[v9,4/7] sign-file: add support to sign modules in bulk

Message ID	20230809172211.343677-5-yesshedi@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-kbuild-owner@vger.kernel.org> From: Shreenidhi Shedi <yesshedi@gmail.com> To: dhowells@redhat.com, dwmw2@infradead.org, gregkh@linuxfoundation.org, masahiroy@kernel.org, nathan@kernel.org, ndesaulniers@google.com, nicolas@fjasle.eu Cc: yesshedi@gmail.com, linux-kernel@vger.kernel.org, sshedi@vmware.com, linux-kbuild@vger.kernel.org Subject: [PATCH v9 4/7] sign-file: add support to sign modules in bulk Date: Wed, 9 Aug 2023 22:52:07 +0530 Message-ID: <20230809172211.343677-5-yesshedi@gmail.com> In-Reply-To: <20230809172211.343677-1-yesshedi@gmail.com> References: <20230809172211.343677-1-yesshedi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	refactor file signing program \| expand [v9,0/7] refactor file signing program [v9,1/7] sign-file: use getopt_long_only for parsing input args [v9,2/7] sign-file: inntroduce few new flags to make argument processing easy. [v9,3/7] sign-file: move file signing logic to its own function [v9,4/7] sign-file: add support to sign modules in bulk [v9,5/7] sign-file: improve help message [v9,6/7] sign-file: use const with a global string constant [v9,7/7] sign-file: fix do while styling issue

Message ID

20230809172211.343677-5-yesshedi@gmail.com (mailing list archive)

State

New, archived

Headers

From: Shreenidhi Shedi <yesshedi@gmail.com>
To: dhowells@redhat.com, dwmw2@infradead.org,
        gregkh@linuxfoundation.org, masahiroy@kernel.org,
        nathan@kernel.org, ndesaulniers@google.com, nicolas@fjasle.eu
Cc: yesshedi@gmail.com, linux-kernel@vger.kernel.org,
        sshedi@vmware.com, linux-kbuild@vger.kernel.org
Subject: [PATCH v9 4/7] sign-file: add support to sign modules in bulk
Date: Wed,  9 Aug 2023 22:52:07 +0530
Message-ID: <20230809172211.343677-5-yesshedi@gmail.com>
In-Reply-To: <20230809172211.343677-1-yesshedi@gmail.com>
References: <20230809172211.343677-1-yesshedi@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

refactor file signing program | expand

Commit Message

Shreenidhi Shedi Aug. 9, 2023, 5:22 p.m. UTC

In the existing system, we need to invoke sign-file binary for every
module we want to sign. This patch adds support to give modules list
in bulk and it will sign them all one by one.

Signed-off-by: Shreenidhi Shedi <yesshedi@gmail.com>
---
 scripts/sign-file.c | 41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)

Comments

Greg KH Aug. 10, 2023, 5:50 a.m. UTC | #1

On Wed, Aug 09, 2023 at 10:52:07PM +0530, Shreenidhi Shedi wrote:
> In the existing system, we need to invoke sign-file binary for every
> module we want to sign. This patch adds support to give modules list
> in bulk and it will sign them all one by one.

But you never actually use this option in the kernel build process?  If
not, why add this at all?

thanks,

greg k-h

Masahiro Yamada Aug. 13, 2023, 12:26 p.m. UTC | #2

On Fri, Aug 11, 2023 at 6:10 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Wed, Aug 09, 2023 at 10:52:07PM +0530, Shreenidhi Shedi wrote:
> > In the existing system, we need to invoke sign-file binary for every
> > module we want to sign. This patch adds support to give modules list
> > in bulk and it will sign them all one by one.
>
> But you never actually use this option in the kernel build process?  If
> not, why add this at all?
>
> thanks,
>
> greg k-h


Agree.
The bulk-sign flag is never used in the upstream kernel.
We cannot accept this.

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 64d5e00f08e2..0a275256ca16 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -224,6 +224,7 @@  struct cmd_opts {
 	bool replace_orig;
 	bool raw_sig;
 	bool sign_only;
+	bool bulk_sign;
 #ifndef USE_PKCS7
 	unsigned int use_keyid;
 #endif
@@ -252,10 +253,10 @@  static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 
 	do {
 #ifndef USE_PKCS7
-		opt = getopt_long_only(argc, argv, "hpds:i:a:x:t:r:",
+		opt = getopt_long_only(argc, argv, "hpdbs:i:a:x:t:r:",
 				cmd_options, &opt_index);
 #else
-		opt = getopt_long_only(argc, argv, "hpdks:i:a:x:t:r:",
+		opt = getopt_long_only(argc, argv, "hpdkbs:i:a:x:t:r:",
 				cmd_options, &opt_index);
 #endif
 		switch (opt) {
@@ -303,6 +304,10 @@  static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 			opts->replace_orig = true;
 			break;
 
+		case 'b':
+			opts->bulk_sign = true;
+			break;
+
 		case -1:
 			break;
 
@@ -460,26 +465,34 @@  static int sign_single_file(struct cmd_opts *opts)
 
 int main(int argc, char **argv)
 {
+	int i;
 	struct cmd_opts opts = {};
 
 	parse_args(argc, argv, &opts);
 	argc -= optind;
 	argv += optind;
 
-	if (!argv[0] || argc != 1)
-		format();
-
-	if (opts.dest_name && strcmp(argv[0], opts.dest_name)) {
-		opts.replace_orig = false;
-	} else {
-		ERR(asprintf(&opts.dest_name, "%s.~signed~", opts.module_name) < 0,
-				"asprintf");
-		opts.replace_orig = true;
-	}
-
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	ERR_clear_error();
 
-	return sign_single_file(&opts);
+	for (i = 0; i < argc; ++i) {
+		opts.module_name = argv[i];
+
+		if (!opts.bulk_sign && opts.dest_name && strcmp(argv[i], opts.dest_name)) {
+			opts.replace_orig = false;
+		} else {
+			ERR(asprintf(&opts.dest_name, "%s.~signed~", opts.module_name) < 0,
+				     "asprintf");
+			if (!opts.replace_orig)
+				opts.replace_orig = true;
+		}
+
+		if (sign_single_file(&opts)) {
+			fprintf(stderr, "Failed to sign: %s module\n", opts.module_name);
+			return -1;
+		}
+	}
+
+	return 0;
 }

[v9,4/7] sign-file: add support to sign modules in bulk

Commit Message

Comments

Patch