user/sven/linux.git/scripts/Makefile, branch v4.4.290

scripts: set proper OpenSSL include dir also for sign-file

2021-03-07T10:24:20Z

commit fe968c41ac4f4ec9ffe3c4cf16b72285f5e9674f upstream. Fixes: 2cea4a7a1885 ("scripts: use pkg-config to locate libcrypto") Signed-off-by: Rolf Eike Beer Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman

scripts: use pkg-config to locate libcrypto

2021-03-07T10:24:20Z

commit 2cea4a7a1885bd0c765089afc14f7ff0eb77864e upstream. Otherwise build fails if the headers are not in the default location. While at it also ask pkg-config for the libs, with fallback to the existing value. Signed-off-by: Rolf Eike Beer Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman

DocBook: Use a fixed encoding for output

2015-09-28T07:31:48Z

Currently the encoding of documents generated by DocBook depends on the current locale. Make the output reproducible independently of the locale, by setting the encoding to UTF-8 (LC_CTYPE=C.UTF-8) by preference, or ASCII (LC_CTYPE=C) as a fallback. LC_CTYPE can normally be overridden by LC_ALL, but the top-level Makefile unsets that. Signed-off-by: Ben Hutchings [jc: added check-lc_ctype to .gitignore] Signed-off-by: Jonathan Corbet

modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS

2015-08-12T16:01:01Z

Fix up the dependencies somewhat too, while we're at it. Signed-off-by: David Woodhouse Signed-off-by: David Howells

modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed

2015-08-07T15:26:14Z

Where an external PEM file or PKCS#11 URI is given, we can get the cert from it for ourselves instead of making the user drop signing_key.x509 in place for us. Signed-off-by: David Woodhouse Signed-off-by: David Howells

MODSIGN: Use PKCS#7 messages as module signatures

2015-08-07T15:26:13Z

Move to using PKCS#7 messages as module signatures because: (1) We have to be able to support the use of X.509 certificates that don't have a subjKeyId set. We're currently relying on this to look up the X.509 certificate in the trusted keyring list. (2) PKCS#7 message signed information blocks have a field that supplies the data required to match with the X.509 certificate that signed it. (3) The PKCS#7 certificate carries fields that specify the digest algorithm used to generate the signature in a standardised way and the X.509 certificates specify the public key algorithm in a standardised way - so we don't need our own methods of specifying these. (4) We now have PKCS#7 message support in the kernel for signed kexec purposes and we can make use of this. To make this work, the old sign-file script has been replaced with a program that needs compiling in a previous patch. The rules to build it are added here. Signed-off-by: David Howells Tested-by: Vivek Goyal

scripts/gdb: add infrastructure

2015-02-17T22:34:53Z

This provides the basic infrastructure to load kernel-specific python helper scripts when debugging the kernel in gdb. The loading mechanism is based on gdb loading for -gdb.py when opening . Therefore, this places a corresponding link to the main helper script into the output directory that contains vmlinux. The main scripts will pull in submodules containing Linux specific gdb commands and functions. To avoid polluting the source directory with compiled python modules, we link to them from the object directory. Due to gdb.parse_and_eval and string redirection for gdb.execute, we depend on gdb >= 7.2. This feature is enabled via CONFIG_GDB_SCRIPTS. Signed-off-by: Jan Kiszka Acked-by: Michal Marek [kbuild stuff] Cc: Thomas Gleixner Cc: Jason Wessel Cc: Andi Kleen Cc: Ben Widawsky Cc: Borislav Petkov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

bin2c: move bin2c in scripts/basic

2014-08-08T22:57:32Z

This patch series does not do kernel signature verification yet. I plan to post another patch series for that. Now distributions are already signing PE/COFF bzImage with PKCS7 signature I plan to parse and verify those signatures. Primary goal of this patchset is to prepare groundwork so that kernel image can be signed and signatures be verified during kexec load. This should help with two things. - It should allow kexec/kdump on secureboot enabled machines. - In general it can help even without secureboot. By being able to verify kernel image signature in kexec, it should help with avoiding module signing restrictions. Matthew Garret showed how to boot into a custom kernel, modify first kernel's memory and then jump back to old kernel and bypass any policy one wants to. This patch (of 15): Kexec wants to use bin2c and it wants to use it really early in the build process. See arch/x86/purgatory/ code in later patches. So move bin2c in scripts/basic so that it can be built very early and be usable by arch/x86/purgatory/ Signed-off-by: Vivek Goyal Cc: Borislav Petkov Cc: Michael Kerrisk Cc: Yinghai Lu Cc: Eric Biederman Cc: H. Peter Anvin Cc: Matthew Garrett Cc: Greg Kroah-Hartman Cc: Dave Young Cc: WANG Chao Cc: Baoquan He Cc: Andy Lutomirski Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

kbuild: do not add "selinux" to subdir- twice

2014-06-09T21:24:59Z

scripts/Makefile adds "selinux" to subdir-y or subdir- twice. subdir-$(CONFIG_MODVERSIONS) += genksyms subdir-y += mod subdir-$(CONFIG_SECURITY_SELINUX) += selinux <--- here subdir-$(CONFIG_DTC) += dtc # Let clean descend into subdirs subdir- += basic kconfig package selinux <--- again The latter is redundant. Signed-off-by: Masahiro Yamada Signed-off-by: Michal Marek

kbuild: specify build_docproc as a phony target

2014-03-14T16:44:17Z

PHONY target is more suitable for "build_docproc" target. Because PHONY targets are always executed, they do not have to take FORCE as a prerequisite. Signed-off-by: Masahiro Yamada Signed-off-by: Michal Marek