certs: simplify empty certs creation in certs/Makefile

To create an empty cert file, we need to pass "" to the extract-cert
tool, which is common for all the three call-sites of cmd_extract_certs.

Factor out the logic into extract-cert-in.

One exceptional case is PKCS#11 case, where we override extract-cert-in
with the URI.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
This commit is contained in:
Masahiro Yamada 2022-02-18 13:46:34 +09:00
parent 6ce019f73d
commit f44b645fe0
1 changed files with 11 additions and 10 deletions

View File

@ -13,12 +13,13 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
endif endif
quiet_cmd_extract_certs = CERT $@ quiet_cmd_extract_certs = CERT $@
cmd_extract_certs = $(obj)/extract-cert $(2) $@ cmd_extract_certs = $(obj)/extract-cert $(extract-cert-in) $@
extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
$(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/system_certificates.o: $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) $(call if_changed,extract_certs)
targets += x509_certificate_list targets += x509_certificate_list
@ -52,22 +53,22 @@ $(obj)/x509.genkey:
endif # CONFIG_MODULE_SIG_KEY endif # CONFIG_MODULE_SIG_KEY
# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
ifneq ($(filter-out pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
X509_DEP := $(CONFIG_MODULE_SIG_KEY)
endif
$(obj)/system_certificates.o: $(obj)/signing_key.x509 $(obj)/system_certificates.o: $(obj)/signing_key.x509
$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
$(call if_changed,extract_certs,$(if $(CONFIG_MODULE_SIG_KEY),$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY)),"")) ifdef PKCS11_URI
$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
endif
$(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs)
targets += signing_key.x509 targets += signing_key.x509
$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) $(call if_changed,extract_certs)
targets += x509_revocation_list targets += x509_revocation_list