summaryrefslogtreecommitdiff
path: root/certs/Makefile
diff options
context:
space:
mode:
authorMasahiro Yamada <masahiroy@kernel.org>2021-11-05 12:59:58 +0900
committerMasahiro Yamada <masahiroy@kernel.org>2021-12-11 22:09:14 +0900
commite06a61a89ccd3edda046c78f9d08aa045b8c4d32 (patch)
tree14f81b1ab99d156633b0c740c2f948e4fc7b11da /certs/Makefile
parent54c8b517d2955ada78ba553f4b6682483895f32a (diff)
certs: use if_changed to re-generate the key when the key type is changed
If the key type of the existing signing key does not match to CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is re-generated. Use if_changed so that the key is re-generated when the key type is changed (that is, the openssl command line is changed). Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Diffstat (limited to 'certs/Makefile')
-rw-r--r--certs/Makefile30
1 files changed, 6 insertions, 24 deletions
diff --git a/certs/Makefile b/certs/Makefile
index fdf206022113..a702b70f3cb9 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -51,41 +51,23 @@ ifdef SIGN_KEY
#
###############################################################################
-openssl_available = $(shell openssl help 2>/dev/null && echo yes)
-
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
-ifeq ($(openssl_available),yes)
-X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
-endif
-
-# Support user changing key type
-ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
-keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
-ifeq ($(openssl_available),yes)
-$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
-endif
-endif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
-
-ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA
-ifeq ($(openssl_available),yes)
-$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
-endif
-endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA
+keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
quiet_cmd_gen_key = GENKEY $@
cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.pem \
- -keyout $(obj)/signing_key.pem \
- $(keytype_openssl) \
- 2>&1
+ -keyout $(obj)/signing_key.pem $(keytype-y) 2>&1
+
+$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE
+ $(call if_changed,gen_key)
-$(obj)/signing_key.pem: $(obj)/x509.genkey
- $(call cmd,gen_key)
+targets += signing_key.pem
quiet_cmd_copy_x509_config = COPY $@
cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@