[RESEND PATCH v3] MODSIGN: Fix including certificate twice when the signing_key.x509 already exists

From: Lee, Chun-Yi
Date: Wed Jan 15 2014 - 23:29:11 EST


From: Chun-Yi Lee <jlee@xxxxxxxx>

This issue was found in the devel-pekey branch of the linux-modsign.git tree.
The x509_certificate_list includes the certificate twice when the
signing_key.x509 already exists.
We can reproduce this issue by making the kernel twice; the build log of
the second time looks like this:

...
CHK kernel/config_data.h
CERTS kernel/x509_certificate_list
- Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
- Including cert signing_key.x509
...

Actually the build path was the same as the srctree path when building
the kernel. It causes the size of bzImage to increase by packaging
certificates twice.

Originally this patch was signed and merged to devel-pekey in David
Howells's linux-modsign git:

http://lwn.net/Articles/540288/

git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-modsign.git
tags/pekey-20130221

But it is missing from the mainline kernel.

v3:
Using realpath to compare the current file path with the source tree path.
Thanks for Rusty Russell's suggestion.

v2:
Using '$(shell /bin/pwd)' instead of '$(shell pwd)' to be more reliable
across different shells

Cc: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
Cc: Josh Boyer <jwboyer@xxxxxxxxxx>
Cc: Randy Dunlap <rdunlap@xxxxxxxxxxxx>
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
Cc: Michal Marek <mmarek@xxxxxxxx>
Signed-off-by: Chun-Yi Lee <jlee@xxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---
kernel/Makefile | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/kernel/Makefile b/kernel/Makefile
index bc010ee..1d671b1 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-y := $(wildcard *.x509)
+ifneq ($(realpath .), $(realpath $(srctree)))
+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
+endif
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
$(or $(realpath $(CERT)),$(CERT))))
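Review bot: the new `ifneq ($(realpath .), $(realpath $(srctree)))` test carries no comment explaining why the `$(srctree)/*.x509` wildcard is conditional, and it identifies the build directory as `.` while the line right after the `endif` refers to it as `$(objtree)`. Suggest a one-line comment above the `ifneq` saying that the source-tree wildcard is skipped for in-tree builds so each certificate is listed once, and consider comparing `$(realpath $(objtree))` against `$(realpath $(srctree))` so the condition uses the same variable as the `signing_key.x509` line and does not depend on make's working directory. The surrounding Makefile conditionals shown here are written without a space after the comma (`ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)`); matching that style in the new `ifneq` would keep the block consistent.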
--
1.6.4.2
