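# SPDX-License-Identifier: GPL-2.0
#
# Makefile for the linux kernel signature checking certificates.
#

# Objects built into the kernel, selected by the keyring-related config options.
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
# A non-empty CONFIG_SYSTEM_BLACKLIST_HASH_LIST selects blacklist_hashes.o;
# otherwise blacklist_nohashes.o is built instead.
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
else
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
endif

# extract_certs runs the extract-cert host tool as: extract-cert <input> <output>.
#
# <input> is passed as exactly one double-quoted shell word.  The Kconfig
# strings used here reach this Makefile without quotes, and a PKCS#11 URI
# separates its attributes with ';', which an unquoted expansion would hand to
# the shell as a command terminator and cut the command short.  With no input
# at all the expansion is "", so extract-cert still receives an explicit empty
# argument.
# NOTE(review): double quotes do not neutralise '$', backquote or '"' inside
# the value; this relies on the Kconfig string being trusted build input.
quiet_cmd_extract_certs  = CERT    $@
      cmd_extract_certs  = $(obj)/extract-cert "$(extract-cert-in)" $@
# Default input: the rule's prerequisites other than the extract-cert tool
# itself (real-prereqs comes from Kbuild, not from this file).
extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))

$(obj)/system_certificates.o: $(obj)/x509_certificate_list

# Certificate list produced from the file named by CONFIG_SYSTEM_TRUSTED_KEYS.
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs)

targets += x509_certificate_list

# If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards.
#
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem)

# Extra openssl arguments for an ECDSA key (curve secp384r1).  keytype-y stays
# empty for any other key type, so no key-type arguments are added then.
keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1

# gen_key creates a self-signed certificate (-x509) valid for 36500 days and
# writes it to the same file as its private key (-out $@ -keyout $@).
# -nodes leaves that private key unencrypted on disk, so signing_key.pem has to
# be handled as a secret: keep it out of published build trees and artifacts.
# NOTE(review): the file mode is whatever openssl and the build umask produce;
# confirm it is not group/world readable on shared build hosts.
quiet_cmd_gen_key = GENKEY  $@
      cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
		-batch -x509 -config $< \
		-outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1

$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE
	$(call if_changed,gen_key)

targets += signing_key.pem

quiet_cmd_copy_x509_config = COPY    $@
      cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@

# You can provide your own config file. If not present, copy the default one.
# The rule has no prerequisites, so an existing x509.genkey is never rewritten.
$(obj)/x509.genkey:
	$(call cmd,copy_x509_config)

endif # CONFIG_MODULE_SIG_KEY

$(obj)/system_certificates.o: $(obj)/signing_key.x509

# CONFIG_MODULE_SIG_KEY is either a file name or a pkcs11: URI.  A URI is not a
# file, so it is removed from the prerequisite list below and handed to
# extract-cert through a target-specific extract-cert-in instead.
PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
ifdef PKCS11_URI
$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
endif

$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs)

targets += signing_key.x509

$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list

# Revocation list produced from the file named by CONFIG_SYSTEM_REVOCATION_KEYS.
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
	$(call if_changed,extract_certs)

targets += x509_revocation_list

# extract-cert is a host program linked against libcrypto.
hostprogs := extract-cert

# Recursive (=) assignments: pkg-config runs only when these variables are
# expanded.  If pkg-config fails, the link flags fall back to plain -lcrypto.
HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null)
HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)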