Message ID | 20230130141553.3825449-2-jlu@pengutronix.de |
---|---|
State | New |
Headers | From: Jan Luebbe <jlu@pengutronix.de> To: Masahiro Yamada <masahiroy@kernel.org> Cc: Jan Luebbe <jlu@pengutronix.de>, David Howells <dhowells@redhat.com>, David Woodhouse <dwmw2@infradead.org>, keyrings@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, kernel@pengutronix.de Subject: [PATCH 1/2] certs: Fix build error when PKCS#11 URI contains semicolon Date: Mon, 30 Jan 2023 15:15:52 +0100 Message-Id: <20230130141553.3825449-2-jlu@pengutronix.de> In-Reply-To: <20230130141553.3825449-1-jlu@pengutronix.de> |
Series | Fix module signing with PKCS#11 URIs |
Commit Message
Jan Lübbe
Jan. 30, 2023, 2:15 p.m. UTC
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:

  certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
  Usage: extract-cert <source> <dest>

Add quotes to the PKCS11_URI variable to avoid splitting by the shell.
Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
certs/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
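What the shell does with the unquoted recipe line from the commit message, as an added example that is not part of the patch or the kernel tree. `extract_cert` is a constructed stand-in for certs/extract-cert that only reports its argument count, and the URI is the sample value from the message above.

```shell
#!/bin/sh
# Sample values taken from the commit message.
URI='pkcs11:token=foo;object=bar;pin-value=1111'
DEST='certs/signing_key.x509'

# Constructed stand-in for certs/extract-cert: prints how many arguments it got.
# The real tool prints its usage text unless it receives exactly two.
STUB='extract_cert() { echo "argc=$#"; }'

# Run one recipe line the way make does (handed to "sh -c") and report the
# stub's output together with the exit status of the whole line.
run_recipe() {
    status=0
    out=$(sh -c "$STUB; $1" 2>/dev/null) || status=$?
    echo "${out:-argc=none} status=$status"
}

# Unquoted: the shell sees three commands separated by ';'
#   extract_cert pkcs11:token=foo            -> one argument, usage error
#   object=bar                               -> a variable assignment
#   pin-value=1111 certs/signing_key.x509    -> not a valid assignment name,
#                                               so it is run as a command (127)
unquoted_result() { run_recipe "extract_cert $URI $DEST"; }

# Quoted: the URI reaches the tool as a single argument, followed by the
# destination path.
quoted_result() { run_recipe "extract_cert \"$URI\" $DEST"; }

echo "unquoted: $(unquoted_result)"
echo "quoted:   $(quoted_result)"
```

The status 127 in the unquoted case is the shell trying to execute a fragment of the configuration value as a command, which is why quoting at the point of use matters for any Kconfig string that reaches a recipe.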
Comments
On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote: > > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a > semicolon, signing_key.x509 fails to build: > > certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 > Usage: extract-cert <source> <dest> > > Add quotes to the PKCS11_URI variable to avoid splitting by the shell. > > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") > Signed-off-by: Jan Luebbe <jlu@pengutronix.de> > --- > certs/Makefile | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/certs/Makefile b/certs/Makefile > index 9486ed924731..cda21811ed88 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509 > > PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) > ifdef PKCS11_URI > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)" > endif > > $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE > -- > 2.30.2 > Instead, how about this? diff --git a/certs/Makefile b/certs/Makefile index 9486ed924731..799ad7b9e68a 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE targets += blacklist_hash_list quiet_cmd_extract_certs = CERT $@ - cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") + cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@ +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs)) $(obj)/system_certificates.o: $(obj)/x509_certificate_list -- Best Regards Masahiro Yamada
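Review bot: In the `+ cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@` line, the double quotes stop the shell from splitting on `;`, but `$`, backticks and an embedded `"` in the value are still interpreted by the shell, so the quoting is not complete for arbitrary CONFIG_MODULE_SIG_KEY strings. Also, if the `$(filter-out ...)` in extract-cert-in ever yields more than one prerequisite, they are now passed as a single argument; a comment stating that exactly one input is expected would document that. Dropping the `$(or ...,"")` fallback looks right, since an empty value now expands to `""` at the point of use.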
On Tue, 2023-01-31 at 00:18 +0900, Masahiro Yamada wrote: > On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote: > > > > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a > > semicolon, signing_key.x509 fails to build: > > > > certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 > > Usage: extract-cert <source> <dest> > > > > Add quotes to the PKCS11_URI variable to avoid splitting by the shell. > > > > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") > > Signed-off-by: Jan Luebbe <jlu@pengutronix.de> > > --- > > certs/Makefile | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/certs/Makefile b/certs/Makefile > > index 9486ed924731..cda21811ed88 100644 > > --- a/certs/Makefile > > +++ b/certs/Makefile > > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509 > > > > PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) > > ifdef PKCS11_URI > > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) > > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)" > > endif > > > > $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE > > -- > > 2.30.2 > > > > Instead, how about this? > > > > > diff --git a/certs/Makefile b/certs/Makefile > index 9486ed924731..799ad7b9e68a 100644 > --- a/certs/Makefile > +++ b/certs/Makefile 
> @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: > $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > targets += blacklist_hash_list > > quiet_cmd_extract_certs = CERT $@ > - cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ > -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") > + cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@ > +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs)) > > $(obj)/system_certificates.o: $(obj)/x509_certificate_list

Thanks, this works in my tests, too.

Regards,
Jan
On Tue, Jan 31, 2023 at 1:43 AM Jan Lübbe <jlu@pengutronix.de> wrote: > > On Tue, 2023-01-31 at 00:18 +0900, Masahiro Yamada wrote: > > On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@pengutronix.de> wrote: > > > > > > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a > > > semicolon, signing_key.x509 fails to build: > > > > > > certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 > > > Usage: extract-cert <source> <dest> > > > > > > Add quotes to the PKCS11_URI variable to avoid splitting by the shell. > > > > > > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") > > > Signed-off-by: Jan Luebbe <jlu@pengutronix.de> > > > --- > > > certs/Makefile | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/certs/Makefile b/certs/Makefile > > > index 9486ed924731..cda21811ed88 100644 > > > --- a/certs/Makefile > > > +++ b/certs/Makefile > > > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509 > > > > > > PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) > > > ifdef PKCS11_URI > > > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) > > > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)" > > > endif > > > > > > $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE > > > -- > > > 2.30.2 > > > > > > > Instead, how about this? > > > > > > > > > > diff --git a/certs/Makefile b/certs/Makefile > > index 9486ed924731..799ad7b9e68a 100644 > > --- a/certs/Makefile > > +++ b/certs/Makefile 
> > @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: > > $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE > > targets += blacklist_hash_list > > > > quiet_cmd_extract_certs = CERT $@ > > - cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@ > > -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"") > > + cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@ > > +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs)) > > > > $(obj)/system_certificates.o: $(obj)/x509_certificate_list > > Thanks, this works im my tests, too. Can you send v2, please? I do not come up with a cleaner way for 2/2, so I am fine with it. > > Regards, > Jan > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
diff --git a/certs/Makefile b/certs/Makefile index 9486ed924731..cda21811ed88 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509 PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) ifdef PKCS11_URI -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)" endif $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
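Review bot: The quotes added in the `+$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"` line become part of the value of extract-cert-in rather than of the command that consumes it, so only the branch under `ifdef PKCS11_URI` is protected and any other use of the variable sees literal quote characters. Consider quoting where the variable is expanded in the recipe instead, so every input gets the same treatment. Inside double quotes the shell still expands `$` and backticks, so a URI containing those characters would still be altered; a short comment stating which characters are supported in CONFIG_MODULE_SIG_KEY would help.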