certs: simplify empty certs creation in certs/Makefile
To create an empty cert file, we need to pass "" to the extract-cert tool, which is common for all the three call-sites of cmd_extract_certs. Factor out the logic into extract-cert-in. One exceptional case is PKCS#11 case, where we override extract-cert-in with the URI. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
This commit is contained in:
parent
6ce019f73d
commit
f44b645fe0
|
@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
|
||||||
endif
|
endif
|
||||||
|
|
||||||
quiet_cmd_extract_certs = CERT $@
|
quiet_cmd_extract_certs = CERT $@
|
||||||
cmd_extract_certs = $(obj)/extract-cert $(2) $@
|
cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
|
||||||
|
extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
|
||||||
|
|
||||||
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
|
$(obj)/system_certificates.o: $(obj)/x509_certificate_list
|
||||||
|
|
||||||
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
|
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
|
||||||
$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,""))
|
$(call if_changed,extract_certs)
|
||||||
|
|
||||||
targets += x509_certificate_list
|
targets += x509_certificate_list
|
||||||
|
|
||||||
|
@ -52,22 +53,22 @@ $(obj)/x509.genkey:
|
||||||
|
|
||||||
endif # CONFIG_MODULE_SIG_KEY
|
endif # CONFIG_MODULE_SIG_KEY
|
||||||
|
|
||||||
# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
|
|
||||||
ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
|
|
||||||
X509_DEP := $(CONFIG_MODULE_SIG_KEY)
|
|
||||||
endif
|
|
||||||
|
|
||||||
$(obj)/system_certificates.o: $(obj)/signing_key.x509
|
$(obj)/system_certificates.o: $(obj)/signing_key.x509
|
||||||
|
|
||||||
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE
|
PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
|
||||||
$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),""))
|
ifdef PKCS11_URI
|
||||||
|
$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
|
||||||
|
endif
|
||||||
|
|
||||||
|
$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
|
||||||
|
$(call if_changed,extract_certs)
|
||||||
|
|
||||||
targets += signing_key.x509
|
targets += signing_key.x509
|
||||||
|
|
||||||
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
|
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
|
||||||
|
|
||||||
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
|
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
|
||||||
$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,""))
|
$(call if_changed,extract_certs)
|
||||||
|
|
||||||
targets += x509_revocation_list
|
targets += x509_revocation_list
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue