Commit Graph

16 Commits

Author SHA1 Message Date
Mehmet Kayaalp c4c3610595 KEYS: Reserve an extra certificate symbol for inserting without recompiling
Place a system_extra_cert buffer of configurable size, right after the
system_certificate_list, so that inserted keys can be readily processed by
the existing mechanism. Added script takes a key file and a kernel image
and inserts its contents to the reserved area. The
system_certificate_list_size is also adjusted accordingly.

Call the script as:

    scripts/insert-sys-cert -b <vmlinux> -c <certfile>

If vmlinux has no symbol table, supply System.map file with -s flag.
Subsequent runs replace the previously inserted key, instead of appending
the new one.

Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2016-02-26 15:30:20 +00:00
Ben Hutchings b479bfd00e DocBook: Use a fixed encoding for output
Currently the encoding of documents generated by DocBook depends on
the current locale.  Make the output reproducible independently of
the locale, by setting the encoding to UTF-8 (LC_CTYPE=C.UTF-8) by
preference, or ASCII (LC_CTYPE=C) as a fallback.

LC_CTYPE can normally be overridden by LC_ALL, but the top-level
Makefile unsets that.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[jc: added check-lc_ctype to .gitignore]
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2015-09-28 01:31:48 -06:00
Paul Gortmaker 30b139dfe0 scripts: add extract-cert and sign-file to .gitignore
...so "git status" doesn't nag us about them.

Cc: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2015-08-27 03:59:11 +10:00
Vivek Goyal 8370edea81 bin2c: move bin2c in scripts/basic
This patch series does not do kernel signature verification yet.  I plan
to post another patch series for that.  Now distributions are already
signing PE/COFF bzImage with PKCS7 signature I plan to parse and verify
those signatures.

Primary goal of this patchset is to prepare groundwork so that kernel
image can be signed and signatures be verified during kexec load.  This
should help with two things.

- It should allow kexec/kdump on secureboot enabled machines.

- In general it can help even without secureboot. By being able to verify
  kernel image signature in kexec, it should help with avoiding module
  signing restrictions. Matthew Garret showed how to boot into a custom
  kernel, modify first kernel's memory and then jump back to old kernel and
  bypass any policy one wants to.

This patch (of 15):

Kexec wants to use bin2c and it wants to use it really early in the build
process. See arch/x86/purgatory/ code in later patches.

So move bin2c in scripts/basic so that it can be built very early and
be usable by arch/x86/purgatory/

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: WANG Chao <chaowang@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-08-08 15:57:32 -07:00
David Howells 4520c6a49a X.509: Add simple ASN.1 grammar compiler
Add a simple ASN.1 grammar compiler.  This produces a bytecode output that can
be fed to a decoder to inform the decoder how to interpret the ASN.1 stream it
is trying to parse.

Action functions can be specified in the grammar by interpolating:

	({ foo })

after a type, for example:

	SubjectPublicKeyInfo ::= SEQUENCE {
		algorithm		AlgorithmIdentifier,
		subjectPublicKey	BIT STRING ({ do_key_data })
		}

The decoder is expected to call these after matching this type and parsing the
contents if it is a constructed type.

The grammar compiler does not currently support the SET type (though it does
support SET OF) as I can't see a good way of tracking which members have been
encountered yet without using up extra stack space.

Currently, the grammar compiler will fail if more than 256 bytes of bytecode
would be produced or more than 256 actions have been specified as it uses
8-bit jump values and action indices to keep space usage down.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-10-08 13:50:19 +10:30
David Daney a79f248b9b scripts: Add sortextable to sort the kernel's exception table.
Using this build-time sort saves time booting as we don't have to burn
cycles sorting the exception table.

Signed-off-by: David Daney <david.daney@cavium.com>
Link: http://lkml.kernel.org/r/1334872799-14589-2-git-send-email-ddaney.cavm@gmail.com
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
2012-04-19 15:06:55 -07:00
Peter Foley bffd2020a9 kbuild: move scripts/basic/docproc.c to scripts/docproc.c
Move docproc from scripts/basic to scripts so it is only built for *doc
targets instead of every time the kernel is built.
2011-05-02 22:48:03 +02:00
Américo Wang 6e5b86924a gitignore: add scripts/recordmcount
This file is generated, should be ignored by git.

Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.cz>
2010-11-25 15:49:50 +01:00
Dick Streefland 7b76bfc867 kconfig: simplification of scripts/extract-ikconfig
I've rewritten the extract-ikconfig script to extract the kernel
configuration from a kernel compiled with CONFIG_IKCONFIG. The main
motivation for the rewrite was to remove the dependency on the
external C program binoffset.c, which is compiled on the initial run.

The binoffset executable is invoked with a relative path, which means
that the old script can only be run from the top of the kernel tree,
and only when you have write permission in the scripts directory.

The new script uses tr/grep/tail/zcat only, and can be invoked from
anywhere. The binoffset.c program has been removed. This script
requires GNU grep 2.5 (released 2002-03-13) or higher, because the -o
option was introduced in that version.

Signed-off-by: Dick Streefland <dick@streefland.net>
LKML-Reference: <20091006203540.GA14634@streefland.net>
Tested-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2009-10-07 11:44:18 -04:00
Jaswinder Singh Rajput c512d2544c gitignore: ignore scripts/ihex2fw
scripts/ihex2fw is a generated binary and should be ignored

Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
2009-06-27 00:17:48 +02:00
David Woodhouse 556b0f58bb Revert "fix modules_install via NFS"
This reverts commit 8b249b6856.

This 'fix' is not necessary; we just need to undo the damage caused
accidentally by Igor/Mauro in 4b29631db3
("V4L/DVB (9533): cx88: Add support for TurboSight TBS8910 DVB-S PCI card")

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2009-04-06 14:27:17 -07:00
Sam Ravnborg 8b249b6856 fix modules_install via NFS
Rafael reported:

I get the following error from 'make modules_install' on my test boxes:

  HOSTCC  firmware/ihex2fw
/home/rafael/src/linux-2.6/firmware/ihex2fw.c:268: fatal error: opening dependency file firmware/.ihex2fw.d: Read-only file system
compilation terminated.
make[3]: *** [firmware/ihex2fw] Error 1
make[2]: *** [_modinst_post] Error 2
make[1]: *** [sub-make] Error 2
make: *** [all] Error 2

where the configuration is that the kernel is compiled on a build box
with 'make O=<destdir> -j5' and then <destdir> is mounted over NFS read-only by
each test box (full path to this directory is the same on the build box and on
the test boxes).  Then, I cd into <destdir>, run 'make modules_install' and get
the error above.

The issue turns out to be that we when we install firmware pick
up the list of firmware blobs from firmware/Makefile.
And this triggers the Makefile rules to update ihex2fw.

There were two solutions for this issue:
1) Move the list of firmware blobs to a separate file
2) Avoid ihex2fw rebuild by moving it to scripts

As I seriously beleive that the list of firmware blobs should be
done in a fundamental different way solution 2) was selected.

Reported-and-tested-by: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Cc: David Woodhouse <dwmw2@infradead.org>
2009-01-07 21:44:20 +01:00
Uwe Kleine-König ff739b611f Add binoffset to gitignore
Signed-off-by: Uwe Kleine-König <Uwe.Kleine-Koenig@digi.com>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
2008-02-09 10:43:58 +01:00
Paul Mundt ad7a3bf30c [PATCH] Add unifdef to gitignore
This seems to have been missed when unifdef went in
via Sam's tree..

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 19:46:55 -07:00
febf7ea4be gitignore: ignore more generated files
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
2006-01-03 11:35:26 +01:00
Linus Torvalds 1e65174a33 Add some basic .gitignore files
This still leaves driver and architecture-specific subdirectories alone,
but gets rid of the bulk of the "generic" generated files that we should
ignore.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-10-18 08:26:15 -07:00