Hi,
here are two patches to fix kernel module signing when using a key via
PKCS#11, including the case where the URI contains semicolons to
separate components.
Compared to v1, I've used the change suggested by Masahiro Yamada in the
first patch.
Jan Luebbe (2):
certs: Fix build error when PKCS#11 URI contains semicolon
kbuild: modinst: Fix build error when CONFIG_MODULE_SIG_KEY is a
PKCS#11 URI
certs/Makefile | 4 ++--
scripts/Makefile.modinst | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
--
2.30.2
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:
certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
Usage: extract-cert <source> <dest>
Add quotes to the extract-cert argument to avoid splitting by the shell.
This approach was suggested by Masahiro Yamada <[email protected]>.
Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe <[email protected]>
---
certs/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 9486ed924731..799ad7b9e68a 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
targets += blacklist_hash_list
quiet_cmd_extract_certs = CERT $@
- cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
-extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
+ cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@
+extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
--
2.30.2
On Tue, Jan 31, 2023 at 5:43 PM Jan Luebbe <[email protected]> wrote:
>
> When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
> semicolon, signing_key.x509 fails to build:
>
> certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
> Usage: extract-cert <source> <dest>
>
> Add quotes to the extract-cert argument to avoid splitting by the shell.
>
> This approach was suggested by Masahiro Yamada <[email protected]>.
>
> Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
> Signed-off-by: Jan Luebbe <[email protected]>
Both applied to linux-kbuild/fixes.
Thanks.
> ---
> certs/Makefile | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/certs/Makefile b/certs/Makefile
> index 9486ed924731..799ad7b9e68a 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
> targets += blacklist_hash_list
>
> quiet_cmd_extract_certs = CERT $@
> - cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
> -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
> + cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@
> +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))
>
> $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>
> --
> 2.30.2
>
--
Best Regards
Masahiro Yamada