Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / f71077a4d84bbe8c7b91b7db7c4ef815755ac5e3 / . / certs / Makefile
blob: 3ea7fe60823f5b1c85a1db07bf3cd80c3ffb463e [file] [log] [blame]
Greg Kroah-Hartmanb2441312017-11-01 15:07:57 +0100[diff] [blame]1# SPDX-License-Identifier: GPL-2.0
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]2#
3# Makefile for the linux kernel signature checking certificates.
4#
5
Eric Snowberg2565ca72021-01-22 13:10:52 -0500[diff] [blame]6obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
Eric Snowbergd1f04412021-01-22 13:10:53 -0500[diff] [blame]7obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
8obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
Masahiro Yamada129ab0d2021-12-14 11:53:53 +0900[diff] [blame]9ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
David Howells734114f2017-04-03 16:07:24 +0100[diff] [blame]10obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
11else
12obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
13endif
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]14
Masahiro Yamada1c4bd9f2021-12-14 11:53:46 +0900[diff] [blame]15quiet_cmd_extract_certs = CERT $@
Masahiro Yamada340a0252021-12-14 11:53:54 +0900[diff] [blame]16 cmd_extract_certs = $(obj)/extract-cert $(2) $@
Masahiro Yamada1c4bd9f2021-12-14 11:53:46 +0900[diff] [blame]17
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]18$(obj)/system_certificates.o: $(obj)/x509_certificate_list
19
Masahiro Yamada340a0252021-12-14 11:53:54 +0900[diff] [blame]20$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
Masahiro Yamadab8c96a62021-12-14 11:53:51 +0900[diff] [blame]21 $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]22
Masahiro Yamada5cca3602021-12-14 11:53:48 +0900[diff] [blame]23targets += x509_certificate_list
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]24
25ifeq ($(CONFIG_MODULE_SIG),y)
Nayna Jain0165f4c2021-04-09 10:35:06 -0400[diff] [blame]26 SIGN_KEY = y
27endif
28
29ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
Nayna Jain781a5732021-04-22 21:16:02 -0400[diff] [blame]30ifeq ($(CONFIG_MODULES),y)
Nayna Jain0165f4c2021-04-09 10:35:06 -0400[diff] [blame]31 SIGN_KEY = y
32endif
Nayna Jain781a5732021-04-22 21:16:02 -0400[diff] [blame]33endif
Nayna Jain0165f4c2021-04-09 10:35:06 -0400[diff] [blame]34
35ifdef SIGN_KEY
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]36###############################################################################
37#
38# If module signing is requested, say by allyesconfig, but a key has not been
39# supplied, then one will need to be generated to make sure the build does not
40# fail and that the kernel may be used afterwards.
41#
42###############################################################################
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]43
44# We do it this way rather than having a boolean option for enabling an
45# external private key, because 'make randconfig' might enable such a
46# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
Masahiro Yamada129ab0d2021-12-14 11:53:53 +0900[diff] [blame]47ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem)
Stefan Bergerea35e0d2021-06-29 17:34:20 -0400[diff] [blame]48
Masahiro Yamadae06a61a2021-11-05 12:59:58 +0900[diff] [blame]49keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
Stefan Bergerea35e0d2021-06-29 17:34:20 -0400[diff] [blame]50
Masahiro Yamada54c8b512021-11-05 12:59:57 +0900[diff] [blame]51quiet_cmd_gen_key = GENKEY $@
52 cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
Masahiro Yamadac537e4d2021-12-14 11:53:45 +0900[diff] [blame]53 -batch -x509 -config $< \
54 -outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1
Masahiro Yamada54c8b512021-11-05 12:59:57 +0900[diff] [blame]55
Masahiro Yamadae06a61a2021-11-05 12:59:58 +0900[diff] [blame]56$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE
57 $(call if_changed,gen_key)
58
59targets += signing_key.pem
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]60
Masahiro Yamadaf3a2ba42021-11-05 12:59:55 +0900[diff] [blame]61quiet_cmd_copy_x509_config = COPY $@
62 cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@
63
64# You can provide your own config file. If not present, copy the default one.
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]65$(obj)/x509.genkey:
Masahiro Yamadaf3a2ba42021-11-05 12:59:55 +0900[diff] [blame]66 $(call cmd,copy_x509_config)
67
Jarkko Sakkinen5ccbdbf92017-07-13 13:16:49 +0100[diff] [blame]68endif # CONFIG_MODULE_SIG_KEY
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]69
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]70# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
Masahiro Yamadaad29a2f2022-01-21 04:22:04 +0900[diff] [blame]71ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
Masahiro Yamadab8c96a62021-12-14 11:53:51 +0900[diff] [blame]72X509_DEP := $(CONFIG_MODULE_SIG_KEY)
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]73endif
74
David Howellscfc411e2015-08-14 15:20:41 +0100[diff] [blame]75$(obj)/system_certificates.o: $(obj)/signing_key.x509
76
Masahiro Yamada340a0252021-12-14 11:53:54 +0900[diff] [blame]77$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
Masahiro Yamadae6340b62022-01-21 04:22:05 +0900[diff] [blame]78 $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
Jarkko Sakkinen5ccbdbf92017-07-13 13:16:49 +0100[diff] [blame]79endif # CONFIG_MODULE_SIG
Eric Snowbergd1f04412021-01-22 13:10:53 -0500[diff] [blame]80
Masahiro Yamada5cca3602021-12-14 11:53:48 +0900[diff] [blame]81targets += signing_key.x509
82
Eric Snowbergd1f04412021-01-22 13:10:53 -0500[diff] [blame]83$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
84
Masahiro Yamada340a0252021-12-14 11:53:54 +0900[diff] [blame]85$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
Masahiro Yamadab8c96a62021-12-14 11:53:51 +0900[diff] [blame]86 $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
Masahiro Yamada5cca3602021-12-14 11:53:48 +0900[diff] [blame]87
88targets += x509_revocation_list
Masahiro Yamada340a0252021-12-14 11:53:54 +0900[diff] [blame]89
90hostprogs := extract-cert
91
92HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null)
93HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)