[PATCH 1/3] KEYS: Load *.x509 files into kernel keyring

2013-01-17 Thread David Howells
Load all the files matching the pattern *.x509 that are to be found in kernel
base source dir and base build dir into the module signing keyring.

The extra_certificates file is then redundant.

Signed-off-by: David Howells dhowe...@redhat.com
---

 kernel/Makefile  |   33 +++--
 kernel/modsign_certificate.S |3 +--
 2 files changed, 28 insertions(+), 8 deletions(-)


diff --git a/kernel/Makefile b/kernel/Makefile
index 6c072b6..9fe74ff 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -134,17 +134,38 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
$(call if_changed,timeconst)
 
 ifeq ($(CONFIG_MODULE_SIG),y)
+###
 #
-# Pull the signing certificate and any extra certificates into the kernel
+# Roll all the X.509 certificates that we can find together and pull
+# them into the kernel.
 #
+###
+X509_CERTIFICATES := $(sort signing_key.x509 $(wildcard *.x509) $(wildcard 
$(srctree)/*.x509))
+
+ifeq ($(X509_CERTIFICATES),)
+$(warning *** No X.509 certificates found ***)
+endif
+
+ifneq ($(wildcard $(obj)/.x509.list),)
+ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
+$(info X.509 certificate list changed)
+$(shell rm $(obj)/.x509.list)
+endif
+endif
+
+kernel/modsign_certificate.o: $(obj)/x509_certificate_list
 
-quiet_cmd_touch = TOUCH   $@
-  cmd_touch = touch   $@
+quiet_cmd_x509certs  = CERTS   $@
+  cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null $@
+targets += $(obj)/x509_certificate_list
+$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
+   $(call if_changed,x509certs)
 
-extra_certificates:
-   $(call cmd,touch)
+targets += $(obj)/.x509.list
+$(obj)/.x509.list:
+   @echo $(X509_CERTIFICATES) $@
 
-kernel/modsign_certificate.o: signing_key.x509 extra_certificates
+clean-files := x509_certificate_list .x509.list
 
 ###
 #
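
Review bot: the `ifeq ($(X509_CERTIFICATES),)` test can never be true, because `signing_key.x509` is listed literally inside the `$(sort ...)` that builds X509_CERTIFICATES, so the "No X.509 certificates found" warning is dead code. Either drop it or test the two wildcard results on their own. `$(sort)` also only removes identical strings, so if the build directory and `$(srctree)` are the same directory, a file matched by both `*.x509` and `$(srctree)/*.x509` under different spellings would be concatenated twice; normalising the names before sorting would avoid that. Since every stray *.x509 file in either directory now becomes a trusted module-signing key, it would help if the CERTS step listed the files it includes, not just the target.
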
diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S
index 246b4c6..0a60203 100644
--- a/kernel/modsign_certificate.S
+++ b/kernel/modsign_certificate.S
@@ -14,6 +14,5 @@
.section .init.data,aw
 
 GLOBAL(modsign_certificate_list)
-   .incbin signing_key.x509
-   .incbin extra_certificates
+   .incbin kernel/x509_certificate_list
 GLOBAL(modsign_certificate_list_end)
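
Review bot: `.incbin kernel/x509_certificate_list` hard-codes a path relative to the top of the build tree, while the Makefile generates the file as `$(obj)/x509_certificate_list`, so the include only resolves if the assembler runs from the build root. A comment stating that assumption, or passing the path in from the Makefile, would keep the two in step. A comment above the `.incbin` saying that the blob is now a concatenation of every certificate found, rather than two named files, would also help whoever reads the parsing code later.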

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 1/3] KEYS: Load *.x509 files into kernel keyring

2013-01-17 Thread Mimi Zohar
On Thu, 2013-01-17 at 18:03 +, David Howells wrote:
> Load all the files matching the pattern *.x509 that are to be found in kernel
> base source dir and base build dir into the module signing keyring.

Do we really want certificates cluttering up the base source tree? Any
reason not to define an x509 directory?

> The extra_certificates file is then redundant.

Ok.

Mimi
