From: Chun-Yi Lee <[email protected]>
This issue was found in devel-pekey branch on linux-modsign.git tree.
The
x509_certificate_list includes certificate twice when the
signing_key.x509
already exists.
We can reproduce this issue by making kernel twice, the build log of
second time looks like this:
...
CHK kernel/config_data.h
CERTS kernel/x509_certificate_list
- Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
- Including cert signing_key.x509
...
Actually the build path was the same with the srctree path when building
kernel. It causes the size of bzImage increased by packaging
certificates
twice.
v2:
Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
between different shells
Cc: Rusty Russell <[email protected]>
Cc: Josh Boyer <[email protected]>
Cc: Randy Dunlap <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Michal Marek <[email protected]>
Signed-off-by: Chun-Yi Lee <[email protected]>
Signed-off-by: David Howells <[email protected]>
---
kernel/Makefile | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index bc010ee..582fa7a 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-y := $(wildcard *.x509)
+ifneq ($(shell /bin/pwd), $(srctree))
+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
+endif
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
$(or $(realpath $(CERT)),$(CERT))))
--
1.6.4.2
Punting to David Howells...
Cheers,
Rusty.
"Lee, Chun-Yi" <[email protected]> writes:
> From: Chun-Yi Lee <[email protected]>
>
> This issue was found in devel-pekey branch on linux-modsign.git tree.
> The
> x509_certificate_list includes certificate twice when the
> signing_key.x509
> already exists.
> We can reproduce this issue by making kernel twice, the build log of
> second time looks like this:
>
> ...
> CHK kernel/config_data.h
> CERTS kernel/x509_certificate_list
> - Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
> - Including cert signing_key.x509
> ...
>
> Actually the build path was the same with the srctree path when building
> kernel. It causes the size of bzImage increased by packaging
> certificates
> twice.
>
> v2:
> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
> between different shells
Hmm, that's not a great test for equality. How about:
ifneq ($(realpath .), $(realpath $(srctree)))
That should cover all the cases.
Cheers,
Rusty.
>
> Cc: Rusty Russell <[email protected]>
> Cc: Josh Boyer <[email protected]>
> Cc: Randy Dunlap <[email protected]>
> Cc: Herbert Xu <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Michal Marek <[email protected]>
> Signed-off-by: Chun-Yi Lee <[email protected]>
> Signed-off-by: David Howells <[email protected]>
> ---
> kernel/Makefile | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/Makefile b/kernel/Makefile
> index bc010ee..582fa7a 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
> #
> ###############################################################################
> ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
> -X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
> +X509_CERTIFICATES-y := $(wildcard *.x509)
> +ifneq ($(shell /bin/pwd), $(srctree))
> +X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
> +endif
> X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
> X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
> $(or $(realpath $(CERT)),$(CERT))))
> --
> 1.6.4.2
於 三,2014-01-15 於 15:09 +1030,Rusty Russell 提到:
> >
> > v2:
> > Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more
> reliable
> > between different shells
>
> Hmm, that's not a great test for equality. How about:
>
> ifneq ($(realpath .), $(realpath $(srctree)))
>
> That should cover all the cases.
>
> Cheers,
> Rusty.
Yes, it's better!
Thanks for your suggestion, I will send new version with changelog
updated.
Joey Lee
Lee, Chun-Yi <[email protected]> wrote:
> This issue was found in devel-pekey branch on linux-modsign.git tree.
> The
Are you asking for this to go upstream or into my devel-pekey branch?
If upstream you want it to go upstream, I presume commit
d7ec435fdd03cfee70dba934ee384acc87bd6d00 doesn't fix the problem?
David
On 15.1.2014 05:39, Rusty Russell wrote:
> "Lee, Chun-Yi" <[email protected]> writes:
>> From: Chun-Yi Lee <[email protected]>
>> v2:
>> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
>> between different shells
>
> Hmm, that's not a great test for equality. How about:
>
> ifneq ($(realpath .), $(realpath $(srctree)))
>
> That should cover all the cases.
make 3.80 does not have realpath :(.
Michal
Michal Marek <[email protected]> writes:
> On 15.1.2014 05:39, Rusty Russell wrote:
>> "Lee, Chun-Yi" <[email protected]> writes:
>>> From: Chun-Yi Lee <[email protected]>
>>> v2:
>>> Using '$(shell /bin/pwd)' instead of '$(shell pwd)' for more reliable
>>> between different shells
>>
>> Hmm, that's not a great test for equality. How about:
>>
>> ifneq ($(realpath .), $(realpath $(srctree)))
>>
>> That should cover all the cases.
>
> make 3.80 does not have realpath :(.
OK, I guess the former is the best compromise then.
Thanks,
Rusty.
於 四,2014-01-16 於 12:31 +0000,David Howells 提到:
>
> Are you asking for this to go upstream or into my devel-pekey branch?
>
> If upstream you want it to go upstream, I presume commit
> d7ec435fdd03cfee70dba934ee384acc87bd6d00 doesn't fix the problem?
>
> David
You are right. I tried the d7ec435 patch fixed issue. Please ignore my
patch.
Thanks a lot!
Joey Lee