diff options
author | Masahiro Yamada <masahiroy@kernel.org> | 2022-02-18 13:46:33 +0900 |
---|---|---|
committer | Masahiro Yamada <masahiroy@kernel.org> | 2022-03-03 08:16:19 +0900 |
commit | 6ce019f73d52513239314e75376a5ca622aa3632 (patch) | |
tree | d54854bb6f18328f11c897196cfec89e6c3762b6 | |
parent | d4c858643263cfde13f7d937eaff95c2ed87cdf1 (diff) | |
download | lwn-6ce019f73d52513239314e75376a5ca622aa3632.tar.gz lwn-6ce019f73d52513239314e75376a5ca622aa3632.zip |
certs: include certs/signing_key.x509 unconditionally
I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".
So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).
We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
-rw-r--r-- | certs/Makefile | 16 | ||||
-rw-r--r-- | certs/system_certificates.S | 3 |
2 files changed, 0 insertions, 19 deletions
diff --git a/certs/Makefile b/certs/Makefile index 3ea7fe60823f..68c1d7b9a388 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,25 +22,10 @@ $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert targets += x509_certificate_list -ifeq ($(CONFIG_MODULE_SIG),y) - SIGN_KEY = y -endif - -ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) -ifeq ($(CONFIG_MODULES),y) - SIGN_KEY = y -endif -endif - -ifdef SIGN_KEY -############################################################################### -# # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not # fail and that the kernel may be used afterwards. # -############################################################################### - # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. @@ -76,7 +61,6 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509 $(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE $(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) -endif # CONFIG_MODULE_SIG targets += signing_key.x509 diff --git a/certs/system_certificates.S b/certs/system_certificates.S index e1645e6f4d97..003e25d4a17e 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -9,10 +9,7 @@ system_certificate_list: __cert_list_start: __module_cert_start: -#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ - && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" -#endif __module_cert_end: .incbin "certs/x509_certificate_list" __cert_list_end: |