8720164c1a
* refs/heads/tmp-5f7f76a
Linux 4.4.118
net: dst_cache_per_cpu_dst_set() can be static
crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
KVM: nVMX: invvpid handling improvements
KVM: VMX: clean up declaration of VPID/EPT invalidation types
kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
KVM: nVMX: kmap() can't fail
x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
x86/spectre: Simplify spectre_v2 command line parsing
x86/retpoline: Avoid retpolines for built-in __init functions
x86/kvm: Update spectre-v1 mitigation
x86/paravirt: Remove 'noreplace-paravirt' cmdline option
x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
x86/spectre: Report get_user mitigation for spectre_v1
nl80211: Sanitize array index in parse_txq_params
vfs, fdtable: Prevent bounds-check bypass via speculative execution
x86/syscall: Sanitize syscall table de-references under speculation
x86/get_user: Use pointer masking to limit speculation
x86: Introduce barrier_nospec
x86: Implement array_index_mask_nospec
array_index_nospec: Sanitize speculative array de-references
Documentation: Document array_index_nospec
x86/spectre: Check CONFIG_RETPOLINE in command line parser
x86/cpu/bugs: Make retpoline module warning conditional
x86/bugs: Drop one "mitigation" from dmesg
x86/nospec: Fix header guards names
module/retpoline: Warn about missing retpoline in module
KVM: VMX: Make indirect call speculation safe
KVM: x86: Make indirect calls in emulator speculation safe
x86/retpoline: Remove the esp/rsp thunk
KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
kasan: rework Kconfig settings
drm/gma500: remove helper function
x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug
genksyms: Fix segfault with invalid declarations
dell-wmi, dell-laptop: depends DMI
netlink: fix nla_put_{u8,u16,u32} for KASAN
ASoC: Intel: Kconfig: fix build when ACPI is not enabled
ARM: tegra: select USB_ULPI from EHCI rather than platform
ncr5380: shut up gcc indentation warning
usb: phy: msm add regulator dependency
idle: i7300: add PCI dependency
binfmt_elf: compat: avoid unused function warning
isdn: sc: work around type mismatch warning
power: bq27xxx_battery: mark some symbols __maybe_unused
Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig"
ncpfs: fix unused variable warning
gpio: xgene: mark PM functions as __maybe_unused
net: hp100: remove unnecessary #ifdefs
dmaengine: zx: fix build warning
perf/x86: Shut up false-positive -Wmaybe-uninitialized warning
wireless: cw1200: use __maybe_unused to hide pm functions_
cw1200: fix bogus maybe-uninitialized warning
v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER
hdpvr: hide unused variable
drm/gma500: Sanity-check pipe index
serial: 8250_mid: fix broken DMA dependency
ASoC: rockchip: use __maybe_unused to hide st_irq_syscfg_resume
ISDN: eicon: reduce stack size of sig_ind function
em28xx: only use mt9v011 if camera support is enabled
go7007: add MEDIA_CAMERA_SUPPORT dependency
KVM: add X86_LOCAL_APIC dependency
Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized
tc358743: fix register i2c_rd/wr functions
staging: unisys: visorinput depends on INPUT
i2c: remove __init from i2c_register_board_info()
b2c2: flexcop: avoid unused function warnings
infiniband: cxgb4: use %pR format string for printing resources
iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels
ASoC: mediatek: add i2c dependency
genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg
tty: cyclades: cyz_interrupt is only used for PCI
drm/vmwgfx: use *_32_bits() macros
tlan: avoid unused label with PCI=n
tc1100-wmi: fix build warning when CONFIG_PM not enabled
ipv4: ipconfig: avoid unused ic_proto_used symbol
netfilter: ipvs: avoid unused variable warnings
x86/platform/olpc: Fix resume handler build warning
staging: wilc1000: fix kbuild test robot error
rtlwifi: fix gcc-6 indentation warning
USB: cdc_subset: only build when one driver is enabled
hwrng: exynos - use __maybe_unused to hide pm functions
fbdev: sm712fb: avoid unused function warnings
Drivers: hv: vmbus: fix build warning
modsign: hide openssl output in silent builds
fbdev: s6e8ax0: avoid unused function warnings
mtd: cfi: enforce valid geometry configuration
mtd: sh_flctl: pass FIFO as physical address
amd-xgbe: Fix unused suspend handlers build warning
fbdev: auo_k190x: avoid unused function warnings
driver-core: use 'dev' argument in dev_dbg_ratelimited stub
target/user: Fix cast from pointer to phys_addr_t
tty: hvc_xen: hide xen_console_remove when unused
usb: musb/ux500: remove duplicate check for dma_is_compatible
pwc: hide unused label
SCSI: initio: remove duplicate module device table
scsi: mvumi: use __maybe_unused to hide pm functions
video: Use bool instead int pointer for get_opt_bool() argument
fbdev: sis: enforce selection of at least one backend
staging: ste_rmi4: avoid unused function warnings
video: fbdev: sis: remove unused variable
scsi: fdomain: drop fdomain_pci_tbl when built-in
mptfusion: hide unused seq_mpt_print_ioc_summary function
mtd: maps: add __init attribute
mtd: ichxrom: maybe-uninitialized with gcc-4.9
md: avoid warning for 32-bit sector_t
profile: hide unused functions when !CONFIG_PROC_FS
dpt_i2o: fix build warning
drivers/net: fix eisa_driver probe section mismatch
scsi: sim710: fix build warning
x86/boot: Avoid warning for zero-filling .bss
thermal: spear: use __maybe_unused for PM functions
ssb: mark ssb_bus_register as __maybe_unused
reiserfs: avoid a -Wmaybe-uninitialized warning
ALSA: hda/ca0132 - fix possible NULL pointer use
arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set
scsi: advansys: fix uninitialized data access
x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG
x86: add MULTIUSER dependency for KVM
thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies
x86/build: Silence the build with "make -s"
tools build: Add tools tree support for 'make -s'
x86/fpu/math-emu: Fix possible uninitialized variable use
arm64: define BUG() instruction without CONFIG_BUG
x86/ras/inject: Make it depend on X86_LOCAL_APIC=y
scsi: advansys: fix build warning for PCI=n
video: fbdev: via: remove possibly unused variables
platform/x86: intel_mid_thermal: Fix suspend handlers unused warning
gpio: intel-mid: Fix build warning when !CONFIG_PM
vmxnet3: prevent building with 64K pages
isdn: icn: remove a #warning
virtio_balloon: prevent uninitialized variable use
hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
xen: XEN_ACPI_PROCESSOR is Dom0-only
x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
dmaengine: jz4740: disable/unprepare clk if probe fails
drm/armada: fix leak of crtc structure
xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
spi: sun4i: disable clocks in the remove function
ASoC: rockchip: disable clock on error
clk: fix a panic error caused by accessing NULL pointer
dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved
dmaengine: ioat: Fix error handling path
509: fix printing uninitialized stack memory when OID is empty
btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
net_sched: red: Avoid illegal values
net_sched: red: Avoid devision by zero
gianfar: fix a flooded alignment reports because of padding issue.
s390/dasd: prevent prefix I/O error
powerpc/perf: Fix oops when grouping different pmu events
ipvlan: Add the skb->mark as flow4's member to lookup route
scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none
RDMA/cma: Make sure that PSN is not over max allowed
pinctrl: sunxi: Fix A80 interrupt pin bank
media: s5k6aa: describe some function parameters
perf bench numa: Fixup discontiguous/sparse numa nodes
perf top: Fix window dimensions change handling
ARM: dts: am4372: Correct the interrupts_properties of McASP
ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
usb: build drivers/usb/common/ when USB_SUPPORT is set
usbip: keep usbip_device sockfd state in sync with tcp_socket
staging: iio: adc: ad7192: fix external frequency setting
binder: check for binder_thread allocation failure in binder_poll()
staging: android: ashmem: Fix a race condition in pin ioctls
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
Make DST_CACHE a silent config option
arm64: dts: add #cooling-cells to CPU nodes
video: fbdev/mmp: add MODULE_LICENSE
ASoC: ux500: add MODULE_LICENSE tag
net: avoid skb_warn_bad_offload on IS_ERR
netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
netfilter: on sockopt() acquire sock lock only in the required scope
netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
netfilter: x_tables: fix int overflow in xt_alloc_table_info()
KVM: x86: fix escape of guest dr6 to the host
crypto: x86/twofish-3way - Fix %rbp usage
selinux: skip bounded transition processing if the policy isn't loaded
selinux: ensure the context is NUL terminated in security_context_to_sid_core()
Provide a function to create a NUL-terminated string from unterminated data
drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
blktrace: fix unlocked registration of tracepoints
xfrm: check id proto in validate_tmpl()
xfrm: Fix stack-out-of-bounds read on socket policy lookup.
mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
cfg80211: check dev_set_name() return value
net: replace dst_cache ip6_tunnel implementation with the generic one
net: add dst_cache support
ANDROID: sdcardfs: Hold i_mutex for i_size_write
BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck64-XTS
BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck128-XTS
BACKPORT, FROMGIT: crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS
FROMGIT: crypto: speck - export common helpers
BACKPORT, FROMGIT: crypto: speck - add support for the Speck block cipher
UPSTREAM: ANDROID: binder: synchronize_rcu() when using POLLFREE.
f2fs: updates on v4.16-rc1
Conflicts:
net/Kconfig
net/core/Makefile
Change-Id: I659b0444812b04252f1f1fba8bc62410ce42b061
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
103 lines
3.9 KiB
Makefile
103 lines
3.9 KiB
Makefile
#
|
|
# Makefile for the linux kernel signature checking certificates.
|
|
#
|
|
|
|
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
|
|
|
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
|
|
|
$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS))
|
|
|
|
# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871)
|
|
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
|
|
|
|
# Cope with signing_key.x509 existing in $(srctree) not $(objtree)
|
|
AFLAGS_system_certificates.o := -I$(srctree)
|
|
|
|
quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2))
|
|
cmd_extract_certs = scripts/extract-cert $(2) $@ || ( rm $@; exit 1)
|
|
|
|
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYS),"verity.x509.pem")
|
|
SYSTEM_TRUSTED_KEYS_SRCPREFIX := $(srctree)/certs/
|
|
endif
|
|
|
|
targets += x509_certificate_list
|
|
$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE
|
|
$(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
|
|
endif
|
|
|
|
clean-files := x509_certificate_list .x509.list
|
|
|
|
ifeq ($(CONFIG_MODULE_SIG),y)
|
|
###############################################################################
|
|
#
|
|
# If module signing is requested, say by allyesconfig, but a key has not been
|
|
# supplied, then one will need to be generated to make sure the build does not
|
|
# fail and that the kernel may be used afterwards.
|
|
#
|
|
###############################################################################
|
|
ifndef CONFIG_MODULE_SIG_HASH
|
|
$(error Could not determine digest type to use from kernel config)
|
|
endif
|
|
|
|
redirect_openssl = 2>&1
|
|
quiet_redirect_openssl = 2>&1
|
|
silent_redirect_openssl = 2>/dev/null
|
|
|
|
# We do it this way rather than having a boolean option for enabling an
|
|
# external private key, because 'make randconfig' might enable such a
|
|
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
|
|
ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
|
|
$(obj)/signing_key.pem: $(obj)/x509.genkey
|
|
@$(kecho) "###"
|
|
@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
|
|
@$(kecho) "###"
|
|
@$(kecho) "### If this takes a long time, you might wish to run rngd in the"
|
|
@$(kecho) "### background to keep the supply of entropy topped up. It"
|
|
@$(kecho) "### needs to be run as root, and uses a hardware random"
|
|
@$(kecho) "### number generator if one is available."
|
|
@$(kecho) "###"
|
|
$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
|
|
-batch -x509 -config $(obj)/x509.genkey \
|
|
-outform PEM -out $(obj)/signing_key.pem \
|
|
-keyout $(obj)/signing_key.pem \
|
|
$($(quiet)redirect_openssl)
|
|
@$(kecho) "###"
|
|
@$(kecho) "### Key pair generated."
|
|
@$(kecho) "###"
|
|
|
|
$(obj)/x509.genkey:
|
|
@$(kecho) Generating X.509 key generation config
|
|
@echo >$@ "[ req ]"
|
|
@echo >>$@ "default_bits = 4096"
|
|
@echo >>$@ "distinguished_name = req_distinguished_name"
|
|
@echo >>$@ "prompt = no"
|
|
@echo >>$@ "string_mask = utf8only"
|
|
@echo >>$@ "x509_extensions = myexts"
|
|
@echo >>$@
|
|
@echo >>$@ "[ req_distinguished_name ]"
|
|
@echo >>$@ "#O = Unspecified company"
|
|
@echo >>$@ "CN = Build time autogenerated kernel key"
|
|
@echo >>$@ "#emailAddress = unspecified.user@unspecified.company"
|
|
@echo >>$@
|
|
@echo >>$@ "[ myexts ]"
|
|
@echo >>$@ "basicConstraints=critical,CA:FALSE"
|
|
@echo >>$@ "keyUsage=digitalSignature"
|
|
@echo >>$@ "subjectKeyIdentifier=hash"
|
|
@echo >>$@ "authorityKeyIdentifier=keyid"
|
|
endif
|
|
|
|
$(eval $(call config_filename,MODULE_SIG_KEY))
|
|
|
|
# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
|
|
ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
|
|
X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
|
|
endif
|
|
|
|
# GCC PR#66871 again.
|
|
$(obj)/system_certificates.o: $(obj)/signing_key.x509
|
|
|
|
targets += signing_key.x509
|
|
$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
|
|
$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
|
|
endif
|