diff mbox series

[1/2] certs: Fix build error when PKCS#11 URI contains semicolon

Message ID 20230130141553.3825449-2-jlu@pengutronix.de
State New
Headers
Series Fix module signing with PKCS#11 URIs |

Commit Message

Jan Lübbe Jan. 30, 2023, 2:15 p.m. UTC 
  When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:

  certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
  Usage: extract-cert <source> <dest>

Add quotes to the PKCS11_URI variable to avoid splitting by the shell.

Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 certs/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Masahiro Yamada Jan. 30, 2023, 3:18 p.m. UTC | #1 
On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote:
>
> When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
> semicolon, signing_key.x509 fails to build:
>
>   certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
>   Usage: extract-cert <source> <dest>
>
> Add quotes to the PKCS11_URI variable to avoid splitting by the shell.
>
> Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
>  certs/Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/certs/Makefile b/certs/Makefile
> index 9486ed924731..cda21811ed88 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
>
>  PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
>  ifdef PKCS11_URI
> -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"
>  endif
>
>  $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> --
> 2.30.2
>

Instead, how about this?




diff --git a/certs/Makefile b/certs/Makefile
index 9486ed924731..799ad7b9e68a 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list:
$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
 targets += blacklist_hash_list

 quiet_cmd_extract_certs  = CERT    $@
-      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
-extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
+      cmd_extract_certs  = $(obj)/extract-cert "$(extract-cert-in)" $@
+extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))

 $(obj)/system_certificates.o: $(obj)/x509_certificate_list






--
Best Regards
Masahiro Yamada
Jan Lübbe Jan. 30, 2023, 4:43 p.m. UTC | #2 
On Tue, 2023-01-31 at 00:18 +0900, Masahiro Yamada wrote:
> On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote:
> > 
> > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
> > semicolon, signing_key.x509 fails to build:
> > 
> >   certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
> >   Usage: extract-cert <source> <dest>
> > 
> > Add quotes to the PKCS11_URI variable to avoid splitting by the shell.
> > 
> > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> >  certs/Makefile | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/certs/Makefile b/certs/Makefile
> > index 9486ed924731..cda21811ed88 100644
> > --- a/certs/Makefile
> > +++ b/certs/Makefile
> > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
> > 
> >  PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> >  ifdef PKCS11_URI
> > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"
> >  endif
> > 
> >  $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> > --
> > 2.30.2
> > 
> 
> Instead, how about this?
> 
> 
> 
> 
> diff --git a/certs/Makefile b/certs/Makefile
> index 9486ed924731..799ad7b9e68a 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list:
> $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
>  targets += blacklist_hash_list
> 
>  quiet_cmd_extract_certs  = CERT    $@
> -      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
> -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
> +      cmd_extract_certs  = $(obj)/extract-cert "$(extract-cert-in)" $@
> +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))
> 
>  $(obj)/system_certificates.o: $(obj)/x509_certificate_list

Thanks, this works im my tests, too.

Regards,
Jan
Masahiro Yamada Jan. 30, 2023, 5:21 p.m. UTC | #3 
On Tue, Jan 31, 2023 at 1:43 AM Jan Lübbe <jlu@pengutronix.de> wrote:
>
> On Tue, 2023-01-31 at 00:18 +0900, Masahiro Yamada wrote:
> > On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote:
> > >
> > > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
> > > semicolon, signing_key.x509 fails to build:
> > >
> > >   certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
> > >   Usage: extract-cert <source> <dest>
> > >
> > > Add quotes to the PKCS11_URI variable to avoid splitting by the shell.
> > >
> > > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
> > > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > > ---
> > >  certs/Makefile | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/certs/Makefile b/certs/Makefile
> > > index 9486ed924731..cda21811ed88 100644
> > > --- a/certs/Makefile
> > > +++ b/certs/Makefile
> > > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
> > >
> > >  PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> > >  ifdef PKCS11_URI
> > > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> > > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"
> > >  endif
> > >
> > >  $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> > > --
> > > 2.30.2
> > >
> >
> > Instead, how about this?
> >
> >
> >
> >
> > diff --git a/certs/Makefile b/certs/Makefile
> > index 9486ed924731..799ad7b9e68a 100644
> > --- a/certs/Makefile
> > +++ b/certs/Makefile
> > @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list:
> > $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
> >  targets += blacklist_hash_list
> >
> >  quiet_cmd_extract_certs  = CERT    $@
> > -      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
> > -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
> > +      cmd_extract_certs  = $(obj)/extract-cert "$(extract-cert-in)" $@
> > +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))
> >
> >  $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>
> Thanks, this works im my tests, too.



Can you send v2, please?

I do not come up with a cleaner way for 2/2,
so I am fine with it.







>
> Regards,
> Jan
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
diff mbox series

Patch

diff --git a/certs/Makefile b/certs/Makefile
index 9486ed924731..cda21811ed88 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -67,7 +67,7 @@  $(obj)/system_certificates.o: $(obj)/signing_key.x509
 
 PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
 ifdef PKCS11_URI
-$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
+$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"
 endif
 
 $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE