist_hash_list) > > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o > > > > > else > > > > > obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o > > > > > endif > > > > > +targets += blacklist_hash_list > > > > > quiet_cmd_extract_certs = CERT $@ > > > > > cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
> > > > > @@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > > > > $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE > > > > > $(call if_changed,extract_certs) > > > > > -targets += x509_certificate_list blacklist_hashes_checked > > > > > +targets += x509_certificate_list > > > > > # If module signing is requested, say by allyesconfig, but a key has not been > > > > > # supplied, then one will need to be generated to make sure the build does not > > > > > diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c > > > > > index d5961aa3d338..86d66fe11348 100644 > > > > > --- a/certs/blacklist_hashes.c > > > > > +++ b/certs/blacklist_hashes.c > > > > > @@ -2,6 +2,6 @@ > > > > > #include "blacklist.h" > > > > > const char __initconst *const blacklist_hashes[] = { > > > > > -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST > > > > > +#include "blacklist_hash_list" > > > > > , NULL > > > > > }; > > > > > > I'll make a PR for 1/4 and 2/4 so that they get into 5.19. > > > > > > BR, Jarkko > > > > > > Thank you! > > > > What shall we do for 3/4 and 4/4? > > > > Do you have a plan to queue them up for the next MW? > > > > Or, shall I apply them to my kbuild tree with your reviewed-by? > > If possible, please do, thank you for taking the trouble. > > BR, Jarkko Now, 3/4 and 4/4 applied to linux-kbuild. Thanks.
diff --git a/certs/.gitignore b/certs/.gitignore index 56637aceaf81..cec5465f31c1 100644 --- a/certs/.gitignore +++ b/certs/.gitignore @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0-only -/blacklist_hashes_checked +/blacklist_hash_list /extract-cert /x509_certificate_list /x509_revocation_list diff --git a/certs/Makefile b/certs/Makefile index cb1a9da3fc58..a8d628fd5f7b 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -7,22 +7,22 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) -quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) - cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list +CFLAGS_blacklist_hashes.o := -I $(obj) -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked +quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@ + cmd_check_and_copy_blacklist_hash_list = \ + $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \ + cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@ -CFLAGS_blacklist_hashes.o += -I$(srctree) - -targets += blacklist_hashes_checked -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE - $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE + $(call if_changed,check_and_copy_blacklist_hash_list) obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif +targets += blacklist_hash_list quiet_cmd_extract_certs = CERT $@ cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ 
@@ -33,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE $(call if_changed,extract_certs) -targets += x509_certificate_list blacklist_hashes_checked +targets += x509_certificate_list # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c index d5961aa3d338..86d66fe11348 100644 --- a/certs/blacklist_hashes.c +++ b/certs/blacklist_hashes.c @@ -2,6 +2,6 @@ #include "blacklist.h" const char __initconst *const blacklist_hashes[] = { -#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST +#include "blacklist_hash_list" , NULL };
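Review bot: in the certs/.gitignore hunk, replacing /blacklist_hashes_checked outright leaves a stamp file from an earlier in-tree build neither ignored by git nor removed by make clean, since the later certs/Makefile hunk also drops it from targets. It will show up as an untracked file in existing work trees after this change. Either mention that in the commit message so people know the file can be deleted by hand, or keep the old ignore entry alongside the new /blacklist_hash_list line for a release.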
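Review bot: in the first certs/Makefile hunk, the new rule "$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE" no longer lists scripts/check-blacklist-hashes.awk as a prerequisite, which the removed blacklist_hashes_checked rule did. With if_changed the command reruns only when a prerequisite is newer than the target or the command line itself changes, so a later fix to the checker script will not re-validate a hash list that has already been copied into an existing build tree. Since this check is what keeps malformed entries out of the built-in blacklist, keeping the script in the prerequisite list would be the safer choice.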
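Review bot: in the certs/blacklist_hashes.c hunk, the new line #include "blacklist_hash_list" no longer tells the reader where the hashes come from, and nothing in the file says the included file is generated. A one-line comment above the include stating that blacklist_hash_list is the checked copy of CONFIG_SYSTEM_BLACKLIST_HASH_LIST produced by certs/Makefile would help. It is also worth noting there that the include resolves through the -I $(obj) set in CFLAGS_blacklist_hashes.o, because the quoted form searches the directory of blacklist_hashes.c first and a file of the same name left in the source tree's certs/ directory would be picked up ahead of the generated one in an out-of-tree build.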
Commit addf466389d9 ("certs: Check that builtin blacklist hashes are valid") was applied 8 months after the submission. In the meantime, the base code had been removed by commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"). Fix the Makefile. Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is included from certs/blacklist_hashes.c and also works as a timestamp. Send error messages from check-blacklist-hashes.awk to stderr instead of stdout. Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> --- certs/.gitignore | 2 +- certs/Makefile | 20 ++++++++++---------- certs/blacklist_hashes.c | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-)