Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v6.1.59 2023-02-09T10:28:11Z 2023-02-09T10:28:11Z Jan Luebbe jlu@pengutronix.de 2023-01-31T08:43:22Z urn:sha1:10282d9daaf74f614b2ecbb71ad8b0a6c38bdf66 [ Upstream commit b1c3d2beed8ef3699fab106340e33a79052df116 ] When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build: certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 Usage: extract-cert <source> <dest> Add quotes to the extract-cert argument to avoid splitting by the shell. This approach was suggested by Masahiro Yamada <masahiroy@kernel.org>. Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-09-23T19:31:18Z Masahiro Yamada masahiroy@kernel.org 2022-09-12T06:52:10Z urn:sha1:2154aca21408752eaa3eeaf2ba6e942724ff2a4d Commit e90886291c7c ("certs: make system keyring depend on x509 parser") is not the right fix because x509_load_certificate_list() can be modular. The combination of CONFIG_SYSTEM_TRUSTED_KEYRING=y and CONFIG_X509_CERTIFICATE_PARSER=m still results in the following error: LD .tmp_vmlinux.kallsyms1 ld: certs/system_keyring.o: in function `load_system_certificate_list': system_keyring.c:(.init.text+0x8c): undefined reference to `x509_load_certificate_list' make: *** [Makefile:1169: vmlinux] Error 1 Fixes: e90886291c7c ("certs: make system keyring depend on x509 parser") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Tested-by: Adam Borowski <kilobyte@angband.pl> 2022-08-10T17:40:41Z Linus Torvalds torvalds@linux-foundation.org 2022-08-10T17:40:41Z urn:sha1:0af5cb349a2c97fbabb3cede96efcde9d54b7940 Pull Kbuild updates from Masahiro Yamada: - Remove the support for -O3 (CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3) - Fix error of rpm-pkg cross-builds - Support riscv for checkstack tool - Re-enable -Wformwat warnings for Clang - Clean up modpost, Makefiles, and misc scripts * tag 'kbuild-v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (30 commits) modpost: remove .symbol_white_list field entirely modpost: remove unneeded .symbol_white_list initializers modpost: add PATTERNS() helper macro modpost: shorten warning messages in report_sec_mismatch() Revert "Kbuild, lto, workaround: Don't warn for initcall_reference in modpost" modpost: use more reliable way to get fromsec in section_rel(a)() modpost: add array range check to sec_name() modpost: refactor get_secindex() kbuild: set EXIT trap before creating temporary directory modpost: remove unused Elf_Sword macro Makefile.extrawarn: re-enable -Wformat for clang kbuild: add dtbs_prepare target kconfig: Qt5: tell the user which packages are required modpost: use sym_get_data() to get module device_table data modpost: drop executable ELF support checkstack: add riscv support for scripts/checkstack.pl kconfig: shorten the temporary directory name for cc-option scripts: headers_install.sh: Update config leak ignore entries kbuild: error out if $(INSTALL_MOD_PATH) contains % or : kbuild: error out if $(KBUILD_EXTMOD) contains % or : ... 2022-07-27T12:17:59Z Masahiro Yamada masahiroy@kernel.org 2022-06-11T17:22:33Z urn:sha1:31f6d95c2cab1898c05a95f434f54a327431f158 These two files are very similar. Unify them. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> 2022-07-27T12:17:59Z Masahiro Yamada masahiroy@kernel.org 2022-06-11T17:22:32Z urn:sha1:9008a676662a77ab98727d05bdffa0e3c38cba53 This script is only used in certs/Makefile, so certs/ is a better home for it. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> 2022-07-24T19:53:55Z Adam Borowski kilobyte@angband.pl 2022-07-18T13:50:34Z urn:sha1:e90886291c7cd89577bf11729b205cc0ed42fbec This code requires x509_load_certificate_list() to be built-in. Fixes: 60050ffe3d77 ("certs: Move load_certificate_list() to be with the asymmetric keys code") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Steven Rostedt <rostedt@goodmis.org> Link: https://lore.kernel.org/all/202206221515.DqpUuvbQ-lkp@intel.com/ Link: https://lore.kernel.org/all/20220712104554.408dbf42@gandalf.local.home/ Signed-off-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2022-06-21T17:13:53Z Linus Torvalds torvalds@linux-foundation.org 2022-06-21T17:13:53Z urn:sha1:0273fd423b2fe10af96ff713273137c63a7736c0 Pull signature checking selftest from David Howells: "The signature checking code, as used by module signing, kexec, etc., is non-FIPS compliant as there is no selftest. For a kernel to be FIPS-compliant, signature checking would have to be tested before being used, and the box would need to panic if it's not available (probably reasonable as simply disabling signature checking would prevent you from loading any driver modules). Deal with this by adding a minimal test. This is split into two patches: the first moves load_certificate_list() to the same place as the X.509 code to make it more accessible internally; the second adds a selftest" * tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: certs: Add FIPS selftests certs: Move load_certificate_list() to be with the asymmetric keys code 2022-06-21T15:05:06Z David Howells dhowells@redhat.com 2022-05-18T22:48:09Z urn:sha1:60050ffe3d770dd1df5b641aa48f49d07a54bd84 Move load_certificate_list(), which loads a series of binary X.509 certificates from a blob and inserts them as keys into a keyring, to be with the asymmetric keys code that it drives. This makes it easier to add FIPS selftest code in which we need to load up a private keyring for the tests to use. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au> cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/ 2022-06-15T18:52:32Z Masahiro Yamada masahiroy@kernel.org 2022-06-11T17:22:31Z urn:sha1:27b5b22d252c6d71a2a37a4bdf18d0be6d25ee5a Commit addf466389d9 ("certs: Check that builtin blacklist hashes are valid") was applied 8 months after the submission. In the meantime, the base code had been removed by commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"). Fix the Makefile. Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is included from certs/blacklist_hashes.c and also works as a timestamp. Send error messages from check-blacklist-hashes.awk to stderr instead of stdout. Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> 2022-06-15T18:52:32Z Masahiro Yamada masahiroy@kernel.org 2022-06-11T17:22:30Z urn:sha1:6a1c3767d82ed8233de1263aa7da81595e176087 This file fails to compile as follows: CC certs/blacklist_hashes.o certs/blacklist_hashes.c:4:1: error: ignoring attribute ‘section (".init.data")’ because it conflicts with previous ‘section (".init.rodata")’ [-Werror=attributes] 4 | const char __initdata *const blacklist_hashes[] = { | ^~~~~ In file included from certs/blacklist_hashes.c:2: certs/blacklist.h:5:38: note: previous declaration here 5 | extern const char __initconst *const blacklist_hashes[]; | ^~~~~~~~~~~~~~~~ Apply the same fix as commit 2be04df5668d ("certs/blacklist_nohashes.c: fix const confusion in certs blacklist"). Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>