summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Poirier <bpoirier@suse.com>2016-04-26 11:52:01 -0700
committerSteven Rostedt <rostedt@goodmis.org>2016-04-26 15:48:20 -0400
commit96bab35d1c4ab706922abd7cef8262fdca07664a (patch)
tree9e742a1e9972ed8e60cf5cd8292a3cbfc77f212b
parent5169192bc1d51cac1ccd57757a849657fb3bdf93 (diff)
downloadlinux-96bab35d1c4ab706922abd7cef8262fdca07664a.tar.gz
linux-96bab35d1c4ab706922abd7cef8262fdca07664a.tar.bz2
linux-96bab35d1c4ab706922abd7cef8262fdca07664a.zip
localmodconfig: Reset certificate paths
When using `make localmodconfig` and friends, if the input config comes from a kernel that was built in a different environment (for example, the canonical case of using localmodconfig to trim a distribution kernel config) the key files for module signature checking will not be available and should be regenerated or omitted. Otherwise, the user will be faced with annoying errors when trying to build with the generated .config: make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'. Stop. Makefile:1576: recipe for target 'certs/' failed Link: http://lkml.kernel.org/r/1461696721-3001-1-git-send-email-bpoirier@suse.com Signed-off-by: Benjamin Poirier <bpoirier@suse.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-rwxr-xr-xscripts/kconfig/streamline_config.pl34
1 files changed, 34 insertions, 0 deletions
diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
index 01b53eccfe2f..95a6f2b888d4 100755
--- a/scripts/kconfig/streamline_config.pl
+++ b/scripts/kconfig/streamline_config.pl
@@ -610,6 +610,40 @@ foreach my $line (@config_file) {
next;
}
+ if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
+ my $orig_cert = $1;
+ my $default_cert = "certs/signing_key.pem";
+
+ # Check that the logic in this script still matches the one in Kconfig
+ if (!defined($depends{"MODULE_SIG_KEY"}) ||
+ $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
+ print STDERR "WARNING: MODULE_SIG_KEY assertion failure, ",
+ "update needed to ", __FILE__, " line ", __LINE__, "\n";
+ print;
+ } elsif ($orig_cert ne $default_cert && ! -f $orig_cert) {
+ print STDERR "Module signature verification enabled but ",
+ "module signing key \"$orig_cert\" not found. Resetting ",
+ "signing key to default value.\n";
+ print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
+ } else {
+ print;
+ }
+ next;
+ }
+
+ if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
+ my $orig_keys = $1;
+
+ if (! -f $orig_keys) {
+ print STDERR "System keyring enabled but keys \"$orig_keys\" ",
+ "not found. Resetting keys to default value.\n";
+ print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
+ } else {
+ print;
+ }
+ next;
+ }
+
if (/^(CONFIG.*)=(m|y)/) {
if (defined($configs{$1})) {
if ($localyesconfig) {