1 # SPDX-License-Identifier: GPL-2.0 1 # SPDX-License-Identifier: GPL-2.0 2 # 2 # 3 # Makefile for the linux kernel signature chec 3 # Makefile for the linux kernel signature checking certificates. 4 # 4 # 5 5 6 obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system !! 6 obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o 7 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blac !! 7 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o 8 obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revoca 8 obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o >> 9 ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") >> 10 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o >> 11 else >> 12 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o >> 13 endif 9 14 10 $(obj)/blacklist_hashes.o: $(obj)/blacklist_ha !! 15 ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) 11 CFLAGS_blacklist_hashes.o := -I $(obj) << 12 16 13 quiet_cmd_check_and_copy_blacklist_hash_list = !! 17 $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) 14 cmd_check_and_copy_blacklist_hash_list = << 15 $(if $(CONFIG_SYSTEM_BLACKLIST_HASH_LI << 16 $(AWK) -f $(src)/check-blacklist-hashe << 17 { cat $(CONFIG_SYSTEM_BLACKLIST_HASH_L << 18 echo NULL > $@) << 19 << 20 $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BL << 21 $(call if_changed,check_and_copy_black << 22 << 23 targets += blacklist_hash_list << 24 << 25 quiet_cmd_extract_certs = CERT $@ << 26 cmd_extract_certs = $(obj)/extract-cert << 27 extract-cert-in = $(filter-out $(obj)/extract- << 28 18 >> 19 # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) 29 $(obj)/system_certificates.o: $(obj)/x509_cert 20 $(obj)/system_certificates.o: $(obj)/x509_certificate_list 30 21 31 $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_ !! 22 # Cope with signing_key.x509 existing in $(srctree) not $(objtree) 32 $(call if_changed,extract_certs) !! 23 AFLAGS_system_certificates.o := -I$(srctree) >> 24 >> 25 quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) >> 26 cmd_extract_certs = scripts/extract-cert $(2) $@ 33 27 34 targets += x509_certificate_list 28 targets += x509_certificate_list >> 29 $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE >> 30 $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) >> 31 endif # CONFIG_SYSTEM_TRUSTED_KEYRING >> 32 >> 33 clean-files := x509_certificate_list .x509.list x509_revocation_list 35 34 >> 35 ifeq ($(CONFIG_MODULE_SIG),y) >> 36 ############################################################################### >> 37 # 36 # If module signing is requested, say by allye 38 # If module signing is requested, say by allyesconfig, but a key has not been 37 # supplied, then one will need to be generated 39 # supplied, then one will need to be generated to make sure the build does not 38 # fail and that the kernel may be used afterwa 40 # fail and that the kernel may be used afterwards. 39 # 41 # >> 42 ############################################################################### >> 43 ifndef CONFIG_MODULE_SIG_HASH >> 44 $(error Could not determine digest type to use from kernel config) >> 45 endif >> 46 >> 47 redirect_openssl = 2>&1 >> 48 quiet_redirect_openssl = 2>&1 >> 49 silent_redirect_openssl = 2>/dev/null >> 50 openssl_available = $(shell openssl help 2>/dev/null && echo yes) >> 51 40 # We do it this way rather than having a boole 52 # We do it this way rather than having a boolean option for enabling an 41 # external private key, because 'make randconf 53 # external private key, because 'make randconfig' might enable such a 42 # boolean option and we unfortunately can't ma 54 # boolean option and we unfortunately can't make it depend on !RANDCONFIG. 43 ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_k !! 55 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") 44 << 45 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := << 46 << 47 quiet_cmd_gen_key = GENKEY $@ << 48 cmd_gen_key = openssl req -new -nodes -u << 49 -batch -x509 -config $< \ << 50 -outform PEM -out $@ -keyout $ << 51 56 52 $(obj)/signing_key.pem: $(obj)/x509.genkey FOR !! 57 ifeq ($(openssl_available),yes) 53 $(call if_changed,gen_key) !! 58 X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) 54 59 55 targets += signing_key.pem !! 60 $(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) >> 61 endif 56 62 57 quiet_cmd_copy_x509_config = COPY $@ !! 63 $(obj)/signing_key.pem: $(obj)/x509.genkey 58 cmd_copy_x509_config = cat $(src)/defaul !! 64 @$(kecho) "###" >> 65 @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." >> 66 @$(kecho) "###" >> 67 @$(kecho) "### If this takes a long time, you might wish to run rngd in the" >> 68 @$(kecho) "### background to keep the supply of entropy topped up. It" >> 69 @$(kecho) "### needs to be run as root, and uses a hardware random" >> 70 @$(kecho) "### number generator if one is available." >> 71 @$(kecho) "###" >> 72 $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ >> 73 -batch -x509 -config $(obj)/x509.genkey \ >> 74 -outform PEM -out $(obj)/signing_key.pem \ >> 75 -keyout $(obj)/signing_key.pem \ >> 76 $($(quiet)redirect_openssl) >> 77 @$(kecho) "###" >> 78 @$(kecho) "### Key pair generated." >> 79 @$(kecho) "###" 59 80 60 # You can provide your own config file. If not << 61 $(obj)/x509.genkey: 81 $(obj)/x509.genkey: 62 $(call cmd,copy_x509_config) !! 82 @$(kecho) Generating X.509 key generation config 63 !! 83 @echo >$@ "[ req ]" >> 84 @echo >>$@ "default_bits = 4096" >> 85 @echo >>$@ "distinguished_name = req_distinguished_name" >> 86 @echo >>$@ "prompt = no" >> 87 @echo >>$@ "string_mask = utf8only" >> 88 @echo >>$@ "x509_extensions = myexts" >> 89 @echo >>$@ >> 90 @echo >>$@ "[ req_distinguished_name ]" >> 91 @echo >>$@ "#O = Unspecified company" >> 92 @echo >>$@ "CN = Build time autogenerated kernel key" >> 93 @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" >> 94 @echo >>$@ >> 95 @echo >>$@ "[ myexts ]" >> 96 @echo >>$@ "basicConstraints=critical,CA:FALSE" >> 97 @echo >>$@ "keyUsage=digitalSignature" >> 98 @echo >>$@ "subjectKeyIdentifier=hash" >> 99 @echo >>$@ "authorityKeyIdentifier=keyid" 64 endif # CONFIG_MODULE_SIG_KEY 100 endif # CONFIG_MODULE_SIG_KEY 65 101 66 $(obj)/system_certificates.o: $(obj)/signing_k !! 102 $(eval $(call config_filename,MODULE_SIG_KEY)) 67 103 68 PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODU !! 104 # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it 69 ifdef PKCS11_URI !! 105 ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) 70 $(obj)/signing_key.x509: extract-cert-in := $( !! 106 X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) 71 endif 107 endif 72 108 73 $(obj)/signing_key.x509: $(filter-out $(PKCS11 !! 109 # GCC PR#66871 again. 74 $(call if_changed,extract_certs) !! 110 $(obj)/system_certificates.o: $(obj)/signing_key.x509 75 111 76 targets += signing_key.x509 112 targets += signing_key.x509 >> 113 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE >> 114 $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) >> 115 endif # CONFIG_MODULE_SIG 77 116 78 $(obj)/revocation_certificates.o: $(obj)/x509_ !! 117 ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) 79 118 80 $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_R !! 119 $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) 81 $(call if_changed,extract_certs) << 82 120 83 targets += x509_revocation_list !! 121 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list 84 122 85 hostprogs := extract-cert !! 123 quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) >> 124 cmd_extract_certs = scripts/extract-cert $(2) $@ 86 125 87 HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_ !! 126 targets += x509_revocation_list 88 HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CO !! 127 $(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE >> 128 $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) >> 129 endif
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.