On Mon, Jun 13, 2022 at 9:36 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
>
>
>
> On 11/06/2022 19:22, Masahiro Yamada wrote:
> > This script is only used in certs/Makefile, so certs/ is a better
> > home for it.
> >
> > Signed-off-by: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> > ---
> >
> > MAINTAINERS | 1 -
> > certs/Makefile | 2 +-
> > {scripts => certs}/check-blacklist-hashes.awk | 0
> > 3 files changed, 1 insertion(+), 2 deletions(-)
> > rename {scripts => certs}/check-blacklist-hashes.awk (100%)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 1fc9ead83d2a..7c2a7c304824 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -4627,7 +4627,6 @@ L: keyrings@xxxxxxxxxxxxxxx
> > S: Maintained
> > F: Documentation/admin-guide/module-signing.rst
> > F: certs/
> > -F: scripts/check-blacklist-hashes.awk > F: scripts/sign-file.c
> > F: tools/certs/
> >
> > diff --git a/certs/Makefile b/certs/Makefile
> > index a8d628fd5f7b..df7aaeafd19c 100644
> > --- a/certs/Makefile
> > +++ b/certs/Makefile
> > @@ -13,7 +13,7 @@ CFLAGS_blacklist_hashes.o := -I $(obj)
> >
> > quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@
> > cmd_check_and_copy_blacklist_hash_list = \
> > - $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
> > + $(AWK) -f $(srctree)/$(src)/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
> > cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@
> >
> > $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
> > diff --git a/scripts/check-blacklist-hashes.awk b/certs/check-blacklist-hashes.awk
> > similarity index 100%
> > rename from scripts/check-blacklist-hashes.awk
> > rename to certs/check-blacklist-hashes.awk
>
> It looks more appropriate and consistent to me to keep it in scripts/,
> close to other cert scripts. Is there some precedent to move such script?
I always did that. For example,
f6f57a46435d7253a52a1a07a58183678ad266a0
78a20a012ecea857e438b1f9e8091acb290bd0f5
28ba53c07638f31b153e3a32672a6124d0ff2a97
4484aa800ac588a1fe2175cd53076c21067f44b4
340a02535ee785c64c62a9c45706597a0139e972
Tools can stay in scripts/ if and only if:
- it is used globally during kernel builds
- it is still needed after the kernel builds.
"make clean" removes most of the build artifacts
but keeps ones under scripts/.
scripts/insert-sys-cert is apparently unneeded for building the kernel.
If the intended use is to manipulate vmlinux later,
that is the legitimate reason to stay in scripts/.
(but even better place might be tools/)
certs/signing_key.pem is needed even after kernel builds.
So, it should have been kept under scripts/ instead of certs/.
--
Best Regards
Masahiro Yamada
