18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci# 38c2ecf20Sopenharmony_ci# Makefile for the linux kernel signature checking certificates. 48c2ecf20Sopenharmony_ci# 58c2ecf20Sopenharmony_ci 68c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o 78c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o 88c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o 98c2ecf20Sopenharmony_ciifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") 108c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o 118c2ecf20Sopenharmony_cielse 128c2ecf20Sopenharmony_ciobj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o 138c2ecf20Sopenharmony_ciendif 148c2ecf20Sopenharmony_ci 158c2ecf20Sopenharmony_ciifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) 168c2ecf20Sopenharmony_ci 178c2ecf20Sopenharmony_ci$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) 188c2ecf20Sopenharmony_ci 198c2ecf20Sopenharmony_ci# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) 208c2ecf20Sopenharmony_ci$(obj)/system_certificates.o: $(obj)/x509_certificate_list 218c2ecf20Sopenharmony_ci 228c2ecf20Sopenharmony_ci# Cope with signing_key.x509 existing in $(srctree) not $(objtree) 238c2ecf20Sopenharmony_ciAFLAGS_system_certificates.o := -I$(srctree) 248c2ecf20Sopenharmony_ci 258c2ecf20Sopenharmony_ciquiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) 268c2ecf20Sopenharmony_ci cmd_extract_certs = scripts/extract-cert $(2) $@ 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_citargets += x509_certificate_list 298c2ecf20Sopenharmony_ci$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE 308c2ecf20Sopenharmony_ci $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) 318c2ecf20Sopenharmony_ciendif # CONFIG_SYSTEM_TRUSTED_KEYRING 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_ciclean-files := x509_certificate_list .x509.list x509_revocation_list 348c2ecf20Sopenharmony_ci 358c2ecf20Sopenharmony_ciifeq ($(CONFIG_MODULE_SIG),y) 368c2ecf20Sopenharmony_ci############################################################################### 378c2ecf20Sopenharmony_ci# 388c2ecf20Sopenharmony_ci# If module signing is requested, say by allyesconfig, but a key has not been 398c2ecf20Sopenharmony_ci# supplied, then one will need to be generated to make sure the build does not 408c2ecf20Sopenharmony_ci# fail and that the kernel may be used afterwards. 418c2ecf20Sopenharmony_ci# 428c2ecf20Sopenharmony_ci############################################################################### 438c2ecf20Sopenharmony_ciifndef CONFIG_MODULE_SIG_HASH 448c2ecf20Sopenharmony_ci$(error Could not determine digest type to use from kernel config) 458c2ecf20Sopenharmony_ciendif 468c2ecf20Sopenharmony_ci 478c2ecf20Sopenharmony_ciredirect_openssl = 2>&1 488c2ecf20Sopenharmony_ciquiet_redirect_openssl = 2>&1 498c2ecf20Sopenharmony_cisilent_redirect_openssl = 2>/dev/null 508c2ecf20Sopenharmony_ciopenssl_available = $(shell openssl help 2>/dev/null && echo yes) 518c2ecf20Sopenharmony_ci 528c2ecf20Sopenharmony_ci# We do it this way rather than having a boolean option for enabling an 538c2ecf20Sopenharmony_ci# external private key, because 'make randconfig' might enable such a 548c2ecf20Sopenharmony_ci# boolean option and we unfortunately can't make it depend on !RANDCONFIG. 558c2ecf20Sopenharmony_ciifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") 568c2ecf20Sopenharmony_ci 578c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes) 588c2ecf20Sopenharmony_ciX509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) 598c2ecf20Sopenharmony_ciendif 608c2ecf20Sopenharmony_ci 618c2ecf20Sopenharmony_ci# Support user changing key type 628c2ecf20Sopenharmony_ciifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA 638c2ecf20Sopenharmony_cikeytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 648c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes) 658c2ecf20Sopenharmony_ci$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) 668c2ecf20Sopenharmony_ciendif 678c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA 688c2ecf20Sopenharmony_ci 698c2ecf20Sopenharmony_ciifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA 708c2ecf20Sopenharmony_ciifeq ($(openssl_available),yes) 718c2ecf20Sopenharmony_ci$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) 728c2ecf20Sopenharmony_ciendif 738c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY_TYPE_RSA 748c2ecf20Sopenharmony_ci 758c2ecf20Sopenharmony_ci$(obj)/signing_key.pem: $(obj)/x509.genkey 768c2ecf20Sopenharmony_ci @$(kecho) "###" 778c2ecf20Sopenharmony_ci @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." 788c2ecf20Sopenharmony_ci @$(kecho) "###" 798c2ecf20Sopenharmony_ci @$(kecho) "### If this takes a long time, you might wish to run rngd in the" 808c2ecf20Sopenharmony_ci @$(kecho) "### background to keep the supply of entropy topped up. It" 818c2ecf20Sopenharmony_ci @$(kecho) "### needs to be run as root, and uses a hardware random" 828c2ecf20Sopenharmony_ci @$(kecho) "### number generator if one is available." 838c2ecf20Sopenharmony_ci @$(kecho) "###" 848c2ecf20Sopenharmony_ci $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ 858c2ecf20Sopenharmony_ci -batch -x509 -config $(obj)/x509.genkey \ 868c2ecf20Sopenharmony_ci -outform PEM -out $(obj)/signing_key.pem \ 878c2ecf20Sopenharmony_ci -keyout $(obj)/signing_key.pem \ 888c2ecf20Sopenharmony_ci $(keytype_openssl) \ 898c2ecf20Sopenharmony_ci $($(quiet)redirect_openssl) 908c2ecf20Sopenharmony_ci @$(kecho) "###" 918c2ecf20Sopenharmony_ci @$(kecho) "### Key pair generated." 928c2ecf20Sopenharmony_ci @$(kecho) "###" 938c2ecf20Sopenharmony_ci 948c2ecf20Sopenharmony_ci$(obj)/x509.genkey: 958c2ecf20Sopenharmony_ci @$(kecho) Generating X.509 key generation config 968c2ecf20Sopenharmony_ci @echo >$@ "[ req ]" 978c2ecf20Sopenharmony_ci @echo >>$@ "default_bits = 4096" 988c2ecf20Sopenharmony_ci @echo >>$@ "distinguished_name = req_distinguished_name" 998c2ecf20Sopenharmony_ci @echo >>$@ "prompt = no" 1008c2ecf20Sopenharmony_ci @echo >>$@ "string_mask = utf8only" 1018c2ecf20Sopenharmony_ci @echo >>$@ "x509_extensions = myexts" 1028c2ecf20Sopenharmony_ci @echo >>$@ 1038c2ecf20Sopenharmony_ci @echo >>$@ "[ req_distinguished_name ]" 1048c2ecf20Sopenharmony_ci @echo >>$@ "#O = Unspecified company" 1058c2ecf20Sopenharmony_ci @echo >>$@ "CN = Build time autogenerated kernel key" 1068c2ecf20Sopenharmony_ci @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" 1078c2ecf20Sopenharmony_ci @echo >>$@ 1088c2ecf20Sopenharmony_ci @echo >>$@ "[ myexts ]" 1098c2ecf20Sopenharmony_ci @echo >>$@ "basicConstraints=critical,CA:FALSE" 1108c2ecf20Sopenharmony_ci @echo >>$@ "keyUsage=digitalSignature" 1118c2ecf20Sopenharmony_ci @echo >>$@ "subjectKeyIdentifier=hash" 1128c2ecf20Sopenharmony_ci @echo >>$@ "authorityKeyIdentifier=keyid" 1138c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG_KEY 1148c2ecf20Sopenharmony_ci 1158c2ecf20Sopenharmony_ci$(eval $(call config_filename,MODULE_SIG_KEY)) 1168c2ecf20Sopenharmony_ci 1178c2ecf20Sopenharmony_ci# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it 1188c2ecf20Sopenharmony_ciifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) 1198c2ecf20Sopenharmony_ciX509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) 1208c2ecf20Sopenharmony_ciendif 1218c2ecf20Sopenharmony_ci 1228c2ecf20Sopenharmony_ci# GCC PR#66871 again. 1238c2ecf20Sopenharmony_ci$(obj)/system_certificates.o: $(obj)/signing_key.x509 1248c2ecf20Sopenharmony_ci 1258c2ecf20Sopenharmony_citargets += signing_key.x509 1268c2ecf20Sopenharmony_ci$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE 1278c2ecf20Sopenharmony_ci $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) 1288c2ecf20Sopenharmony_ciendif # CONFIG_MODULE_SIG 1298c2ecf20Sopenharmony_ci 1308c2ecf20Sopenharmony_ciifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) 1318c2ecf20Sopenharmony_ci 1328c2ecf20Sopenharmony_ci$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) 1338c2ecf20Sopenharmony_ci 1348c2ecf20Sopenharmony_ci$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list 1358c2ecf20Sopenharmony_ci 1368c2ecf20Sopenharmony_ciquiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) 1378c2ecf20Sopenharmony_ci cmd_extract_certs = scripts/extract-cert $(2) $@ 1388c2ecf20Sopenharmony_ci 1398c2ecf20Sopenharmony_citargets += x509_revocation_list 1408c2ecf20Sopenharmony_ci$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE 1418c2ecf20Sopenharmony_ci $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) 1428c2ecf20Sopenharmony_ciendif 143