Re: [PATCH 2/2] localmodconfig: Reset certificate paths

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2016/04/26 10:02, Steven Rostedt wrote:
> On Sat,  2 Apr 2016 10:55:22 -0700
> Benjamin Poirier <bpoirier@xxxxxxxx> wrote:
> 
> > When using `make localmodconfig` and friends, if the input config comes
> > from a kernel that was built in a different environment (for example, the
> > canonical case of using localmodconfig to trim a distribution kernel
> > config) the key files for module signature checking will not be available
> > and should be regenerated or omitted. Otherwise, the user will be faced
> > with annoying errors when trying to build with the generated .config:
> > 
> > make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'.  Stop.
> > Makefile:1576: recipe for target 'certs/' failed
> > 
> > Signed-off-by: Benjamin Poirier <bpoirier@xxxxxxxx>
> > ---
> >  scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 34 insertions(+)
> > 
> > diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
> > index 7036ae3..514735d 100755
> > --- a/scripts/kconfig/streamline_config.pl
> > +++ b/scripts/kconfig/streamline_config.pl
> > @@ -610,6 +610,40 @@ foreach my $line (@config_file) {
> >  	next;
> >      }
> >  
> > +    if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
> > +        my $orig_cert = $1;
> > +        my $default_cert = "certs/signing_key.pem";
> > +
> > +        # Check that the logic in this script still matches the one in Kconfig
> > +        if (!defined($depends{"MODULE_SIG_KEY"}) ||
> > +            $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
> > +            die "Assertion failure, update needed";
> 
> Instead of dieing here, what about just going back to the current
> behavior, and ignore the sig keys?

I was concerned that the warning may go unnoticed but I think you're right. It
is the same kind of concern between a BUG() or a WARN_ON(). In this case it
certainly is possible to keep going and ignore the certificate check, as you
suggest.
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux&nblp;USB Development]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite Secrets]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux