# SPDX-License-Identifier: GPL-2.0
# Makefile for the linux kernel signature checking certificates.
# Objects contributed by this directory, keyed on the Kconfig symbol that
# enables each keyring.  common.o is listed under both the trusted and the
# blacklist keyring, so it is built whenever either is enabled.
# NOTE(review): when both are =y the object appears twice in obj-y; Kbuild is
# presumably tolerant of that (it is upstream practice) — confirm if in doubt.
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
# Pick the blacklist hash source: with a hash-list file configured the
# keyring is populated from blacklist_hashes.o, otherwise from the
# blacklist_nohashes.o variant (presumably an empty list — confirm).
# NOTE(review): original lines 11 and 13 are not present in this rendering;
# given the gutter gap and the hashes/nohashes pairing they are presumably
# the `else` / `endif` of this conditional — confirm against the source tree.
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
# Kbuild command pair for the certificate extractor: quiet_cmd_* is the
# one-line progress message, cmd_* the command actually run.  $(2) is the
# third argument of $(call if_changed,extract_certs,...) at the call sites
# below — a PEM file, a pkcs11: URI, or "" when nothing is configured (which
# presumably makes extract-cert emit an empty list) — and the result is
# written to the target $@.
quiet_cmd_extract_certs  = CERT    $@
      cmd_extract_certs  = $(obj)/extract-cert $(2) $@
# system_certificates.o pulls in the generated list, so it must be rebuilt
# whenever the list changes.
$(obj)/system_certificates.o: $(obj)/x509_certificate_list

# Build the trusted-key blob from the configured PEM bundle.  Listing
# $(CONFIG_SYSTEM_TRUSTED_KEYS) as a prerequisite ties the blob to the bundle's
# mtime; FORCE + if_changed (Kbuild idiom) additionally re-runs the command
# when its arguments change, e.g. when the configured bundle path changes.
# With no bundle configured, "" is passed instead of $<.
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))

# Register the generated file so Kbuild tracks its .cmd file and cleans it up.
targets += x509_certificate_list
# Decide whether a module-signing key is needed at all: either module signing
# is enabled, or IMA appraisal of module signatures is enabled together with
# module support (see the banner comment below).
# NOTE(review): the bodies of these conditionals and their endif lines
# (original lines 26-35, by the gutter numbering) are not in this rendering;
# the key-handling section further down ends with `endif # CONFIG_MODULE_SIG`
# at original line 79 — confirm the exact nesting against the source tree.
ifeq ($(CONFIG_MODULE_SIG),y)
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
ifeq ($(CONFIG_MODULES),y)
###############################################################################
# If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards.
###############################################################################
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
# A key is generated only when CONFIG_MODULE_SIG_KEY still holds the in-tree
# default path; any other value (a user-supplied file, or a pkcs11: URI) is
# left untouched by this Makefile.
ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem)

# Key algorithm: ECDSA on secp384r1 when CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
# (keytype-y is then non-empty).  Otherwise keytype-y is empty and openssl
# takes the key type and size from its defaults and the -config file.
keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1

# Generate a self-signed certificate plus private key in a single PEM file:
#   -nodes       the private key is written unencrypted (no passphrase) so the
#                build can use it non-interactively; $(obj)/signing_key.pem is
#                therefore a secret in any build tree that is kept around.
#   -$(CONFIG_MODULE_SIG_HASH)  signature digest, taken from Kconfig.
#   -days 36500  ~100-year validity, so the embedded certificate does not
#                expire in practice.
#   -config $<   the x509.genkey request configuration (first prerequisite).
#   -out/-keyout both name $@, so certificate and key share one file.
# stderr is folded into stdout so openssl's diagnostics land in the build log.
# Because of FORCE + if_changed below, changing any of these options (digest,
# key type) or the config file regenerates the key; modules signed with the
# previous key will then no longer verify against the new certificate.
quiet_cmd_gen_key = GENKEY  $@
      cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
		-batch -x509 -config $< \
		-outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1

$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE
	$(call if_changed,gen_key)

targets += signing_key.pem

# Seed the request configuration from the default shipped in the source tree.
quiet_cmd_copy_x509_config = COPY    $@
      cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@

# You can provide your own config file. If not present, copy the default one.
# NOTE(review): the rule header for this recipe (original line 65) is not in
# this rendering; from the prerequisite of the signing_key.pem rule above its
# target is presumably $(obj)/x509.genkey — confirm against the source tree.
	$(call cmd,copy_x509_config)

endif # CONFIG_MODULE_SIG_KEY
# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
# A pkcs11: URI names a key held in a token rather than a file, so it cannot
# be a Make prerequisite; X509_DEP stays empty in that case and the URI is
# handed to extract-cert directly in the signing_key.x509 rule below.
# NOTE(review): the `endif` of this conditional (original line 73) is not in
# this rendering — confirm against the source tree.
ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
X509_DEP := $(CONFIG_MODULE_SIG_KEY)
# The module-signing certificate is embedded next to the trusted list.
$(obj)/system_certificates.o: $(obj)/signing_key.x509

# Extract the public certificate of the module-signing key.  The third
# argument to extract_certs is chosen so that $< is only used when it really
# is the key file (otherwise $< would be $(obj)/extract-cert):
#   - key is a file (X509_DEP set)    -> $<, the PEM named by X509_DEP;
#   - key is a pkcs11: URI (X509_DEP empty) -> the URI itself;
#   - no key configured               -> "".
# With a PKCS#11 key there is no file prerequisite, so only the FORCE +
# if_changed command-line comparison decides whether the step re-runs.
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
# Closes the key-needed conditional opened around original lines 25-35; its
# opener is only partly present in this rendering.
endif # CONFIG_MODULE_SIG

# Registered unconditionally so a stale signing_key.x509 is still cleaned up.
targets += signing_key.x509
# revocation_certificates.o pulls in the generated revocation blob.
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list

# Same shape as the x509_certificate_list rule: build the revocation-key blob
# from the configured PEM bundle (mtime-tracked prerequisite, command line
# tracked via FORCE + if_changed), or pass "" when no bundle is configured.
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))

targets += x509_revocation_list
# extract-cert is a host program (Kbuild hostprogs), linked against libcrypto.
hostprogs := extract-cert

# Flags are taken from pkg-config where available, with its errors silenced.
# Only the link step has a fallback (-lcrypto when pkg-config fails); a failed
# --cflags query leaves the flags empty, so the compile then relies on the
# host compiler's default include paths.  Recursive `=` means pkg-config runs
# when the variable is expanded rather than at parse time — presumably once
# per compile/link under Kbuild, so nothing is lost by not using `:=`.
HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null)
HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)