2014-01-16 04:29:09

by Chun-Yi Lee

Subject: [RESEND PATCH v3] MODSIGN: Fix including certificate twice when the signing_key.x509 already exists

From: Chun-Yi Lee <[email protected]>

This issue was found in devel-pekey branch on linux-modsign.git tree.
The x509_certificate_list includes certificate twice when the
signing_key.x509 already exists.
We can reproduce this issue by making kernel twice, the build log of
second time looks like this:

...
CHK kernel/config_data.h
CERTS kernel/x509_certificate_list
- Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
- Including cert signing_key.x509
...

Actually the build path was the same with the srctree path when building
kernel. It causes the size of bzImage increased by packaging
certificates twice.

Originally this patch was signed and merged to devel-pekey in David
Howells's linux-modsign git:

http://lwn.net/Articles/540288/

git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-modsign.git
tags/pekey-20130221

But it is missed in mainline kernel.

v3:
Using realpath to compare current file path with source tree patch.
Thanks for Rusty Russell's suggestion.

v2:
Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
between different shells

Cc: Rusty Russell <[email protected]>
Cc: Josh Boyer <[email protected]>
Cc: Randy Dunlap <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Michal Marek <[email protected]>
Signed-off-by: Chun-Yi Lee <[email protected]>
Signed-off-by: David Howells <[email protected]>
---
kernel/Makefile | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/kernel/Makefile b/kernel/Makefile
index bc010ee..1d671b1 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-y := $(wildcard *.x509)
+ifneq ($(realpath .), $(realpath $(srctree)))
+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
+endif
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
$(or $(realpath $(CERT)),$(CERT))))
--
1.6.4.2

2014-01-16 12:44:38

by David Howells

Subject: Re: [RESEND PATCH v3] MODSIGN: Fix including certificate twice when the signing_key.x509 already exists

Lee, Chun-Yi <[email protected]> wrote:

> +ifneq ($(realpath .), $(realpath $(srctree)))
> +X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
> +endif

This ought to be unnecessary, given the $(sort ...) here:

> X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
> $(or $(realpath $(CERT)),$(CERT))))

as that is supposed to remove duplicates.

However, I will admit there's a snag with my idea: $(realpath ...) doesn't
work if the argument path does not exist (hence the $(or ...)).

David