Re: [PATCH v3 07/15] crypto: rsa: include key name hint into CONFIG_CRYPTO_RSA_KEY

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Sep 11, 2024 at 10:27:42AM +0200, Ahmad Fatoum wrote:
> Hello Sascha,
> 
> On 06.09.24 12:40, Sascha Hauer wrote:
> > Set the key name hint in CONFIG_CRYPTO_RSA_KEY. CONFIG_CRYPTO_RSA_KEY
> > now has the form:
> > 
> > <key_name_hint>:<filename/uri>
> > 
> > This is done in preparation to make CONFIG_CRYPTO_RSA_KEY a list of
> > keys.
> 
> IIUC, existing users that do make oldconfig will:
> 
>   - either lose the key hint and need to add it back or just live with
>     an iteration of the list
> 
>   - have pkcs11:$uri URIs which will be interpreted as key hint and
>     result on some error message that the URI is not a valid path.

When a URI starts with "pkcs11:" then keytoc will take this as a pkcs11
URI, it won't interpret it as a key name hint. In other words, "pkcs11"
is not a valid key name hint. You will get an error in this case.

> > diff --git a/crypto/Makefile b/crypto/Makefile
> > index d7a06a721d..f3e49ab7ba 100644
> > --- a/crypto/Makefile
> > +++ b/crypto/Makefile
> > @@ -29,10 +29,9 @@ $(obj)/rsa.o: $(obj)/rsa-keys.h
> >  
> >  CONFIG_CRYPTO_RSA_KEY := $(CONFIG_CRYPTO_RSA_KEY:"%"=%)
> >  
> > -ifneq ($(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_RSA_KEY)),)
> > -RSA_DEP := $(CONFIG_CRYPTO_RSA_KEY)
> > -endif
> > +RSA_DEP := $(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_RSA_KEY))
> > +RSA_DEP := $(shell echo $(RSA_DEP) | sed -e "s/[[:alnum:]]*://g")

There still is a bug here though. The dependencies are wrong for pkcs11
URIs which have a key name hint, i.e. something like "hint:pkcs:foo". In
this case RSA_DEP contains 'foo' and we get:

make[2]: *** No rule to make target 'foo', needed by 'crypto/public-keys.h'.  Stop.

We can remove the dependencies altogether and just keep the FORCE. The
dependencies were introduced to avoid unnecessary rebuilds. However, the
public_keys cmd will only produce output when it actually changes, so
no rebuilds will occur even without the dependencies.

> >  
> >  $(obj)/rsa-keys.h: $(RSA_DEP) FORCE
> > -	$(call cmd,public_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CONFIG_CRYPTO_RSA_KEY))
> > +	$(call cmd,public_keys,$(CONFIG_CRYPTO_RSA_KEY))
> >  endif

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux