18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0
28c2ecf20Sopenharmony_ci#
38c2ecf20Sopenharmony_ci# Makefile for the linux kernel signature checking certificates.
48c2ecf20Sopenharmony_ci#
58c2ecf20Sopenharmony_ci
68c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
78c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
88c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
98c2ecf20Sopenharmony_ciifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
108c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
118c2ecf20Sopenharmony_cielse
128c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
138c2ecf20Sopenharmony_ciendif
148c2ecf20Sopenharmony_ci
158c2ecf20Sopenharmony_ciifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
168c2ecf20Sopenharmony_ci
178c2ecf20Sopenharmony_ci$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS))
188c2ecf20Sopenharmony_ci
198c2ecf20Sopenharmony_ci# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871)
208c2ecf20Sopenharmony_ci$(obj)/system_certificates.o: $(obj)/x509_certificate_list
218c2ecf20Sopenharmony_ci
228c2ecf20Sopenharmony_ci# Cope with signing_key.x509 existing in $(srctree) not $(objtree)
238c2ecf20Sopenharmony_ciAFLAGS_system_certificates.o := -I$(srctree)
248c2ecf20Sopenharmony_ci
258c2ecf20Sopenharmony_ciquiet_cmd_extract_certs  = EXTRACT_CERTS   $(patsubst "%",%,$(2))
268c2ecf20Sopenharmony_ci      cmd_extract_certs  = scripts/extract-cert $(2) $@
278c2ecf20Sopenharmony_ci
288c2ecf20Sopenharmony_citargets += x509_certificate_list
298c2ecf20Sopenharmony_ci$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE
308c2ecf20Sopenharmony_ci	$(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
318c2ecf20Sopenharmony_ciendif # CONFIG_SYSTEM_TRUSTED_KEYRING
328c2ecf20Sopenharmony_ci
338c2ecf20Sopenharmony_ciclean-files := x509_certificate_list .x509.list x509_revocation_list
348c2ecf20Sopenharmony_ci
358c2ecf20Sopenharmony_ciifeq ($(CONFIG_MODULE_SIG),y)
368c2ecf20Sopenharmony_ci###############################################################################
378c2ecf20Sopenharmony_ci#
388c2ecf20Sopenharmony_ci# If module signing is requested, say by allyesconfig, but a key has not been
398c2ecf20Sopenharmony_ci# supplied, then one will need to be generated to make sure the build does not
408c2ecf20Sopenharmony_ci# fail and that the kernel may be used afterwards.
418c2ecf20Sopenharmony_ci#
428c2ecf20Sopenharmony_ci###############################################################################
438c2ecf20Sopenharmony_ciifndef CONFIG_MODULE_SIG_HASH
448c2ecf20Sopenharmony_ci$(error Could not determine digest type to use from kernel config)
458c2ecf20Sopenharmony_ciendif
468c2ecf20Sopenharmony_ci
478c2ecf20Sopenharmony_ciredirect_openssl	= 2>&1
488c2ecf20Sopenharmony_ciquiet_redirect_openssl	= 2>&1
498c2ecf20Sopenharmony_cisilent_redirect_openssl = 2>/dev/null
508c2ecf20Sopenharmony_ciopenssl_available       = $(shell openssl help 2>/dev/null && echo yes)
518c2ecf20Sopenharmony_ci
528c2ecf20Sopenharmony_ci# We do it this way rather than having a boolean option for enabling an
538c2ecf20Sopenharmony_ci# external private key, because 'make randconfig' might enable such a
548c2ecf20Sopenharmony_ci# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
558c2ecf20Sopenharmony_ciifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
568c2ecf20Sopenharmony_ci
578c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes)
588c2ecf20Sopenharmony_ciX509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
598c2ecf20Sopenharmony_ciendif
608c2ecf20Sopenharmony_ci
618c2ecf20Sopenharmony_ci# Support user changing key type
628c2ecf20Sopenharmony_ciifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
638c2ecf20Sopenharmony_cikeytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
648c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes)
658c2ecf20Sopenharmony_ci$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
668c2ecf20Sopenharmony_ciendif
678c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
688c2ecf20Sopenharmony_ci
698c2ecf20Sopenharmony_ciifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA
708c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes)
718c2ecf20Sopenharmony_ci$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
728c2ecf20Sopenharmony_ciendif
738c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY_TYPE_RSA
748c2ecf20Sopenharmony_ci
758c2ecf20Sopenharmony_ci$(obj)/signing_key.pem: $(obj)/x509.genkey
768c2ecf20Sopenharmony_ci	@$(kecho) "###"
778c2ecf20Sopenharmony_ci	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
788c2ecf20Sopenharmony_ci	@$(kecho) "###"
798c2ecf20Sopenharmony_ci	@$(kecho) "### If this takes a long time, you might wish to run rngd in the"
808c2ecf20Sopenharmony_ci	@$(kecho) "### background to keep the supply of entropy topped up.  It"
818c2ecf20Sopenharmony_ci	@$(kecho) "### needs to be run as root, and uses a hardware random"
828c2ecf20Sopenharmony_ci	@$(kecho) "### number generator if one is available."
838c2ecf20Sopenharmony_ci	@$(kecho) "###"
848c2ecf20Sopenharmony_ci	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
858c2ecf20Sopenharmony_ci		-batch -x509 -config $(obj)/x509.genkey \
868c2ecf20Sopenharmony_ci		-outform PEM -out $(obj)/signing_key.pem \
878c2ecf20Sopenharmony_ci		-keyout $(obj)/signing_key.pem \
888c2ecf20Sopenharmony_ci		$(keytype_openssl) \
898c2ecf20Sopenharmony_ci		$($(quiet)redirect_openssl)
908c2ecf20Sopenharmony_ci	@$(kecho) "###"
918c2ecf20Sopenharmony_ci	@$(kecho) "### Key pair generated."
928c2ecf20Sopenharmony_ci	@$(kecho) "###"
938c2ecf20Sopenharmony_ci
948c2ecf20Sopenharmony_ci$(obj)/x509.genkey:
958c2ecf20Sopenharmony_ci	@$(kecho) Generating X.509 key generation config
968c2ecf20Sopenharmony_ci	@echo  >$@ "[ req ]"
978c2ecf20Sopenharmony_ci	@echo >>$@ "default_bits = 4096"
988c2ecf20Sopenharmony_ci	@echo >>$@ "distinguished_name = req_distinguished_name"
998c2ecf20Sopenharmony_ci	@echo >>$@ "prompt = no"
1008c2ecf20Sopenharmony_ci	@echo >>$@ "string_mask = utf8only"
1018c2ecf20Sopenharmony_ci	@echo >>$@ "x509_extensions = myexts"
1028c2ecf20Sopenharmony_ci	@echo >>$@
1038c2ecf20Sopenharmony_ci	@echo >>$@ "[ req_distinguished_name ]"
1048c2ecf20Sopenharmony_ci	@echo >>$@ "#O = Unspecified company"
1058c2ecf20Sopenharmony_ci	@echo >>$@ "CN = Build time autogenerated kernel key"
1068c2ecf20Sopenharmony_ci	@echo >>$@ "#emailAddress = unspecified.user@unspecified.company"
1078c2ecf20Sopenharmony_ci	@echo >>$@
1088c2ecf20Sopenharmony_ci	@echo >>$@ "[ myexts ]"
1098c2ecf20Sopenharmony_ci	@echo >>$@ "basicConstraints=critical,CA:FALSE"
1108c2ecf20Sopenharmony_ci	@echo >>$@ "keyUsage=digitalSignature"
1118c2ecf20Sopenharmony_ci	@echo >>$@ "subjectKeyIdentifier=hash"
1128c2ecf20Sopenharmony_ci	@echo >>$@ "authorityKeyIdentifier=keyid"
1138c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY
1148c2ecf20Sopenharmony_ci
1158c2ecf20Sopenharmony_ci$(eval $(call config_filename,MODULE_SIG_KEY))
1168c2ecf20Sopenharmony_ci
1178c2ecf20Sopenharmony_ci# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
1188c2ecf20Sopenharmony_ciifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
1198c2ecf20Sopenharmony_ciX509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
1208c2ecf20Sopenharmony_ciendif
1218c2ecf20Sopenharmony_ci
1228c2ecf20Sopenharmony_ci# GCC PR#66871 again.
1238c2ecf20Sopenharmony_ci$(obj)/system_certificates.o: $(obj)/signing_key.x509
1248c2ecf20Sopenharmony_ci
1258c2ecf20Sopenharmony_citargets += signing_key.x509
1268c2ecf20Sopenharmony_ci$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
1278c2ecf20Sopenharmony_ci	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
1288c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG
1298c2ecf20Sopenharmony_ci
1308c2ecf20Sopenharmony_ciifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)
1318c2ecf20Sopenharmony_ci
1328c2ecf20Sopenharmony_ci$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS))
1338c2ecf20Sopenharmony_ci
1348c2ecf20Sopenharmony_ci$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
1358c2ecf20Sopenharmony_ci
1368c2ecf20Sopenharmony_ciquiet_cmd_extract_certs  = EXTRACT_CERTS   $(patsubst "%",%,$(2))
1378c2ecf20Sopenharmony_ci      cmd_extract_certs  = scripts/extract-cert $(2) $@
1388c2ecf20Sopenharmony_ci
1398c2ecf20Sopenharmony_citargets += x509_revocation_list
1408c2ecf20Sopenharmony_ci$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE
1418c2ecf20Sopenharmony_ci	$(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS))
1428c2ecf20Sopenharmony_ciendif
143