From c39afe624853e39af243dd9832640bf9c80b6554 Mon Sep 17 00:00:00 2001 From: Josh Triplett Date: Sun, 17 Oct 2021 19:43:13 +0200 Subject: [PATCH 01/34] kconfig: Add `make mod2noconfig` to disable module options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When converting a modular kernel to a monolithic kernel, once the kernel works without loading any modules, this helps to quickly disable all the modules before turning off module support entirely. Refactor conf_rewrite_mod_or_yes to a more general conf_rewrite_tristates that accepts an old and new state. Signed-off-by: Josh Triplett Tested-by: Björn Töpel Signed-off-by: Masahiro Yamada --- scripts/kconfig/Makefile | 3 ++- scripts/kconfig/conf.c | 17 ++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile index 5a215880b268..b8ef0fb4bbef 100644 --- a/scripts/kconfig/Makefile +++ b/scripts/kconfig/Makefile @@ -69,7 +69,7 @@ localyesconfig localmodconfig: $(obj)/conf # deprecated for external use simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \ alldefconfig randconfig listnewconfig olddefconfig syncconfig \ - helpnewconfig yes2modconfig mod2yesconfig + helpnewconfig yes2modconfig mod2yesconfig mod2noconfig PHONY += $(simple-targets) @@ -134,6 +134,7 @@ help: @echo ' randconfig - New config with random answer to all options' @echo ' yes2modconfig - Change answers from yes to mod if possible' @echo ' mod2yesconfig - Change answers from mod to yes if possible' + @echo ' mod2noconfig - Change answers from mod to no if possible' @echo ' listnewconfig - List new options' @echo ' helpnewconfig - List new options and help text' @echo ' olddefconfig - Same as oldconfig but sets new symbols to their' diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c index 971da3598fe4..4178065ca27f 100644 --- a/scripts/kconfig/conf.c +++ b/scripts/kconfig/conf.c @@ -35,6 +35,7 @@ enum input_mode { olddefconfig, yes2modconfig, mod2yesconfig, + mod2noconfig, }; static enum input_mode input_mode = oldaskconfig; static int input_mode_opt; @@ -163,8 +164,6 @@ enum conf_def_mode { def_default, def_yes, def_mod, - def_y2m, - def_m2y, def_no, def_random }; @@ -302,12 +301,10 @@ static bool conf_set_all_new_symbols(enum conf_def_mode mode) return has_changed; } -static void conf_rewrite_mod_or_yes(enum conf_def_mode mode) +static void conf_rewrite_tristates(tristate old_val, tristate new_val) { struct symbol *sym; int i; - tristate old_val = (mode == def_y2m) ? yes : mod; - tristate new_val = (mode == def_y2m) ? mod : yes; for_all_symbols(i, sym) { if (sym_get_type(sym) == S_TRISTATE && @@ -685,6 +682,7 @@ static const struct option long_opts[] = { {"olddefconfig", no_argument, &input_mode_opt, olddefconfig}, {"yes2modconfig", no_argument, &input_mode_opt, yes2modconfig}, {"mod2yesconfig", no_argument, &input_mode_opt, mod2yesconfig}, + {"mod2noconfig", no_argument, &input_mode_opt, mod2noconfig}, {NULL, 0, NULL, 0} }; @@ -713,6 +711,7 @@ static void conf_usage(const char *progname) printf(" --randconfig New config with random answer to all options\n"); printf(" --yes2modconfig Change answers from yes to mod if possible\n"); printf(" --mod2yesconfig Change answers from mod to yes if possible\n"); + printf(" --mod2noconfig Change answers from mod to no if possible\n"); printf(" (If none of the above is given, --oldaskconfig is the default)\n"); } @@ -788,6 +787,7 @@ int main(int ac, char **av) case olddefconfig: case yes2modconfig: case mod2yesconfig: + case mod2noconfig: conf_read(NULL); break; case allnoconfig: @@ -862,10 +862,13 @@ int main(int ac, char **av) case savedefconfig: break; case yes2modconfig: - conf_rewrite_mod_or_yes(def_y2m); + conf_rewrite_tristates(yes, mod); break; case mod2yesconfig: - conf_rewrite_mod_or_yes(def_m2y); + conf_rewrite_tristates(mod, yes); + break; + case mod2noconfig: + conf_rewrite_tristates(mod, no); break; case oldaskconfig: rootEntry = &rootmenu; From 0431acd87a6c1785e47eb9762904d964f7a031e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= Date: Thu, 25 Nov 2021 17:20:54 +0100 Subject: [PATCH 02/34] streamline_config.pl: show the full Kconfig name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Show the very same file name that was passed to open() in case the operation failed. Signed-off-by: Łukasz Stelmach --- scripts/kconfig/streamline_config.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl index 1a5fea0519eb..3387ad7508f7 100755 --- a/scripts/kconfig/streamline_config.pl +++ b/scripts/kconfig/streamline_config.pl @@ -170,7 +170,7 @@ sub read_kconfig { $source =~ s/\$\($env\)/$ENV{$env}/; } - open(my $kinfile, '<', $source) || die "Can't open $kconfig"; + open(my $kinfile, '<', $source) || die "Can't open $source"; while (<$kinfile>) { chomp; From df05c0e9496ce1e28b51f79f9fae94479a37fa60 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:57:58 -0700 Subject: [PATCH 03/34] Documentation: Raise the minimum supported version of LLVM to 11.0.0 LLVM versions prior to 11.0.0 have a harder time with dead code elimination, which can cause issues with commonly used expressions such as BUILD_BUG_ON and the bitmask functions/macros in bitfield.h (see the first two issues links below). Whenever there is an issue within LLVM that has been resolved in a later release, the only course of action is to gate the problematic configuration or source code on the toolchain verson or raise the minimum supported version of LLVM for building the kernel, as LLVM has a limited support lifetime compared to GCC. GCC major releases will typically see a few point releases across a two year period on average whereas LLVM major releases are only supported until the next major release and will only see one or two point releases within that timeframe. For example, GCC 8.1 was released in May 2018 and GCC 8.5 was released in May 2021, whereas LLVM 12.0.0 was released in April 2021 and its only point release, 12.0.1, was released in July 2021, giving a minimal window for fixes to be backported. To resolve these build errors around improper dead code elimination, raise the minimum supported version of LLVM for building the kernel to 11.0.0. Doing so is a more proper solution than mucking around with core kernel macros that have always worked with GCC or disabling drivers for using these macros in a proper manner. This type of issue may continue to crop up and require patching, which creates more debt for bumping the minimum supported version in the future. This should have a minimal impact to distributions. Using a script to pull several different Docker images and check the output of 'clang --version': archlinux:latest: clang version 13.0.0 debian:oldoldstable-slim: clang version 3.8.1-24 (tags/RELEASE_381/final) debian:oldstable-slim: clang version 7.0.1-8+deb10u2 (tags/RELEASE_701/final) debian:stable-slim: Debian clang version 11.0.1-2 debian:testing-slim: Debian clang version 11.1.0-4 debian:unstable-slim: Debian clang version 11.1.0-4 fedora:34: clang version 12.0.1 (Fedora 12.0.1-1.fc34) fedora:latest: clang version 13.0.0 (Fedora 13.0.0-3.fc35) fedora:rawhide: clang version 13.0.0 (Fedora 13.0.0-5.fc36) opensuse/leap:15.2: clang version 9.0.1 opensuse/leap:latest: clang version 11.0.1 opensuse/tumbleweed:latest: clang version 13.0.0 ubuntu:bionic: clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) ubuntu:latest: clang version 10.0.0-4ubuntu1 ubuntu:hirsute: Ubuntu clang version 12.0.0-3ubuntu1~21.04.2 ubuntu:rolling: Ubuntu clang version 13.0.0-2 ubuntu:devel: Ubuntu clang version 13.0.0-9 In every case, the distribution's version of clang is either older than the current minimum supported version of LLVM 10.0.1 or equal to or greater than the proposed 11.0.0 so nothing should change. Another benefit of this change is LLVM=1 works better with arm64 and x86_64 since commit f12b034afeb3 ("scripts/Makefile.clang: default to LLVM_IAS=1") enabled the integrated assembler by default, which only works well with clang 11+ (clang-10 required it to be disabled to successfully build a kernel). Link: https://github.com/ClangBuiltLinux/linux/issues/1293 Link: https://github.com/ClangBuiltLinux/linux/issues/1506 Link: https://github.com/ClangBuiltLinux/linux/issues/1511 Link: https://github.com/llvm/llvm-project/commit/fa496ce3c6774097080c8a9cb808da56f383b938 Link: https://groups.google.com/g/clang-built-linux/c/mPQb9_ZWW0s/m/W7o6S-QTBAAJ Link: https://github.com/ClangBuiltLinux/misc-scripts Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- Documentation/process/changes.rst | 2 +- scripts/min-tool-version.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/process/changes.rst b/Documentation/process/changes.rst index b398b8576417..17182b537141 100644 --- a/Documentation/process/changes.rst +++ b/Documentation/process/changes.rst @@ -30,7 +30,7 @@ you probably needn't concern yourself with pcmciautils. Program Minimal version Command to check the version ====================== =============== ======================================== GNU C 5.1 gcc --version -Clang/LLVM (optional) 10.0.1 clang --version +Clang/LLVM (optional) 11.0.0 clang --version GNU make 3.81 make --version binutils 2.23 ld -v flex 2.5.35 flex --version diff --git a/scripts/min-tool-version.sh b/scripts/min-tool-version.sh index 4edc708baa63..7c20252a90c6 100755 --- a/scripts/min-tool-version.sh +++ b/scripts/min-tool-version.sh @@ -28,7 +28,7 @@ llvm) if [ "$SRCARCH" = s390 ]; then echo 13.0.0 else - echo 10.0.1 + echo 11.0.0 fi ;; *) From 57b2b72ac1fc5d55cf3b13207942c109f1a65cb5 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:57:59 -0700 Subject: [PATCH 04/34] mm, slab: Remove compiler check in __kmalloc_index The minimum supported version of LLVM has been raised to 11.0.0, meaning this check is always true, so it can be dropped. Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- include/linux/slab.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index 181045148b06..d3fb5ac71c24 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -411,8 +411,7 @@ static __always_inline unsigned int __kmalloc_index(size_t size, if (size <= 16 * 1024 * 1024) return 24; if (size <= 32 * 1024 * 1024) return 25; - if ((IS_ENABLED(CONFIG_CC_IS_GCC) || CONFIG_CLANG_VERSION >= 110000) - && !IS_ENABLED(CONFIG_PROFILE_ALL_BRANCHES) && size_is_constant) + if (!IS_ENABLED(CONFIG_PROFILE_ALL_BRANCHES) && size_is_constant) BUILD_BUG_ON_MSG(1, "unexpected size in kmalloc_index()"); else BUG(); From 1e68a8af9a395dba40d65a67364f287b637691ee Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:58:00 -0700 Subject: [PATCH 05/34] arch/Kconfig: Remove CLANG_VERSION check in HAS_LTO_CLANG The minimum supported version of LLVM has been raised to 11.0.0, meaning this check is always true, so it can be dropped. Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- arch/Kconfig | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/Kconfig b/arch/Kconfig index d3c4ab249e9c..86e071f693ce 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -648,8 +648,7 @@ config ARCH_SUPPORTS_LTO_CLANG_THIN config HAS_LTO_CLANG def_bool y - # Clang >= 11: https://github.com/ClangBuiltLinux/linux/issues/510 - depends on CC_IS_CLANG && CLANG_VERSION >= 110000 && LD_IS_LLD && AS_IS_LLVM + depends on CC_IS_CLANG && LD_IS_LLD && AS_IS_LLVM depends on $(success,$(NM) --help | head -n 1 | grep -qi llvm) depends on $(success,$(AR) --help | head -n 1 | grep -qi llvm) depends on ARCH_SUPPORTS_LTO_CLANG From e1ab4182ca113f9a14e3aefc15cf7652b8446991 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:58:01 -0700 Subject: [PATCH 06/34] Revert "ARM: 9070/1: Make UNWINDER_ARM depend on ld.bfd or ld.lld 11.0.0+" This reverts commit 7411cfc3c91a08a884463bbc7623087ecc2efdd8. The minimum supported version of LLVM has been raised to 11.0.0, meaning this check is always true, so it can be dropped. Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- arch/arm/Kconfig.debug | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug index 98436702e0c7..cd2d74b625c1 100644 --- a/arch/arm/Kconfig.debug +++ b/arch/arm/Kconfig.debug @@ -66,8 +66,6 @@ config UNWINDER_FRAME_POINTER config UNWINDER_ARM bool "ARM EABI stack unwinder" depends on AEABI && !FUNCTION_GRAPH_TRACER - # https://github.com/ClangBuiltLinux/linux/issues/732 - depends on !LD_IS_LLD || LLD_VERSION >= 110000 select ARM_UNWIND help This option enables stack unwinding support in the kernel From 0766bffcae0706baddea6aa3f85b43031ede0e0d Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:58:02 -0700 Subject: [PATCH 07/34] gcov: Remove compiler version check The minimum supported version of LLVM has been raised to 11.0.0, meaning this check is always true, so it can be dropped. Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- kernel/gcov/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/gcov/Kconfig b/kernel/gcov/Kconfig index 053447183ac5..04f4ebdc3cf5 100644 --- a/kernel/gcov/Kconfig +++ b/kernel/gcov/Kconfig @@ -4,7 +4,6 @@ menu "GCOV-based kernel profiling" config GCOV_KERNEL bool "Enable gcov-based kernel profiling" depends on DEBUG_FS - depends on !CC_IS_CLANG || CLANG_VERSION >= 110000 depends on !ARCH_WANTS_NO_INSTR || CC_HAS_NO_PROFILE_FN_ATTR select CONSTRUCTORS default n From 4dc0759c563a9aa3aa09c316a066d265f3930887 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 29 Nov 2021 09:58:03 -0700 Subject: [PATCH 08/34] init/Kconfig: Drop linker version check for LD_ORPHAN_WARN The minimum supported version of LLVM has been raised to 11.0.0, meaning this check is always true, so it can be dropped. Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Mark Brown Reviewed-by: Nick Desaulniers Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada --- init/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/init/Kconfig b/init/Kconfig index 4b7bac10c72d..e40f967dee3f 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1414,7 +1414,6 @@ config LD_DEAD_CODE_DATA_ELIMINATION config LD_ORPHAN_WARN def_bool y depends on ARCH_WANT_LD_ORPHAN_WARN - depends on !LD_IS_LLD || LLD_VERSION >= 110000 depends on $(ld-option,--orphan-handling=warn) config SYSCTL From be0d5fa7f0373197a44ebeb3f9e833ee50376225 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 1 Oct 2021 13:01:26 +0900 Subject: [PATCH 09/34] certs: move the 'depends on' to the choice of module signing keys When the condition "MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)" is unmet, you cannot choose anything in the choice, but the choice menu is still displayed in the menuconfig etc. Move the 'depends on' to the choice to hide the meaningless menu. Also delete the redundant 'default'. In a choice, the first entry is the default. Signed-off-by: Masahiro Yamada --- certs/Kconfig | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/certs/Kconfig b/certs/Kconfig index ae7f2e876a31..73d1350c223a 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -17,21 +17,19 @@ config MODULE_SIG_KEY choice prompt "Type of module signing key to be generated" - default MODULE_SIG_KEY_TYPE_RSA + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help The type of module signing key type to generate. This option does not apply if a #PKCS11 URI is used. config MODULE_SIG_KEY_TYPE_RSA bool "RSA" - depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help Use an RSA key for module signing. config MODULE_SIG_KEY_TYPE_ECDSA bool "ECDSA" select CRYPTO_ECDSA - depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help Use an elliptic curve key (NIST P384) for module signing. Consider using a strong hash like sha256 or sha384 for hashing modules. From b06d9d3b6a0358d1b8cec5243c14fcc6a997529f Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Wed, 13 Oct 2021 02:10:11 +0000 Subject: [PATCH 10/34] nds32: remove unused BUILTIN_DTB from arch/nds32/Makefile This is not used or exported. BUILTIN_DTB is locally defined and used in arch/nds32/boot/dts/Makefile. Signed-off-by: Masahiro Yamada --- arch/nds32/Makefile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/arch/nds32/Makefile b/arch/nds32/Makefile index 797ad9b450af..b33d5d81b6ae 100644 --- a/arch/nds32/Makefile +++ b/arch/nds32/Makefile @@ -31,12 +31,6 @@ core-y += arch/nds32/kernel/ arch/nds32/mm/ core-$(CONFIG_FPU) += arch/nds32/math-emu/ libs-y += arch/nds32/lib/ -ifneq '$(CONFIG_NDS32_BUILTIN_DTB)' '""' -BUILTIN_DTB := y -else -BUILTIN_DTB := n -endif - ifdef CONFIG_CPU_LITTLE_ENDIAN KBUILD_CFLAGS += $(call cc-option, -EL) KBUILD_AFLAGS += $(call cc-option, -EL) From 54e2c77dd4cbf9bab5aa4ac8cf821005aaeb50fe Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 5 Nov 2021 12:59:54 +0900 Subject: [PATCH 11/34] certs: remove meaningless $(error ...) in certs/Makefile CONFIG_MODULE_SIG_HASH is defined by init/Kconfig. This $(error ...) is never reachable. (If it is, you need to fix the bug.) Signed-off-by: Masahiro Yamada --- certs/Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index 279433783b10..db1fd2f4b950 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -50,9 +50,6 @@ ifdef SIGN_KEY # fail and that the kernel may be used afterwards. # ############################################################################### -ifndef CONFIG_MODULE_SIG_HASH -$(error Could not determine digest type to use from kernel config) -endif redirect_openssl = 2>&1 quiet_redirect_openssl = 2>&1 From f3a2ba44e93e2c192a872f2705fe66dbf39708d6 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 5 Nov 2021 12:59:55 +0900 Subject: [PATCH 12/34] certs: check-in the default x509 config file When x509.genkey is created, it prints a log: Generating X.509 key generation config ..., which is not the ordinary Kbuild log style. Check-in the default config as certs/default_x509.genkey to make it readable, and copy it to certs/x509.genkey if it is not present. The log is shown in the Kbuild style. COPY certs/x509.genkey Signed-off-by: Masahiro Yamada --- certs/Makefile | 24 ++++++------------------ certs/default_x509.genkey | 17 +++++++++++++++++ 2 files changed, 23 insertions(+), 18 deletions(-) create mode 100644 certs/default_x509.genkey diff --git a/certs/Makefile b/certs/Makefile index db1fd2f4b950..fc94a260e3f3 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -98,25 +98,13 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### Key pair generated." @$(kecho) "###" +quiet_cmd_copy_x509_config = COPY $@ + cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@ + +# You can provide your own config file. If not present, copy the default one. $(obj)/x509.genkey: - @$(kecho) Generating X.509 key generation config - @echo >$@ "[ req ]" - @echo >>$@ "default_bits = 4096" - @echo >>$@ "distinguished_name = req_distinguished_name" - @echo >>$@ "prompt = no" - @echo >>$@ "string_mask = utf8only" - @echo >>$@ "x509_extensions = myexts" - @echo >>$@ - @echo >>$@ "[ req_distinguished_name ]" - @echo >>$@ "#O = Unspecified company" - @echo >>$@ "CN = Build time autogenerated kernel key" - @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" - @echo >>$@ - @echo >>$@ "[ myexts ]" - @echo >>$@ "basicConstraints=critical,CA:FALSE" - @echo >>$@ "keyUsage=digitalSignature" - @echo >>$@ "subjectKeyIdentifier=hash" - @echo >>$@ "authorityKeyIdentifier=keyid" + $(call cmd,copy_x509_config) + endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) diff --git a/certs/default_x509.genkey b/certs/default_x509.genkey new file mode 100644 index 000000000000..d4c6628cb8e5 --- /dev/null +++ b/certs/default_x509.genkey @@ -0,0 +1,17 @@ +[ req ] +default_bits = 4096 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +#O = Unspecified company +CN = Build time autogenerated kernel key +#emailAddress = unspecified.user@unspecified.company + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid From f8487d28df281102a1b47d614ddebbaaeecefdeb Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 5 Nov 2021 12:59:56 +0900 Subject: [PATCH 13/34] certs: remove noisy messages while generating the signing key When you run Kbuild with the parallel option -j, the messages from this rule and others are interleaved, like follows: ### CC arch/x86/mm/pat/set_memory.o ### Now generating an X.509 key pair to be used for signing modules. ### ### If this takes a long time, you might wish to run rngd in the ### background to keep the supply of entropy topped up. It CC arch/x86/events/intel/bts.o HDRTEST usr/include/linux/qnx4_fs.h CC arch/x86/events/zhaoxin/core.o ### needs to be run as root, and uses a hardware random ### number generator if one is available. AR init/built-in.a ### On modern machines, it does not take a long time to generate the key. Remove the ugly log messages. Signed-off-by: Masahiro Yamada --- certs/Makefile | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index fc94a260e3f3..a8c9abceef00 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -80,23 +80,12 @@ endif endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA $(obj)/signing_key.pem: $(obj)/x509.genkey - @$(kecho) "###" - @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." - @$(kecho) "###" - @$(kecho) "### If this takes a long time, you might wish to run rngd in the" - @$(kecho) "### background to keep the supply of entropy topped up. It" - @$(kecho) "### needs to be run as root, and uses a hardware random" - @$(kecho) "### number generator if one is available." - @$(kecho) "###" $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ -keyout $(obj)/signing_key.pem \ $(keytype_openssl) \ $($(quiet)redirect_openssl) - @$(kecho) "###" - @$(kecho) "### Key pair generated." - @$(kecho) "###" quiet_cmd_copy_x509_config = COPY $@ cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@ From 54c8b517d2955ada78ba553f4b6682483895f32a Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 5 Nov 2021 12:59:57 +0900 Subject: [PATCH 14/34] certs: use 'cmd' to hide openssl output in silent builds more simply Commit 5d06ee20b662 ("modsign: hide openssl output in silent builds") silenced the key generation log from openssl in silent builds. Since commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build"), the 'cmd' macro can handle it in a cleaner way. Signed-off-by: Masahiro Yamada --- certs/Makefile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index a8c9abceef00..fdf206022113 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -51,9 +51,6 @@ ifdef SIGN_KEY # ############################################################################### -redirect_openssl = 2>&1 -quiet_redirect_openssl = 2>&1 -silent_redirect_openssl = 2>/dev/null openssl_available = $(shell openssl help 2>/dev/null && echo yes) # We do it this way rather than having a boolean option for enabling an @@ -79,13 +76,16 @@ $(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.p endif endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA -$(obj)/signing_key.pem: $(obj)/x509.genkey - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ +quiet_cmd_gen_key = GENKEY $@ + cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ -keyout $(obj)/signing_key.pem \ $(keytype_openssl) \ - $($(quiet)redirect_openssl) + 2>&1 + +$(obj)/signing_key.pem: $(obj)/x509.genkey + $(call cmd,gen_key) quiet_cmd_copy_x509_config = COPY $@ cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@ From e06a61a89ccd3edda046c78f9d08aa045b8c4d32 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Fri, 5 Nov 2021 12:59:58 +0900 Subject: [PATCH 15/34] certs: use if_changed to re-generate the key when the key type is changed If the key type of the existing signing key does not match to CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is re-generated. Use if_changed so that the key is re-generated when the key type is changed (that is, the openssl command line is changed). Signed-off-by: Masahiro Yamada --- certs/Makefile | 30 ++++++------------------------ 1 file changed, 6 insertions(+), 24 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index fdf206022113..a702b70f3cb9 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -51,41 +51,23 @@ ifdef SIGN_KEY # ############################################################################### -openssl_available = $(shell openssl help 2>/dev/null && echo yes) - # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") -ifeq ($(openssl_available),yes) -X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) -endif - -# Support user changing key type -ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA -keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -ifeq ($(openssl_available),yes) -$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) -endif -endif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA - -ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA -ifeq ($(openssl_available),yes) -$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) -endif -endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 quiet_cmd_gen_key = GENKEY $@ cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem \ - $(keytype_openssl) \ - 2>&1 + -keyout $(obj)/signing_key.pem $(keytype-y) 2>&1 -$(obj)/signing_key.pem: $(obj)/x509.genkey - $(call cmd,gen_key) +$(obj)/signing_key.pem: $(obj)/x509.genkey FORCE + $(call if_changed,gen_key) + +targets += signing_key.pem quiet_cmd_copy_x509_config = COPY $@ cmd_copy_x509_config = cat $(srctree)/$(src)/default_x509.genkey > $@ From 50a483405c420f5f35b8dbb71425459835ae44eb Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 6 Dec 2021 11:35:06 +0900 Subject: [PATCH 16/34] kbuild: move headers_check.pl to usr/include/ This script is only used by usr/include/Makefile. Make it local to the directory. Update the comment in include/uapi/linux/soundcard.h because 'make headers_check' is no longer functional. Signed-off-by: Masahiro Yamada --- include/uapi/linux/soundcard.h | 2 +- usr/include/Makefile | 6 ++++-- {scripts => usr/include}/headers_check.pl | 0 3 files changed, 5 insertions(+), 3 deletions(-) rename {scripts => usr/include}/headers_check.pl (100%) diff --git a/include/uapi/linux/soundcard.h b/include/uapi/linux/soundcard.h index f3b21f989872..ac1318793a86 100644 --- a/include/uapi/linux/soundcard.h +++ b/include/uapi/linux/soundcard.h @@ -1051,7 +1051,7 @@ typedef struct mixer_vol_table { * the GPL version of OSS-4.x and build against that version * of the header. * - * We redefine the extern keyword so that make headers_check + * We redefine the extern keyword so that usr/include/headers_check.pl * does not complain about SEQ_USE_EXTBUF. */ #define SEQ_DECLAREBUF() SEQ_USE_EXTBUF() diff --git a/usr/include/Makefile b/usr/include/Makefile index 1c2ae1368079..94403806ea56 100644 --- a/usr/include/Makefile +++ b/usr/include/Makefile @@ -99,10 +99,12 @@ quiet_cmd_hdrtest = HDRTEST $< cmd_hdrtest = \ $(CC) $(c_flags) -S -o /dev/null -x c /dev/null \ $(if $(filter-out $(no-header-test), $*.h), -include $< -include $<); \ - $(PERL) $(srctree)/scripts/headers_check.pl $(obj) $(SRCARCH) $<; \ + $(PERL) $(srctree)/$(src)/headers_check.pl $(obj) $(SRCARCH) $<; \ touch $@ $(obj)/%.hdrtest: $(obj)/%.h FORCE $(call if_changed_dep,hdrtest) -clean-files += $(filter-out Makefile, $(notdir $(wildcard $(obj)/*))) +# Since GNU Make 4.3, $(patsubst $(obj)/%/,%,$(wildcard $(obj)/*/)) works. +# To support older Make versions, use a somewhat tedious way. +clean-files += $(filter-out Makefile headers_check.pl, $(notdir $(wildcard $(obj)/*))) diff --git a/scripts/headers_check.pl b/usr/include/headers_check.pl similarity index 100% rename from scripts/headers_check.pl rename to usr/include/headers_check.pl From 4fbce819337a6705559788ff7e9583a4703edcb7 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 6 Dec 2021 11:35:07 +0900 Subject: [PATCH 17/34] kbuild: remove headers_check stub Linux 5.15 is out. Remove this stub now. Signed-off-by: Masahiro Yamada Reviewed-by: Nick Desaulniers --- Makefile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/Makefile b/Makefile index 0a6ecc8bb2d2..8d58f65e226b 100644 --- a/Makefile +++ b/Makefile @@ -1284,15 +1284,6 @@ headers: $(version_h) scripts_unifdef uapi-asm-generic archheaders archscripts $(Q)$(MAKE) $(hdr-inst)=include/uapi $(Q)$(MAKE) $(hdr-inst)=arch/$(SRCARCH)/include/uapi -# Deprecated. It is no-op now. -PHONY += headers_check -headers_check: - @echo >&2 "=================== WARNING ===================" - @echo >&2 "Since Linux 5.5, 'make headers_check' is no-op," - @echo >&2 "and will be removed after Linux 5.15 release." - @echo >&2 "Please remove headers_check from your scripts." - @echo >&2 "===============================================" - ifdef CONFIG_HEADERS_INSTALL prepare: headers endif From c537e4d04eb75274bf03e6a2a8d6ece25d9d16f6 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:45 +0900 Subject: [PATCH 18/34] certs: use $< and $@ to simplify the key generation rule Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- certs/Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index a702b70f3cb9..aba9e782f940 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -60,9 +60,8 @@ keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_c quiet_cmd_gen_key = GENKEY $@ cmd_gen_key = openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config $(obj)/x509.genkey \ - -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem $(keytype-y) 2>&1 + -batch -x509 -config $< \ + -outform PEM -out $@ -keyout $@ $(keytype-y) 2>&1 $(obj)/signing_key.pem: $(obj)/x509.genkey FORCE $(call if_changed,gen_key) From 1c4bd9f77a1c1b8502ca929fdbe2ef45bfebd09a Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:46 +0900 Subject: [PATCH 19/34] certs: unify duplicated cmd_extract_certs and improve the log cmd_extract_certs is defined twice. Unify them. The current log shows the input file $(2), which might be empty. You cannot know what is being created from the log, "EXTRACT_CERTS". Change the log to show the output file with better alignment. [Before] EXTRACT_CERTS certs/signing_key.pem CC certs/system_keyring.o EXTRACT_CERTS AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o EXTRACT_CERTS AS certs/revocation_certificates.o [After] CERT certs/signing_key.x509 CC certs/system_keyring.o CERT certs/x509_certificate_list AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o CERT certs/x509_revocation_list AS certs/revocation_certificates.o Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- certs/Makefile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index aba9e782f940..bdddcd21cbb3 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -12,6 +12,9 @@ else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif +quiet_cmd_extract_certs = CERT $@ + cmd_extract_certs = scripts/extract-cert $(2) $@ + ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) @@ -22,9 +25,6 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list # Cope with signing_key.x509 existing in $(srctree) not $(objtree) AFLAGS_system_certificates.o := -I$(srctree) -quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) - cmd_extract_certs = scripts/extract-cert $(2) $@ - targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) @@ -98,9 +98,6 @@ $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) - cmd_extract_certs = scripts/extract-cert $(2) $@ - targets += x509_revocation_list $(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) From 3958f2156b418c9dce0a4402a59d95b122a92a04 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:47 +0900 Subject: [PATCH 20/34] certs: remove unneeded -I$(srctree) option for system_certificates.o The .incbin directive in certs/system_certificates.S includes certs/signing_key.x509 and certs/x509_certificate_list, both of which are generated by extract_certs, i.e. exist in $(objtree). This option -I$(srctree) is unneeded. Signed-off-by: Masahiro Yamada --- certs/Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index bdddcd21cbb3..d1e0dad038ca 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,9 +22,6 @@ $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list -# Cope with signing_key.x509 existing in $(srctree) not $(objtree) -AFLAGS_system_certificates.o := -I$(srctree) - targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) From 5cca36069d4c2942a46f98f47b9e7160fd547e03 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:48 +0900 Subject: [PATCH 21/34] certs: refactor file cleaning 'make clean' removes files listed in 'targets'. It is redundant to specify both 'targets' and 'clean-files'. Move 'targets' assignments out of the ifeq-conditionals so scripts/Makefile.clean can see them. One effective change is that certs/certs/signing_key.x509 is now deleted by 'make clean' instead of 'make mrproper. This certificate is embedded in the kernel. It is not used in any way by external module builds. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- Makefile | 2 +- certs/Makefile | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 8d58f65e226b..f1e3bb73bb74 100644 --- a/Makefile +++ b/Makefile @@ -1494,7 +1494,7 @@ MRPROPER_FILES += include/config include/generated \ debian snap tar-install \ .config .config.old .version \ Module.symvers \ - certs/signing_key.pem certs/signing_key.x509 \ + certs/signing_key.pem \ certs/x509.genkey \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index d1e0dad038ca..bb1763150547 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,12 +22,11 @@ $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list -targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list x509_revocation_list +targets += x509_certificate_list ifeq ($(CONFIG_MODULE_SIG),y) SIGN_KEY = y @@ -84,18 +83,20 @@ endif # GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 -targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG +targets += signing_key.x509 + ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) $(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -targets += x509_revocation_list $(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) endif + +targets += x509_revocation_list From 5410f3e810f64366ada353efa5e7559be040fb71 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:49 +0900 Subject: [PATCH 22/34] certs: remove misleading comments about GCC PR This dependency is necessary irrespective of the mentioned GCC PR because the embedded certificates are build artifacts and must be generated by extract_certs before *.S files are compiled. The comment sounds like we are hoping to remove these dependencies someday. No, we cannot remove them. Signed-off-by: Masahiro Yamada --- certs/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index bb1763150547..c3c8da03b04b 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -19,7 +19,6 @@ ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) -# GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE @@ -80,7 +79,6 @@ ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif -# GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE From 4db9c2e3d055cc11e64b5c9bbaa70b5a552adf0f Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:50 +0900 Subject: [PATCH 23/34] kbuild: stop using config_filename in scripts/Makefile.modsign Toward the goal of removing the config_filename macro, drop the double-quotes and add $(srctree)/ prefix in an ad hoc way. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- scripts/Makefile.modinst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index ff9b09e4cfca..df7e3d578ef5 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -66,9 +66,10 @@ endif # Don't stop modules_install even if we can't sign external modules. # ifeq ($(CONFIG_MODULE_SIG_ALL),y) +CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) +sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY) quiet_cmd_sign = SIGN $@ -$(eval $(call config_filename,MODULE_SIG_KEY)) - cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 $@ \ + cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \ $(if $(KBUILD_EXTMOD),|| true) else quiet_cmd_sign := From b8c96a6b466ca3b91530a4ec7f7404f40f8f4d0b Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:51 +0900 Subject: [PATCH 24/34] certs: simplify $(srctree)/ handling and remove config_filename macro The complex macro, config_filename, was introduced to do: [1] drop double-quotes from the string value [2] add $(srctree)/ prefix in case the file is not found in $(objtree) [3] escape spaces and more [1] will be more generally handled by Kconfig later. As for [2], Kbuild uses VPATH to search for files in $(objtree), $(srctree) in this order. GNU Make can natively handle it. As for [3], converting $(space) to $(space_escape) back and forth looks questionable to me. It is well-known that GNU Make cannot handle file paths with spaces in the first place. Instead of using the complex macro, use $< so it will be expanded to the file path of the key. Remove config_filename, finally. Signed-off-by: Masahiro Yamada --- certs/Makefile | 32 ++++++++++++---------------- scripts/Kbuild.include | 47 ------------------------------------------ 2 files changed, 13 insertions(+), 66 deletions(-) diff --git a/certs/Makefile b/certs/Makefile index c3c8da03b04b..69c1404152ef 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -15,15 +15,12 @@ endif quiet_cmd_extract_certs = CERT $@ cmd_extract_certs = scripts/extract-cert $(2) $@ -ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - -$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) - $(obj)/system_certificates.o: $(obj)/x509_certificate_list -$(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE - $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) -endif # CONFIG_SYSTEM_TRUSTED_KEYRING +CONFIG_SYSTEM_TRUSTED_KEYS := $(CONFIG_SYSTEM_TRUSTED_KEYS:"%"=%) + +$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) targets += x509_certificate_list @@ -72,29 +69,26 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -$(eval $(call config_filename,MODULE_SIG_KEY)) +CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it -ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) -X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) +ifneq ($(filter-out pkcs11:%, %(CONFIG_MODULE_SIG_KEY)),) +X509_DEP := $(CONFIG_MODULE_SIG_KEY) endif $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE - $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) +$(obj)/signing_key.x509: $(X509_DEP) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY))) endif # CONFIG_MODULE_SIG targets += signing_key.x509 -ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) - -$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) - $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE - $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) -endif +CONFIG_SYSTEM_REVOCATION_KEYS := $(CONFIG_SYSTEM_REVOCATION_KEYS:"%"=%) + +$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) targets += x509_revocation_list diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include index cdec22088423..3514c2149e9d 100644 --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include @@ -195,53 +195,6 @@ why = \ echo-why = $(call escsq, $(strip $(why))) endif -############################################################################### -# -# When a Kconfig string contains a filename, it is suitable for -# passing to shell commands. It is surrounded by double-quotes, and -# any double-quotes or backslashes within it are escaped by -# backslashes. -# -# This is no use for dependencies or $(wildcard). We need to strip the -# surrounding quotes and the escaping from quotes and backslashes, and -# we *do* need to escape any spaces in the string. So, for example: -# -# Usage: $(eval $(call config_filename,FOO)) -# -# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option, -# transformed as described above to be suitable for use within the -# makefile. -# -# Also, if the filename is a relative filename and exists in the source -# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to -# be prefixed to *both* command invocation and dependencies. -# -# Note: We also print the filenames in the quiet_cmd_foo text, and -# perhaps ought to have a version specially escaped for that purpose. -# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good -# enough. It'll strip the quotes in the common case where there's no -# space and it's a simple filename, and it'll retain the quotes when -# there's a space. There are some esoteric cases in which it'll print -# the wrong thing, but we don't really care. The actual dependencies -# and commands *do* get it right, with various combinations of single -# and double quotes, backslashes and spaces in the filenames. -# -############################################################################### -# -define config_filename -ifneq ($$(CONFIG_$(1)),"") -$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1))))))) -ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME))) -else -ifeq ($$(wildcard $$($(1)_FILENAME)),) -ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),) -$(1)_SRCPREFIX := $(srctree)/ -endif -endif -endif -endif -endef -# ############################################################################### # delete partially updated (i.e. corrupted) files on error From 7d153696e5db1e37387c2f7ec06ffc8d4aac70a4 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:52 +0900 Subject: [PATCH 25/34] kbuild: do not include include/config/auto.conf from shell scripts Richard Weinberger pointed out the risk of sourcing the kernel config from shell scripts [1], and proposed some patches [2], [3]. It is a good point, but it took a long time because I was wondering how to fix this. This commit goes with simple grep approach because there are only a few scripts including the kernel configuration. scripts/link_vmlinux.sh has references to a bunch of CONFIG options, all of which are boolean. I added is_enabled() helper as scripts/package/{mkdebian,builddeb} do. scripts/gen_autoksyms.sh uses 'eval', stating "to expand the whitelist path". I removed it since it is the issue we are trying to fix. I was a bit worried about the cost of invoking the grep command over again. I extracted the grep parts from it, and measured the cost. It was approximately 0.03 sec, which I hope is acceptable. [test code] $ cat test-grep.sh #!/bin/sh is_enabled() { grep -q "^$1=y" include/config/auto.conf } is_enabled CONFIG_LTO_CLANG is_enabled CONFIG_LTO_CLANG is_enabled CONFIG_STACK_VALIDATION is_enabled CONFIG_UNWINDER_ORC is_enabled CONFIG_FTRACE_MCOUNT_USE_OBJTOOL is_enabled CONFIG_VMLINUX_VALIDATION is_enabled CONFIG_FRAME_POINTER is_enabled CONFIG_GCOV_KERNEL is_enabled CONFIG_LTO_CLANG is_enabled CONFIG_RETPOLINE is_enabled CONFIG_X86_SMAP is_enabled CONFIG_LTO_CLANG is_enabled CONFIG_VMLINUX_MAP is_enabled CONFIG_KALLSYMS_ALL is_enabled CONFIG_KALLSYMS_ABSOLUTE_PERCPU is_enabled CONFIG_KALLSYMS_BASE_RELATIVE is_enabled CONFIG_DEBUG_INFO_BTF is_enabled CONFIG_KALLSYMS is_enabled CONFIG_DEBUG_INFO_BTF is_enabled CONFIG_BPF is_enabled CONFIG_BUILDTIME_TABLE_SORT is_enabled CONFIG_KALLSYMS $ time ./test-grep.sh real 0m0.036s user 0m0.027s sys m0.009s [1]: https://lore.kernel.org/all/1919455.eZKeABUfgV@blindfold/ [2]: https://lore.kernel.org/all/20180219092245.26404-1-richard@nod.at/ [3]: https://lore.kernel.org/all/20210920213957.1064-2-richard@nod.at/ Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- scripts/gen_autoksyms.sh | 11 +++------- scripts/link-vmlinux.sh | 47 ++++++++++++++++++++-------------------- scripts/setlocalversion | 9 ++++---- 3 files changed, 31 insertions(+), 36 deletions(-) diff --git a/scripts/gen_autoksyms.sh b/scripts/gen_autoksyms.sh index 6ed0d225c8b1..949d6a054034 100755 --- a/scripts/gen_autoksyms.sh +++ b/scripts/gen_autoksyms.sh @@ -16,20 +16,15 @@ case "$KBUILD_VERBOSE" in ;; esac -# We need access to CONFIG_ symbols -. include/config/auto.conf - needed_symbols= # Special case for modversions (see modpost.c) -if [ -n "$CONFIG_MODVERSIONS" ]; then +if grep -q "^CONFIG_MODVERSIONS=y$" include/config/auto.conf; then needed_symbols="$needed_symbols module_layout" fi -ksym_wl= -if [ -n "$CONFIG_UNUSED_KSYMS_WHITELIST" ]; then - # Use 'eval' to expand the whitelist path and check if it is relative - eval ksym_wl="$CONFIG_UNUSED_KSYMS_WHITELIST" +ksym_wl=$(sed -n 's/^CONFIG_UNUSED_KSYMS_WHITELIST="\(.*\)"$/\1/p' include/config/auto.conf) +if [ -n "$ksym_wl" ]; then [ "${ksym_wl}" != "${ksym_wl#/}" ] || ksym_wl="$abs_srctree/$ksym_wl" if [ ! -f "$ksym_wl" ] || [ ! -r "$ksym_wl" ]; then echo "ERROR: '$ksym_wl' whitelist file not found" >&2 diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 5cdd9bc5c385..a4b61a2f65db 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -34,6 +34,10 @@ LD="$1" KBUILD_LDFLAGS="$2" LDFLAGS_vmlinux="$3" +is_enabled() { + grep -q "^$1=y" include/config/auto.conf +} + # Nice output in kbuild format # Will be supressed by "make -s" info() @@ -80,11 +84,11 @@ modpost_link() ${KBUILD_VMLINUX_LIBS} \ --end-group" - if [ -n "${CONFIG_LTO_CLANG}" ]; then + if is_enabled CONFIG_LTO_CLANG; then gen_initcalls lds="-T .tmp_initcalls.lds" - if [ -n "${CONFIG_MODVERSIONS}" ]; then + if is_enabled CONFIG_MODVERSIONS; then gen_symversions lds="${lds} -T .tmp_symversions.lds" fi @@ -104,21 +108,21 @@ objtool_link() local objtoolcmd; local objtoolopt; - if [ "${CONFIG_LTO_CLANG} ${CONFIG_STACK_VALIDATION}" = "y y" ]; then + if is_enabled CONFIG_LTO_CLANG && is_enabled CONFIG_STACK_VALIDATION; then # Don't perform vmlinux validation unless explicitly requested, # but run objtool on vmlinux.o now that we have an object file. - if [ -n "${CONFIG_UNWINDER_ORC}" ]; then + if is_enabled CONFIG_UNWINDER_ORC; then objtoolcmd="orc generate" fi objtoolopt="${objtoolopt} --duplicate" - if [ -n "${CONFIG_FTRACE_MCOUNT_USE_OBJTOOL}" ]; then + if is_enabled CONFIG_FTRACE_MCOUNT_USE_OBJTOOL; then objtoolopt="${objtoolopt} --mcount" fi fi - if [ -n "${CONFIG_VMLINUX_VALIDATION}" ]; then + if is_enabled CONFIG_VMLINUX_VALIDATION; then objtoolopt="${objtoolopt} --noinstr" fi @@ -127,16 +131,16 @@ objtool_link() objtoolcmd="check" fi objtoolopt="${objtoolopt} --vmlinux" - if [ -z "${CONFIG_FRAME_POINTER}" ]; then + if ! is_enabled CONFIG_FRAME_POINTER; then objtoolopt="${objtoolopt} --no-fp" fi - if [ -n "${CONFIG_GCOV_KERNEL}" ] || [ -n "${CONFIG_LTO_CLANG}" ]; then + if is_enabled CONFIG_GCOV_KERNEL || is_enabled CONFIG_LTO_CLANG; then objtoolopt="${objtoolopt} --no-unreachable" fi - if [ -n "${CONFIG_RETPOLINE}" ]; then + if is_enabled CONFIG_RETPOLINE; then objtoolopt="${objtoolopt} --retpoline" fi - if [ -n "${CONFIG_X86_SMAP}" ]; then + if is_enabled CONFIG_X86_SMAP; then objtoolopt="${objtoolopt} --uaccess" fi info OBJTOOL ${1} @@ -161,7 +165,7 @@ vmlinux_link() # skip output file argument shift - if [ -n "${CONFIG_LTO_CLANG}" ]; then + if is_enabled CONFIG_LTO_CLANG; then # Use vmlinux.o instead of performing the slow LTO link again. objs=vmlinux.o libs= @@ -189,7 +193,7 @@ vmlinux_link() ldflags="${ldflags} ${wl}--strip-debug" fi - if [ -n "${CONFIG_VMLINUX_MAP}" ]; then + if is_enabled CONFIG_VMLINUX_MAP; then ldflags="${ldflags} ${wl}-Map=${output}.map" fi @@ -239,15 +243,15 @@ kallsyms() { local kallsymopt; - if [ -n "${CONFIG_KALLSYMS_ALL}" ]; then + if is_enabled CONFIG_KALLSYMS_ALL; then kallsymopt="${kallsymopt} --all-symbols" fi - if [ -n "${CONFIG_KALLSYMS_ABSOLUTE_PERCPU}" ]; then + if is_enabled CONFIG_KALLSYMS_ABSOLUTE_PERCPU; then kallsymopt="${kallsymopt} --absolute-percpu" fi - if [ -n "${CONFIG_KALLSYMS_BASE_RELATIVE}" ]; then + if is_enabled CONFIG_KALLSYMS_BASE_RELATIVE; then kallsymopt="${kallsymopt} --base-relative" fi @@ -312,9 +316,6 @@ if [ "$1" = "clean" ]; then exit 0 fi -# We need access to CONFIG_ symbols -. include/config/auto.conf - # Update version info GEN .version if [ -r .version ]; then @@ -343,7 +344,7 @@ tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' | tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin btf_vmlinux_bin_o="" -if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then +if is_enabled CONFIG_DEBUG_INFO_BTF; then btf_vmlinux_bin_o=.btf.vmlinux.bin.o if ! gen_btf .tmp_vmlinux.btf $btf_vmlinux_bin_o ; then echo >&2 "Failed to generate BTF for vmlinux" @@ -355,7 +356,7 @@ fi kallsymso="" kallsymso_prev="" kallsyms_vmlinux="" -if [ -n "${CONFIG_KALLSYMS}" ]; then +if is_enabled CONFIG_KALLSYMS; then # kallsyms support # Generate section listing all symbols and add it into vmlinux @@ -395,12 +396,12 @@ fi vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o} # fill in BTF IDs -if [ -n "${CONFIG_DEBUG_INFO_BTF}" -a -n "${CONFIG_BPF}" ]; then +if is_enabled CONFIG_DEBUG_INFO_BTF && is_enabled CONFIG_BPF; then info BTFIDS vmlinux ${RESOLVE_BTFIDS} vmlinux fi -if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then +if is_enabled CONFIG_BUILDTIME_TABLE_SORT; then info SORTTAB vmlinux if ! sorttable vmlinux; then echo >&2 Failed to sort kernel tables @@ -412,7 +413,7 @@ info SYSMAP System.map mksysmap vmlinux System.map # step a (see comment above) -if [ -n "${CONFIG_KALLSYMS}" ]; then +if is_enabled CONFIG_KALLSYMS; then mksysmap ${kallsyms_vmlinux} .tmp_System.map if ! cmp -s System.map .tmp_System.map; then diff --git a/scripts/setlocalversion b/scripts/setlocalversion index 6b54e46a0f12..d06137405190 100755 --- a/scripts/setlocalversion +++ b/scripts/setlocalversion @@ -111,9 +111,7 @@ if $scm_only; then exit fi -if test -e include/config/auto.conf; then - . include/config/auto.conf -else +if ! test -e include/config/auto.conf; then echo "Error: kernelrelease not valid - run 'make prepare' to update it" >&2 exit 1 fi @@ -125,10 +123,11 @@ if test ! "$srctree" -ef .; then fi # CONFIG_LOCALVERSION and LOCALVERSION (if set) -res="${res}${CONFIG_LOCALVERSION}${LOCALVERSION}" +config_localversion=$(sed -n 's/^CONFIG_LOCALVERSION="\(.*\)"$/\1/p' include/config/auto.conf) +res="${res}${config_localversion}${LOCALVERSION}" # scm version string if not at a tagged commit -if test "$CONFIG_LOCALVERSION_AUTO" = "y"; then +if grep -q "^CONFIG_LOCALVERSION_AUTO=y$" include/config/auto.conf; then # full scm version string res="$res$(scm_version)" elif [ "${LOCALVERSION+set}" != "set" ]; then From 129ab0d2d9f38b9d43df35235fc66c6740d6928b Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:53 +0900 Subject: [PATCH 26/34] kbuild: do not quote string values in include/config/auto.conf The previous commit fixed up all shell scripts to not include include/config/auto.conf. Now that include/config/auto.conf is only included by Makefiles, we can change it into a more Make-friendly form. Previously, Kconfig output string values enclosed with double-quotes (both in the .config and include/config/auto.conf): CONFIG_X="foo bar" Unlike shell, Make handles double-quotes (and single-quotes as well) verbatim. We must rip them off when used. There are some patterns: [1] $(patsubst "%",%,$(CONFIG_X)) [2] $(CONFIG_X:"%"=%) [3] $(subst ",,$(CONFIG_X)) [4] $(shell echo $(CONFIG_X)) These are not only ugly, but also fragile. [1] and [2] do not work if the value contains spaces, like CONFIG_X=" foo bar " [3] does not work correctly if the value contains double-quotes like CONFIG_X="foo\"bar" [4] seems to work better, but has a cost of forking a process. Anyway, quoted strings were always PITA for our Makefiles. This commit changes Kconfig to stop quoting in include/config/auto.conf. These are the string type symbols referenced in Makefiles or scripts: ACPI_CUSTOM_DSDT_FILE ARC_BUILTIN_DTB_NAME ARC_TUNE_MCPU BUILTIN_DTB_SOURCE CC_IMPLICIT_FALLTHROUGH CC_VERSION_TEXT CFG80211_EXTRA_REGDB_KEYDIR EXTRA_FIRMWARE EXTRA_FIRMWARE_DIR EXTRA_TARGETS H8300_BUILTIN_DTB INITRAMFS_SOURCE LOCALVERSION MODULE_SIG_HASH MODULE_SIG_KEY NDS32_BUILTIN_DTB NIOS2_DTB_SOURCE OPENRISC_BUILTIN_DTB SOC_CANAAN_K210_DTB_SOURCE SYSTEM_BLACKLIST_HASH_LIST SYSTEM_REVOCATION_KEYS SYSTEM_TRUSTED_KEYS TARGET_CPU UNUSED_KSYMS_WHITELIST XILINX_MICROBLAZE0_FAMILY XILINX_MICROBLAZE0_HW_VER XTENSA_VARIANT_NAME I checked them one by one, and fixed up the code where necessary. Signed-off-by: Masahiro Yamada --- Makefile | 4 ++-- arch/arc/Makefile | 4 ++-- arch/arc/boot/dts/Makefile | 4 ++-- arch/h8300/boot/dts/Makefile | 6 +---- arch/microblaze/Makefile | 2 +- arch/nds32/boot/dts/Makefile | 7 +----- arch/nios2/boot/dts/Makefile | 2 +- arch/openrisc/boot/dts/Makefile | 7 +----- arch/powerpc/boot/Makefile | 2 +- arch/riscv/boot/dts/canaan/Makefile | 4 +--- arch/sh/boot/dts/Makefile | 4 +--- arch/xtensa/Makefile | 2 +- arch/xtensa/boot/dts/Makefile | 5 +--- certs/Makefile | 10 ++------ drivers/acpi/Makefile | 2 +- drivers/base/firmware_loader/builtin/Makefile | 4 ++-- init/Makefile | 2 +- net/wireless/Makefile | 4 ++-- scripts/Makefile.modinst | 1 - scripts/gen_autoksyms.sh | 2 +- scripts/kconfig/confdata.c | 24 ++++++++++--------- scripts/setlocalversion | 2 +- usr/Makefile | 2 +- 23 files changed, 40 insertions(+), 66 deletions(-) diff --git a/Makefile b/Makefile index f1e3bb73bb74..3c44b08220bf 100644 --- a/Makefile +++ b/Makefile @@ -1720,9 +1720,9 @@ PHONY += prepare # now expand this into a simple variable to reduce the cost of shell evaluations prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT) prepare: - @if [ "$(CC_VERSION_TEXT)" != $(CONFIG_CC_VERSION_TEXT) ]; then \ + @if [ "$(CC_VERSION_TEXT)" != "$(CONFIG_CC_VERSION_TEXT)" ]; then \ echo >&2 "warning: the compiler differs from the one used to build the kernel"; \ - echo >&2 " The kernel was built by: "$(CONFIG_CC_VERSION_TEXT); \ + echo >&2 " The kernel was built by: $(CONFIG_CC_VERSION_TEXT)"; \ echo >&2 " You are using: $(CC_VERSION_TEXT)"; \ fi diff --git a/arch/arc/Makefile b/arch/arc/Makefile index f252e7b924e9..efc54f3e35e0 100644 --- a/arch/arc/Makefile +++ b/arch/arc/Makefile @@ -14,10 +14,10 @@ cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__ tune-mcpu-def-$(CONFIG_ISA_ARCOMPACT) := -mcpu=arc700 tune-mcpu-def-$(CONFIG_ISA_ARCV2) := -mcpu=hs38 -ifeq ($(CONFIG_ARC_TUNE_MCPU),"") +ifeq ($(CONFIG_ARC_TUNE_MCPU),) cflags-y += $(tune-mcpu-def-y) else -tune-mcpu := $(shell echo $(CONFIG_ARC_TUNE_MCPU)) +tune-mcpu := $(CONFIG_ARC_TUNE_MCPU) ifneq ($(call cc-option,$(tune-mcpu)),) cflags-y += $(tune-mcpu) else diff --git a/arch/arc/boot/dts/Makefile b/arch/arc/boot/dts/Makefile index 8483a86c743d..4237aa5de3a3 100644 --- a/arch/arc/boot/dts/Makefile +++ b/arch/arc/boot/dts/Makefile @@ -2,8 +2,8 @@ # Built-in dtb builtindtb-y := nsim_700 -ifneq ($(CONFIG_ARC_BUILTIN_DTB_NAME),"") - builtindtb-y := $(patsubst "%",%,$(CONFIG_ARC_BUILTIN_DTB_NAME)) +ifneq ($(CONFIG_ARC_BUILTIN_DTB_NAME),) + builtindtb-y := $(CONFIG_ARC_BUILTIN_DTB_NAME) endif obj-y += $(builtindtb-y).dtb.o diff --git a/arch/h8300/boot/dts/Makefile b/arch/h8300/boot/dts/Makefile index 69fcd817892c..c36bbd1f2592 100644 --- a/arch/h8300/boot/dts/Makefile +++ b/arch/h8300/boot/dts/Makefile @@ -1,9 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -ifneq '$(CONFIG_H8300_BUILTIN_DTB)' '""' -BUILTIN_DTB := $(patsubst "%",%,$(CONFIG_H8300_BUILTIN_DTB)).dtb.o -endif - -obj-y += $(BUILTIN_DTB) +obj-y += $(addsuffix .dtb.o, $(CONFIG_H8300_BUILTIN_DTB)) dtb-$(CONFIG_H8300H_SIM) := h8300h_sim.dtb dtb-$(CONFIG_H8S_SIM) := h8s_sim.dtb diff --git a/arch/microblaze/Makefile b/arch/microblaze/Makefile index e775a696aa6f..a25e76d89e86 100644 --- a/arch/microblaze/Makefile +++ b/arch/microblaze/Makefile @@ -5,7 +5,7 @@ UTS_SYSNAME = -DUTS_SYSNAME=\"Linux\" # What CPU version are we building for, and crack it open # as major.minor.rev -CPU_VER := $(shell echo $(CONFIG_XILINX_MICROBLAZE0_HW_VER)) +CPU_VER := $(CONFIG_XILINX_MICROBLAZE0_HW_VER) CPU_MAJOR := $(shell echo $(CPU_VER) | cut -d '.' -f 1) CPU_MINOR := $(shell echo $(CPU_VER) | cut -d '.' -f 2) CPU_REV := $(shell echo $(CPU_VER) | cut -d '.' -f 3) diff --git a/arch/nds32/boot/dts/Makefile b/arch/nds32/boot/dts/Makefile index f84bd529b6fd..4fc69562eae8 100644 --- a/arch/nds32/boot/dts/Makefile +++ b/arch/nds32/boot/dts/Makefile @@ -1,7 +1,2 @@ # SPDX-License-Identifier: GPL-2.0-only -ifneq '$(CONFIG_NDS32_BUILTIN_DTB)' '""' -BUILTIN_DTB := $(patsubst "%",%,$(CONFIG_NDS32_BUILTIN_DTB)).dtb.o -else -BUILTIN_DTB := -endif -obj-$(CONFIG_OF) += $(BUILTIN_DTB) +obj-$(CONFIG_OF) += $(addsuffix .dtb.o, $(CONFIG_NDS32_BUILTIN_DTB)) diff --git a/arch/nios2/boot/dts/Makefile b/arch/nios2/boot/dts/Makefile index a91a0b09be63..e9e31bb40df8 100644 --- a/arch/nios2/boot/dts/Makefile +++ b/arch/nios2/boot/dts/Makefile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 -obj-y := $(patsubst "%.dts",%.dtb.o,$(CONFIG_NIOS2_DTB_SOURCE)) +obj-y := $(patsubst %.dts,%.dtb.o,$(CONFIG_NIOS2_DTB_SOURCE)) dtstree := $(srctree)/$(src) dtb-$(CONFIG_OF_ALL_DTBS) := $(patsubst $(dtstree)/%.dts,%.dtb, $(wildcard $(dtstree)/*.dts)) diff --git a/arch/openrisc/boot/dts/Makefile b/arch/openrisc/boot/dts/Makefile index 17dd791a833f..13db5a2aab52 100644 --- a/arch/openrisc/boot/dts/Makefile +++ b/arch/openrisc/boot/dts/Makefile @@ -1,9 +1,4 @@ # SPDX-License-Identifier: GPL-2.0 -ifneq '$(CONFIG_OPENRISC_BUILTIN_DTB)' '""' -BUILTIN_DTB := $(patsubst "%",%,$(CONFIG_OPENRISC_BUILTIN_DTB)).dtb.o -else -BUILTIN_DTB := -endif -obj-y += $(BUILTIN_DTB) +obj-y += $(addsuffix .dtb.o, $(CONFIG_OPENRISC_BUILTIN_DTB)) #DTC_FLAGS ?= -p 1024 diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile index 9993c6256ad2..4b4827c475c6 100644 --- a/arch/powerpc/boot/Makefile +++ b/arch/powerpc/boot/Makefile @@ -365,7 +365,7 @@ image-$(CONFIG_PPC_PMAC) += zImage.coff zImage.miboot endif # Allow extra targets to be added to the defconfig -image-y += $(subst ",,$(CONFIG_EXTRA_TARGETS)) +image-y += $(CONFIG_EXTRA_TARGETS) initrd- := $(patsubst zImage%, zImage.initrd%, $(image-)) initrd-y := $(patsubst zImage%, zImage.initrd%, \ diff --git a/arch/riscv/boot/dts/canaan/Makefile b/arch/riscv/boot/dts/canaan/Makefile index 9ee7156c0c31..c61b08ac8554 100644 --- a/arch/riscv/boot/dts/canaan/Makefile +++ b/arch/riscv/boot/dts/canaan/Makefile @@ -1,5 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 -ifneq ($(CONFIG_SOC_CANAAN_K210_DTB_SOURCE),"") -dtb-y += $(strip $(shell echo $(CONFIG_SOC_CANAAN_K210_DTB_SOURCE))).dtb +dtb-$(CONFIG_SOC_CANAAN_K210_DTB_BUILTIN) += $(addsuffix .dtb, $(CONFIG_SOC_CANAAN_K210_DTB_SOURCE)) obj-$(CONFIG_SOC_CANAAN_K210_DTB_BUILTIN) += $(addsuffix .o, $(dtb-y)) -endif diff --git a/arch/sh/boot/dts/Makefile b/arch/sh/boot/dts/Makefile index c17d65b82abe..4a6dec9714a9 100644 --- a/arch/sh/boot/dts/Makefile +++ b/arch/sh/boot/dts/Makefile @@ -1,4 +1,2 @@ # SPDX-License-Identifier: GPL-2.0-only -ifneq ($(CONFIG_BUILTIN_DTB_SOURCE),"") -obj-$(CONFIG_USE_BUILTIN_DTB) += $(patsubst "%",%,$(CONFIG_BUILTIN_DTB_SOURCE)).dtb.o -endif +obj-$(CONFIG_USE_BUILTIN_DTB) += $(addsuffix .dtb.o, $(CONFIG_BUILTIN_DTB_SOURCE)) diff --git a/arch/xtensa/Makefile b/arch/xtensa/Makefile index 9778216d6e09..ee2769519eaf 100644 --- a/arch/xtensa/Makefile +++ b/arch/xtensa/Makefile @@ -12,7 +12,7 @@ # Core configuration. # (Use VAR= to use another default compiler.) -variant-y := $(patsubst "%",%,$(CONFIG_XTENSA_VARIANT_NAME)) +variant-y := $(CONFIG_XTENSA_VARIANT_NAME) VARIANT = $(variant-y) diff --git a/arch/xtensa/boot/dts/Makefile b/arch/xtensa/boot/dts/Makefile index 0b8d00cdae7c..720628c0d8b9 100644 --- a/arch/xtensa/boot/dts/Makefile +++ b/arch/xtensa/boot/dts/Makefile @@ -7,10 +7,7 @@ # # -BUILTIN_DTB_SOURCE := $(patsubst "%",%,$(CONFIG_BUILTIN_DTB_SOURCE)).dtb.o -ifneq ($(CONFIG_BUILTIN_DTB_SOURCE),"") -obj-$(CONFIG_OF) += $(BUILTIN_DTB_SOURCE) -endif +obj-$(CONFIG_OF) += $(addsuffix .dtb.o, $(CONFIG_BUILTIN_DTB_SOURCE)) # for CONFIG_OF_ALL_DTBS test dtstree := $(srctree)/$(src) diff --git a/certs/Makefile b/certs/Makefile index 69c1404152ef..7b48445d71f6 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -6,7 +6,7 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o -ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") +ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o @@ -17,8 +17,6 @@ quiet_cmd_extract_certs = CERT $@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list -CONFIG_SYSTEM_TRUSTED_KEYS := $(CONFIG_SYSTEM_TRUSTED_KEYS:"%"=%) - $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) @@ -46,7 +44,7 @@ ifdef SIGN_KEY # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. -ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") +ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem) keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) := -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 @@ -69,8 +67,6 @@ $(obj)/x509.genkey: endif # CONFIG_MODULE_SIG_KEY -CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) - # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it ifneq ($(filter-out pkcs11:%, %(CONFIG_MODULE_SIG_KEY)),) X509_DEP := $(CONFIG_MODULE_SIG_KEY) @@ -86,8 +82,6 @@ targets += signing_key.x509 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -CONFIG_SYSTEM_REVOCATION_KEYS := $(CONFIG_SYSTEM_REVOCATION_KEYS:"%"=%) - $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile index 3018714e87d9..da0cdd1e9380 100644 --- a/drivers/acpi/Makefile +++ b/drivers/acpi/Makefile @@ -9,7 +9,7 @@ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT # ACPI Boot-Time Table Parsing # ifeq ($(CONFIG_ACPI_CUSTOM_DSDT),y) -tables.o: $(src)/../../include/$(subst $\",,$(CONFIG_ACPI_CUSTOM_DSDT_FILE)) ; +tables.o: $(src)/../../include/$(CONFIG_ACPI_CUSTOM_DSDT_FILE) ; endif diff --git a/drivers/base/firmware_loader/builtin/Makefile b/drivers/base/firmware_loader/builtin/Makefile index eb4be452062a..6c067dedc01e 100644 --- a/drivers/base/firmware_loader/builtin/Makefile +++ b/drivers/base/firmware_loader/builtin/Makefile @@ -3,10 +3,10 @@ obj-y += main.o # Create $(fwdir) from $(CONFIG_EXTRA_FIRMWARE_DIR) -- if it doesn't have a # leading /, it's relative to $(srctree). -fwdir := $(subst $(quote),,$(CONFIG_EXTRA_FIRMWARE_DIR)) +fwdir := $(CONFIG_EXTRA_FIRMWARE_DIR) fwdir := $(addprefix $(srctree)/,$(filter-out /%,$(fwdir)))$(filter /%,$(fwdir)) -firmware := $(addsuffix .gen.o, $(subst $(quote),,$(CONFIG_EXTRA_FIRMWARE))) +firmware := $(addsuffix .gen.o, $(CONFIG_EXTRA_FIRMWARE)) obj-y += $(firmware) FWNAME = $(patsubst $(obj)/%.gen.S,%,$@) diff --git a/init/Makefile b/init/Makefile index 04eeee12c076..06326e304384 100644 --- a/init/Makefile +++ b/init/Makefile @@ -31,7 +31,7 @@ quiet_cmd_compile.h = CHK $@ cmd_compile.h = \ $(CONFIG_SHELL) $(srctree)/scripts/mkcompile_h $@ \ "$(UTS_MACHINE)" "$(CONFIG_SMP)" "$(CONFIG_PREEMPT_BUILD)" \ - "$(CONFIG_PREEMPT_RT)" $(CONFIG_CC_VERSION_TEXT) "$(LD)" + "$(CONFIG_PREEMPT_RT)" "$(CONFIG_CC_VERSION_TEXT)" "$(LD)" include/generated/compile.h: FORCE $(call cmd,compile.h) diff --git a/net/wireless/Makefile b/net/wireless/Makefile index 756e7de7e33f..1e9be50469ce 100644 --- a/net/wireless/Makefile +++ b/net/wireless/Makefile @@ -33,8 +33,8 @@ $(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex) echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \ ) > $@ -$(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%) \ - $(wildcard $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%)/*.x509) +$(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDI) \ + $(wildcard $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR)/*.x509) @$(kecho) " GEN $@" $(Q)(set -e; \ allf=""; \ diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index df7e3d578ef5..c2c43a0ecfe0 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -66,7 +66,6 @@ endif # Don't stop modules_install even if we can't sign external modules. # ifeq ($(CONFIG_MODULE_SIG_ALL),y) -CONFIG_MODULE_SIG_KEY := $(CONFIG_MODULE_SIG_KEY:"%"=%) sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY) quiet_cmd_sign = SIGN $@ cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \ diff --git a/scripts/gen_autoksyms.sh b/scripts/gen_autoksyms.sh index 949d6a054034..120225c541c5 100755 --- a/scripts/gen_autoksyms.sh +++ b/scripts/gen_autoksyms.sh @@ -23,7 +23,7 @@ if grep -q "^CONFIG_MODVERSIONS=y$" include/config/auto.conf; then needed_symbols="$needed_symbols module_layout" fi -ksym_wl=$(sed -n 's/^CONFIG_UNUSED_KSYMS_WHITELIST="\(.*\)"$/\1/p' include/config/auto.conf) +ksym_wl=$(sed -n 's/^CONFIG_UNUSED_KSYMS_WHITELIST=\(.*\)$/\1/p' include/config/auto.conf) if [ -n "$ksym_wl" ]; then [ "${ksym_wl}" != "${ksym_wl#/}" ] || ksym_wl="$abs_srctree/$ksym_wl" if [ ! -f "$ksym_wl" ] || [ ! -r "$ksym_wl" ]; then diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c index 42bc56ee238c..59717be31210 100644 --- a/scripts/kconfig/confdata.c +++ b/scripts/kconfig/confdata.c @@ -244,19 +244,21 @@ static int conf_set_sym_val(struct symbol *sym, int def, int def_flags, char *p) p, sym->name); return 1; case S_STRING: - if (*p++ != '"') - break; - for (p2 = p; (p2 = strpbrk(p2, "\"\\")); p2++) { - if (*p2 == '"') { - *p2 = 0; + /* No escaping for S_DEF_AUTO (include/config/auto.conf) */ + if (def != S_DEF_AUTO) { + if (*p++ != '"') break; + for (p2 = p; (p2 = strpbrk(p2, "\"\\")); p2++) { + if (*p2 == '"') { + *p2 = 0; + break; + } + memmove(p2, p2 + 1, strlen(p2)); } - memmove(p2, p2 + 1, strlen(p2)); - } - if (!p2) { - if (def != S_DEF_AUTO) + if (!p2) { conf_warning("invalid string found"); - return 1; + return 1; + } } /* fall through */ case S_INT: @@ -700,7 +702,7 @@ static void print_symbol_for_dotconfig(FILE *fp, struct symbol *sym) static void print_symbol_for_autoconf(FILE *fp, struct symbol *sym) { - __print_symbol(fp, sym, OUTPUT_N_NONE, true); + __print_symbol(fp, sym, OUTPUT_N_NONE, false); } void print_symbol_for_listconfig(struct symbol *sym) diff --git a/scripts/setlocalversion b/scripts/setlocalversion index d06137405190..af4754a35e66 100755 --- a/scripts/setlocalversion +++ b/scripts/setlocalversion @@ -123,7 +123,7 @@ if test ! "$srctree" -ef .; then fi # CONFIG_LOCALVERSION and LOCALVERSION (if set) -config_localversion=$(sed -n 's/^CONFIG_LOCALVERSION="\(.*\)"$/\1/p' include/config/auto.conf) +config_localversion=$(sed -n 's/^CONFIG_LOCALVERSION=\(.*\)$/\1/p' include/config/auto.conf) res="${res}${config_localversion}${LOCALVERSION}" # scm version string if not at a tagged commit diff --git a/usr/Makefile b/usr/Makefile index b1a81a40eab1..7374873a539f 100644 --- a/usr/Makefile +++ b/usr/Makefile @@ -21,7 +21,7 @@ obj-$(CONFIG_BLK_DEV_INITRD) := initramfs_data.o $(obj)/initramfs_data.o: $(obj)/initramfs_inc_data -ramfs-input := $(strip $(shell echo $(CONFIG_INITRAMFS_SOURCE))) +ramfs-input := $(CONFIG_INITRAMFS_SOURCE) cpio-data := # If CONFIG_INITRAMFS_SOURCE is empty, generate a small initramfs with the From 340a02535ee785c64c62a9c45706597a0139e972 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:54 +0900 Subject: [PATCH 27/34] certs: move scripts/extract-cert to certs/ extract-cert is only used in certs/Makefile. Move it there and build extract-cert on demand. Signed-off-by: Masahiro Yamada --- MAINTAINERS | 1 - certs/.gitignore | 1 + certs/Makefile | 13 +++++++++---- {scripts => certs}/extract-cert.c | 2 +- scripts/.gitignore | 1 - scripts/Makefile | 11 ++--------- scripts/remove-stale-files | 2 ++ 7 files changed, 15 insertions(+), 16 deletions(-) rename {scripts => certs}/extract-cert.c (98%) diff --git a/MAINTAINERS b/MAINTAINERS index 360e9aa0205d..f321ddbb1ab0 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4410,7 +4410,6 @@ L: keyrings@vger.kernel.org S: Maintained F: Documentation/admin-guide/module-signing.rst F: certs/ -F: scripts/extract-cert.c F: scripts/sign-file.c CFAG12864B LCD DRIVER diff --git a/certs/.gitignore b/certs/.gitignore index 8c3763f80be3..9e42fe3e02f5 100644 --- a/certs/.gitignore +++ b/certs/.gitignore @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0-only +/extract-cert /x509_certificate_list /x509_revocation_list diff --git a/certs/Makefile b/certs/Makefile index 7b48445d71f6..f7041c29a2e0 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -13,11 +13,11 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif quiet_cmd_extract_certs = CERT $@ - cmd_extract_certs = scripts/extract-cert $(2) $@ + cmd_extract_certs = $(obj)/extract-cert $(2) $@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list -$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) scripts/extract-cert FORCE +$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_TRUSTED_KEYS),$<,"")) targets += x509_certificate_list @@ -74,7 +74,7 @@ endif $(obj)/system_certificates.o: $(obj)/signing_key.x509 -$(obj)/signing_key.x509: $(X509_DEP) scripts/extract-cert FORCE +$(obj)/signing_key.x509: $(X509_DEP) $(obj)/extract-cert FORCE $(call if_changed,extract_certs,$(if $(X509_DEP),$<,$(CONFIG_MODULE_SIG_KEY))) endif # CONFIG_MODULE_SIG @@ -82,7 +82,12 @@ targets += signing_key.x509 $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list -$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) scripts/extract-cert FORCE +$(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE $(call if_changed,extract_certs,$(if $(CONFIG_SYSTEM_REVOCATION_KEYS),$<,"")) targets += x509_revocation_list + +hostprogs := extract-cert + +HOSTCFLAGS_extract-cert.o = $(shell pkg-config --cflags libcrypto 2> /dev/null) +HOSTLDLIBS_extract-cert = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) diff --git a/scripts/extract-cert.c b/certs/extract-cert.c similarity index 98% rename from scripts/extract-cert.c rename to certs/extract-cert.c index 3bc48c726c41..f7ef7862f207 100644 --- a/scripts/extract-cert.c +++ b/certs/extract-cert.c @@ -29,7 +29,7 @@ static __attribute__((noreturn)) void format(void) { fprintf(stderr, - "Usage: scripts/extract-cert \n"); + "Usage: extract-cert \n"); exit(2); } diff --git a/scripts/.gitignore b/scripts/.gitignore index e83c620ef52c..eed308bef604 100644 --- a/scripts/.gitignore +++ b/scripts/.gitignore @@ -1,7 +1,6 @@ # SPDX-License-Identifier: GPL-2.0-only /asn1_compiler /bin2c -/extract-cert /insert-sys-cert /kallsyms /module.lds diff --git a/scripts/Makefile b/scripts/Makefile index 9adb6d247818..e198b22dc476 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -3,25 +3,18 @@ # scripts contains sources for various helper programs used throughout # the kernel for the build process. -CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) -CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null) - hostprogs-always-$(CONFIG_BUILD_BIN2C) += bin2c hostprogs-always-$(CONFIG_KALLSYMS) += kallsyms hostprogs-always-$(BUILD_C_RECORDMCOUNT) += recordmcount hostprogs-always-$(CONFIG_BUILDTIME_TABLE_SORT) += sorttable hostprogs-always-$(CONFIG_ASN1) += asn1_compiler hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file -hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert -hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include -HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS) -HOSTLDLIBS_sign-file = $(CRYPTO_LIBS) -HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS) -HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS) +HOSTCFLAGS_sign-file.o = $(shell pkg-config --cflags libcrypto 2> /dev/null) +HOSTLDLIBS_sign-file = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) ifdef CONFIG_UNWINDER_ORC ifeq ($(ARCH),x86_64) diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files index 0114c41e6938..dd230792056a 100755 --- a/scripts/remove-stale-files +++ b/scripts/remove-stale-files @@ -34,3 +34,5 @@ if [ -n "${building_out_of_srctree}" ]; then rm -f arch/mips/boot/compressed/${f} done fi + +rm -f scripts/extract-cert From c0ee9bba55e1fda8ca22a2ac714d54737def50d4 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 14 Dec 2021 11:53:55 +0900 Subject: [PATCH 28/34] microblaze: use built-in function to get CPU_{MAJOR,MINOR,REV} Use built-in functions instead of shell commands to avoid forking processes. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- arch/microblaze/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/microblaze/Makefile b/arch/microblaze/Makefile index a25e76d89e86..1826d9ce4459 100644 --- a/arch/microblaze/Makefile +++ b/arch/microblaze/Makefile @@ -6,9 +6,9 @@ UTS_SYSNAME = -DUTS_SYSNAME=\"Linux\" # What CPU version are we building for, and crack it open # as major.minor.rev CPU_VER := $(CONFIG_XILINX_MICROBLAZE0_HW_VER) -CPU_MAJOR := $(shell echo $(CPU_VER) | cut -d '.' -f 1) -CPU_MINOR := $(shell echo $(CPU_VER) | cut -d '.' -f 2) -CPU_REV := $(shell echo $(CPU_VER) | cut -d '.' -f 3) +CPU_MAJOR := $(word 1, $(subst ., , $(CPU_VER))) +CPU_MINOR := $(word 2, $(subst ., , $(CPU_VER))) +CPU_REV := $(word 3, $(subst ., , $(CPU_VER))) export CPU_VER CPU_MAJOR CPU_MINOR CPU_REV From c199d5d0a79d4eb11623e0eb645b27d271f8d713 Mon Sep 17 00:00:00 2001 From: Miguel Ojeda Date: Fri, 31 Dec 2021 20:59:25 +0100 Subject: [PATCH 29/34] doc: kbuild: fix default in `imply` table `BAZ` takes `FOO`'s value as default (as far as `BAR` allows it). Signed-off-by: Miguel Ojeda Signed-off-by: Masahiro Yamada --- Documentation/kbuild/kconfig-language.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/kbuild/kconfig-language.rst b/Documentation/kbuild/kconfig-language.rst index 98c24183d8c3..93a5b6e1fabd 100644 --- a/Documentation/kbuild/kconfig-language.rst +++ b/Documentation/kbuild/kconfig-language.rst @@ -176,7 +176,7 @@ applicable everywhere (see syntax). y y y Y/m/n n m n N/m m m m M/n - y m n M/n + y m m M/n y n * N === === ============= ============== From 82977af93a0dc4e70f60ca2137b67f65ebe47fc7 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 10 Jan 2022 03:15:25 +0900 Subject: [PATCH 30/34] sh: rename suffix-y to suffix_y 'export suffix-y' does not work reliably because hyphens are disallowed in shell variables. A similar issue was fixed by commit 2bfbe7881ee0 ("kbuild: Do not use hyphen in exported variable name"). If I do similar in dash, ARCH=sh fails to build. $ mv linux linux~ $ cd linux~ $ dash $ make O=foo/bar ARCH=sh CROSS_COMPILE=sh4-linux-gnu- defconfig all make[1]: Entering directory '/home/masahiro/linux~/foo/bar' [ snip ] make[4]: *** No rule to make target 'arch/sh/boot/compressed/vmlinux.bin.', needed by 'arch/sh/boot/compressed/piggy.o'. Stop. make[3]: *** [/home/masahiro/linux~/arch/sh/boot/Makefile:40: arch/sh/boot/compressed/vmlinux] Error 2 make[2]: *** [/home/masahiro/linux~/arch/sh/Makefile:194: zImage] Error 2 make[1]: *** [/home/masahiro/linux~/Makefile:350: __build_one_by_one] Error 2 make[1]: Leaving directory '/home/masahiro/linux~/foo/bar' make: *** [Makefile:219: __sub-make] Error 2 The maintainer of GNU Make stated that there is no consistent way to export variables that do not meet the shell's naming criteria. (https://savannah.gnu.org/bugs/?55719) Consequently, you cannot use hyphens in exported variables. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- arch/sh/boot/Makefile | 16 ++++++++-------- arch/sh/boot/compressed/Makefile | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/arch/sh/boot/Makefile b/arch/sh/boot/Makefile index 5c123f5b2797..1f5d2df3c7e0 100644 --- a/arch/sh/boot/Makefile +++ b/arch/sh/boot/Makefile @@ -19,12 +19,12 @@ CONFIG_ZERO_PAGE_OFFSET ?= 0x00001000 CONFIG_ENTRY_OFFSET ?= 0x00001000 CONFIG_PHYSICAL_START ?= $(CONFIG_MEMORY_START) -suffix-y := bin -suffix-$(CONFIG_KERNEL_GZIP) := gz -suffix-$(CONFIG_KERNEL_BZIP2) := bz2 -suffix-$(CONFIG_KERNEL_LZMA) := lzma -suffix-$(CONFIG_KERNEL_XZ) := xz -suffix-$(CONFIG_KERNEL_LZO) := lzo +suffix_y := bin +suffix_$(CONFIG_KERNEL_GZIP) := gz +suffix_$(CONFIG_KERNEL_BZIP2) := bz2 +suffix_$(CONFIG_KERNEL_LZMA) := lzma +suffix_$(CONFIG_KERNEL_XZ) := xz +suffix_$(CONFIG_KERNEL_LZO) := lzo targets := zImage vmlinux.srec romImage uImage uImage.srec uImage.gz \ uImage.bz2 uImage.lzma uImage.xz uImage.lzo uImage.bin \ @@ -106,10 +106,10 @@ OBJCOPYFLAGS_uImage.srec := -I binary -O srec $(obj)/uImage.srec: $(obj)/uImage FORCE $(call if_changed,objcopy) -$(obj)/uImage: $(obj)/uImage.$(suffix-y) +$(obj)/uImage: $(obj)/uImage.$(suffix_y) @ln -sf $(notdir $<) $@ @echo ' Image $@ is ready' export CONFIG_PAGE_OFFSET CONFIG_MEMORY_START CONFIG_BOOT_LINK_OFFSET \ CONFIG_PHYSICAL_START CONFIG_ZERO_PAGE_OFFSET CONFIG_ENTRY_OFFSET \ - KERNEL_MEMORY suffix-y + KERNEL_MEMORY suffix_y diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile index cf3174df7859..c1eb9a62de55 100644 --- a/arch/sh/boot/compressed/Makefile +++ b/arch/sh/boot/compressed/Makefile @@ -64,5 +64,5 @@ OBJCOPYFLAGS += -R .empty_zero_page LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T -$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE +$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE $(call if_changed,ld) From 64d8aaa4ef388b22372de4dc9ce3b9b3e5f45b6c Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 10 Jan 2022 03:15:26 +0900 Subject: [PATCH 31/34] kbuild: drop $(size_append) from cmd_zstd The appended file size is only used by the decompressors, which some architectures support. As the comment "zstd22 is used for kernel compression" says, cmd_zstd22 is used in arch/{mips,s390,x86}/boot/compressed/Makefile. On the other hand, there is no good reason to append the file size to cmd_zstd since it is used for other purposes. Actually cmd_zstd is only used in usr/Makefile, where the appended file size is rather harmful. The initramfs with its file size appended is considered as corrupted data, so commit 65e00e04e5ae ("initramfs: refactor the initramfs build rules") added 'override size_append := :' to make it no-op. As a conclusion, this $(size_append) should not exist here. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- scripts/Makefile.lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index d1f865b8c0cb..5366466ea0e4 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -473,7 +473,7 @@ quiet_cmd_xzmisc = XZMISC $@ # be used because it would require zstd to allocate a 128 MB buffer. quiet_cmd_zstd = ZSTD $@ - cmd_zstd = { cat $(real-prereqs) | $(ZSTD) -19; $(size_append); } > $@ + cmd_zstd = cat $(real-prereqs) | $(ZSTD) -19 > $@ quiet_cmd_zstd22 = ZSTD22 $@ cmd_zstd22 = { cat $(real-prereqs) | $(ZSTD) -22 --ultra; $(size_append); } > $@ From 7ce7e984ab2b218d6e92d5165629022fe2daf9ee Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 10 Jan 2022 03:15:27 +0900 Subject: [PATCH 32/34] kbuild: rename cmd_{bzip2,lzma,lzo,lz4,xzkern,zstd22} GZIP-compressed files end with 4 byte data that represents the size of the original input. The decompressors (the self-extracting kernel) exploit it to know the vmlinux size beforehand. To mimic the GZIP's trailer, Kbuild provides cmd_{bzip2,lzma,lzo,lz4,xzkern,zstd22}. Unfortunately these macros are used everywhere despite the appended size data is only useful for the decompressors. There is no guarantee that such hand-crafted trailers are safely ignored. In fact, the kernel refuses compressed initramdfs with the garbage data. That is why usr/Makefile overrides size_append to make it no-op. To limit the use of such broken compressed files, this commit renames the existing macros as follows: cmd_bzip2 --> cmd_bzip2_with_size cmd_lzma --> cmd_lzma_with_size cmd_lzo --> cmd_lzo_with_size cmd_lz4 --> cmd_lz4_with_size cmd_xzkern --> cmd_xzkern_with_size cmd_zstd22 --> cmd_zstd22_with_size To keep the decompressors working, I updated the following Makefiles accordingly: arch/arm/boot/compressed/Makefile arch/h8300/boot/compressed/Makefile arch/mips/boot/compressed/Makefile arch/parisc/boot/compressed/Makefile arch/s390/boot/compressed/Makefile arch/sh/boot/compressed/Makefile arch/x86/boot/compressed/Makefile I reused the current macro names for the normal usecases; they produce the compressed data in the proper format. I did not touch the following: arch/arc/boot/Makefile arch/arm64/boot/Makefile arch/csky/boot/Makefile arch/mips/boot/Makefile arch/riscv/boot/Makefile arch/sh/boot/Makefile kernel/Makefile This means those Makefiles will stop appending the size data. I dropped the 'override size_append' hack from usr/Makefile. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- arch/arm/boot/compressed/Makefile | 8 ++++---- arch/h8300/boot/compressed/Makefile | 4 +++- arch/mips/boot/compressed/Makefile | 12 +++++------ arch/parisc/boot/compressed/Makefile | 10 +++++----- arch/s390/boot/compressed/Makefile | 12 +++++------ arch/sh/boot/compressed/Makefile | 8 ++++---- arch/x86/boot/compressed/Makefile | 12 +++++------ scripts/Makefile.lib | 30 ++++++++++++++++++++++------ usr/Makefile | 5 ----- 9 files changed, 58 insertions(+), 43 deletions(-) diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile index 91265e7ff672..adc0e318a1ea 100644 --- a/arch/arm/boot/compressed/Makefile +++ b/arch/arm/boot/compressed/Makefile @@ -77,10 +77,10 @@ CPPFLAGS_vmlinux.lds += -DTEXT_OFFSET="$(TEXT_OFFSET)" CPPFLAGS_vmlinux.lds += -DMALLOC_SIZE="$(MALLOC_SIZE)" compress-$(CONFIG_KERNEL_GZIP) = gzip -compress-$(CONFIG_KERNEL_LZO) = lzo -compress-$(CONFIG_KERNEL_LZMA) = lzma -compress-$(CONFIG_KERNEL_XZ) = xzkern -compress-$(CONFIG_KERNEL_LZ4) = lz4 +compress-$(CONFIG_KERNEL_LZO) = lzo_with_size +compress-$(CONFIG_KERNEL_LZMA) = lzma_with_size +compress-$(CONFIG_KERNEL_XZ) = xzkern_with_size +compress-$(CONFIG_KERNEL_LZ4) = lz4_with_size libfdt_objs := fdt_rw.o fdt_ro.o fdt_wip.o fdt.o diff --git a/arch/h8300/boot/compressed/Makefile b/arch/h8300/boot/compressed/Makefile index 5942793f77a0..6ab2fa5ba105 100644 --- a/arch/h8300/boot/compressed/Makefile +++ b/arch/h8300/boot/compressed/Makefile @@ -30,9 +30,11 @@ $(obj)/vmlinux.bin: vmlinux FORCE suffix-$(CONFIG_KERNEL_GZIP) := gzip suffix-$(CONFIG_KERNEL_LZO) := lzo +compress-$(CONFIG_KERNEL_GZIP) := gzip +compress-$(CONFIG_KERNEL_LZO) := lzo_with_size $(obj)/vmlinux.bin.$(suffix-y): $(obj)/vmlinux.bin FORCE - $(call if_changed,$(suffix-y)) + $(call if_changed,$(compress-y)) LDFLAGS_piggy.o := -r --format binary --oformat elf32-h8300-linux -T OBJCOPYFLAGS := -O binary diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile index f27cf31b4140..832f8001d7d9 100644 --- a/arch/mips/boot/compressed/Makefile +++ b/arch/mips/boot/compressed/Makefile @@ -64,12 +64,12 @@ $(obj)/vmlinux.bin: $(KBUILD_IMAGE) FORCE $(call if_changed,objcopy) tool_$(CONFIG_KERNEL_GZIP) = gzip -tool_$(CONFIG_KERNEL_BZIP2) = bzip2 -tool_$(CONFIG_KERNEL_LZ4) = lz4 -tool_$(CONFIG_KERNEL_LZMA) = lzma -tool_$(CONFIG_KERNEL_LZO) = lzo -tool_$(CONFIG_KERNEL_XZ) = xzkern -tool_$(CONFIG_KERNEL_ZSTD) = zstd22 +tool_$(CONFIG_KERNEL_BZIP2) = bzip2_with_size +tool_$(CONFIG_KERNEL_LZ4) = lz4_with_size +tool_$(CONFIG_KERNEL_LZMA) = lzma_with_size +tool_$(CONFIG_KERNEL_LZO) = lzo_with_size +tool_$(CONFIG_KERNEL_XZ) = xzkern_with_size +tool_$(CONFIG_KERNEL_ZSTD) = zstd22_with_size targets += vmlinux.bin.z diff --git a/arch/parisc/boot/compressed/Makefile b/arch/parisc/boot/compressed/Makefile index bf4f2891d0b7..2640f72d69ce 100644 --- a/arch/parisc/boot/compressed/Makefile +++ b/arch/parisc/boot/compressed/Makefile @@ -70,15 +70,15 @@ suffix-$(CONFIG_KERNEL_XZ) := xz $(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE $(call if_changed,gzip) $(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE - $(call if_changed,bzip2) + $(call if_changed,bzip2_with_size) $(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lz4) + $(call if_changed,lz4_with_size) $(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzma) + $(call if_changed,lzma_with_size) $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzo) + $(call if_changed,lzo_with_size) $(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE - $(call if_changed,xzkern) + $(call if_changed,xzkern_with_size) LDFLAGS_piggy.o := -r --format binary --oformat $(LD_BFD) -T $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE diff --git a/arch/s390/boot/compressed/Makefile b/arch/s390/boot/compressed/Makefile index 3b860061e84d..8ea880b7c3ec 100644 --- a/arch/s390/boot/compressed/Makefile +++ b/arch/s390/boot/compressed/Makefile @@ -71,17 +71,17 @@ suffix-$(CONFIG_KERNEL_ZSTD) := .zst $(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE $(call if_changed,gzip) $(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE - $(call if_changed,bzip2) + $(call if_changed,bzip2_with_size) $(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lz4) + $(call if_changed,lz4_with_size) $(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzma) + $(call if_changed,lzma_with_size) $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzo) + $(call if_changed,lzo_with_size) $(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE - $(call if_changed,xzkern) + $(call if_changed,xzkern_with_size) $(obj)/vmlinux.bin.zst: $(vmlinux.bin.all-y) FORCE - $(call if_changed,zstd22) + $(call if_changed,zstd22_with_size) OBJCOPYFLAGS_piggy.o := -I binary -O elf64-s390 -B s390:64-bit --rename-section .data=.vmlinux.bin.compressed $(obj)/piggy.o: $(obj)/vmlinux.bin$(suffix-y) FORCE diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile index c1eb9a62de55..a6808a403f4b 100644 --- a/arch/sh/boot/compressed/Makefile +++ b/arch/sh/boot/compressed/Makefile @@ -52,13 +52,13 @@ vmlinux.bin.all-y := $(obj)/vmlinux.bin $(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE $(call if_changed,gzip) $(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE - $(call if_changed,bzip2) + $(call if_changed,bzip2_with_size) $(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzma) + $(call if_changed,lzma_with_size) $(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE - $(call if_changed,xzkern) + $(call if_changed,xzkern_with_size) $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzo) + $(call if_changed,lzo_with_size) OBJCOPYFLAGS += -R .empty_zero_page diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index 431bf7f846c3..2825c74bcae3 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -123,17 +123,17 @@ vmlinux.bin.all-$(CONFIG_X86_NEED_RELOCS) += $(obj)/vmlinux.relocs $(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE $(call if_changed,gzip) $(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE - $(call if_changed,bzip2) + $(call if_changed,bzip2_with_size) $(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzma) + $(call if_changed,lzma_with_size) $(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE - $(call if_changed,xzkern) + $(call if_changed,xzkern_with_size) $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lzo) + $(call if_changed,lzo_with_size) $(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE - $(call if_changed,lz4) + $(call if_changed,lz4_with_size) $(obj)/vmlinux.bin.zst: $(vmlinux.bin.all-y) FORCE - $(call if_changed,zstd22) + $(call if_changed,zstd22_with_size) suffix-$(CONFIG_KERNEL_GZIP) := gz suffix-$(CONFIG_KERNEL_BZIP2) := bz2 diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 5366466ea0e4..4207a72d429f 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -395,19 +395,31 @@ printf "%08x\n" $$dec_size | \ ) quiet_cmd_bzip2 = BZIP2 $@ - cmd_bzip2 = { cat $(real-prereqs) | $(KBZIP2) -9; $(size_append); } > $@ + cmd_bzip2 = cat $(real-prereqs) | $(KBZIP2) -9 > $@ + +quiet_cmd_bzip2_with_size = BZIP2 $@ + cmd_bzip2_with_size = { cat $(real-prereqs) | $(KBZIP2) -9; $(size_append); } > $@ # Lzma # --------------------------------------------------------------------------- quiet_cmd_lzma = LZMA $@ - cmd_lzma = { cat $(real-prereqs) | $(LZMA) -9; $(size_append); } > $@ + cmd_lzma = cat $(real-prereqs) | $(LZMA) -9 > $@ + +quiet_cmd_lzma_with_size = LZMA $@ + cmd_lzma_with_size = { cat $(real-prereqs) | $(LZMA) -9; $(size_append); } > $@ quiet_cmd_lzo = LZO $@ - cmd_lzo = { cat $(real-prereqs) | $(KLZOP) -9; $(size_append); } > $@ + cmd_lzo = cat $(real-prereqs) | $(KLZOP) -9 > $@ + +quiet_cmd_lzo_with_size = LZO $@ + cmd_lzo_with_size = { cat $(real-prereqs) | $(KLZOP) -9; $(size_append); } > $@ quiet_cmd_lz4 = LZ4 $@ - cmd_lz4 = { cat $(real-prereqs) | $(LZ4) -l -c1 stdin stdout; \ + cmd_lz4 = cat $(real-prereqs) | $(LZ4) -l -c1 stdin stdout > $@ + +quiet_cmd_lz4_with_size = LZ4 $@ + cmd_lz4_with_size = { cat $(real-prereqs) | $(LZ4) -l -c1 stdin stdout; \ $(size_append); } > $@ # U-Boot mkimage @@ -450,7 +462,10 @@ quiet_cmd_uimage = UIMAGE $@ # big dictionary would increase the memory usage too much in the multi-call # decompression mode. A BCJ filter isn't used either. quiet_cmd_xzkern = XZKERN $@ - cmd_xzkern = { cat $(real-prereqs) | sh $(srctree)/scripts/xz_wrap.sh; \ + cmd_xzkern = cat $(real-prereqs) | sh $(srctree)/scripts/xz_wrap.sh > $@ + +quiet_cmd_xzkern_with_size = XZKERN $@ + cmd_xzkern_with_size = { cat $(real-prereqs) | sh $(srctree)/scripts/xz_wrap.sh; \ $(size_append); } > $@ quiet_cmd_xzmisc = XZMISC $@ @@ -476,7 +491,10 @@ quiet_cmd_zstd = ZSTD $@ cmd_zstd = cat $(real-prereqs) | $(ZSTD) -19 > $@ quiet_cmd_zstd22 = ZSTD22 $@ - cmd_zstd22 = { cat $(real-prereqs) | $(ZSTD) -22 --ultra; $(size_append); } > $@ + cmd_zstd22 = cat $(real-prereqs) | $(ZSTD) -22 --ultra > $@ + +quiet_cmd_zstd22_with_size = ZSTD22 $@ + cmd_zstd22_with_size = { cat $(real-prereqs) | $(ZSTD) -22 --ultra; $(size_append); } > $@ # ASM offsets # --------------------------------------------------------------------------- diff --git a/usr/Makefile b/usr/Makefile index 7374873a539f..cc0d2824e100 100644 --- a/usr/Makefile +++ b/usr/Makefile @@ -3,11 +3,6 @@ # kbuild file for usr/ - including initramfs image # -# cmd_bzip2, cmd_lzma, cmd_lzo, cmd_lz4 from scripts/Makefile.lib appends the -# size at the end of the compressed file, which unfortunately does not work -# with unpack_to_rootfs(). Make size_append no-op. -override size_append := : - compress-y := shipped compress-$(CONFIG_INITRAMFS_COMPRESSION_GZIP) := gzip compress-$(CONFIG_INITRAMFS_COMPRESSION_BZIP2) := bzip2 From 53e7b5dfb752399cd903ecb6e921dcaef57c8ea5 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 10 Jan 2022 03:15:28 +0900 Subject: [PATCH 33/34] arch: decompressor: remove useless vmlinux.bin.all-y Presumably, arch/{parisc,s390,sh}/boot/compressed/Makefile copied arch/x86/boot/compressed/Makefile, but vmlinux.bin.all-y is useless here because it is the same as $(obj)/vmlinux.bin. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- arch/parisc/boot/compressed/Makefile | 14 ++++++-------- arch/s390/boot/compressed/Makefile | 16 +++++++--------- arch/sh/boot/compressed/Makefile | 12 +++++------- 3 files changed, 18 insertions(+), 24 deletions(-) diff --git a/arch/parisc/boot/compressed/Makefile b/arch/parisc/boot/compressed/Makefile index 2640f72d69ce..877a7099b5e1 100644 --- a/arch/parisc/boot/compressed/Makefile +++ b/arch/parisc/boot/compressed/Makefile @@ -58,8 +58,6 @@ OBJCOPYFLAGS_vmlinux.bin := -R .comment -R .note -S $(obj)/vmlinux.bin: vmlinux FORCE $(call if_changed,objcopy) -vmlinux.bin.all-y := $(obj)/vmlinux.bin - suffix-$(CONFIG_KERNEL_GZIP) := gz suffix-$(CONFIG_KERNEL_BZIP2) := bz2 suffix-$(CONFIG_KERNEL_LZ4) := lz4 @@ -67,17 +65,17 @@ suffix-$(CONFIG_KERNEL_LZMA) := lzma suffix-$(CONFIG_KERNEL_LZO) := lzo suffix-$(CONFIG_KERNEL_XZ) := xz -$(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.gz: $(obj)/vmlinux.bin FORCE $(call if_changed,gzip) -$(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.bz2: $(obj)/vmlinux.bin FORCE $(call if_changed,bzip2_with_size) -$(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lz4: $(obj)/vmlinux.bin FORCE $(call if_changed,lz4_with_size) -$(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzma: $(obj)/vmlinux.bin FORCE $(call if_changed,lzma_with_size) -$(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE $(call if_changed,lzo_with_size) -$(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.xz: $(obj)/vmlinux.bin FORCE $(call if_changed,xzkern_with_size) LDFLAGS_piggy.o := -r --format binary --oformat $(LD_BFD) -T diff --git a/arch/s390/boot/compressed/Makefile b/arch/s390/boot/compressed/Makefile index 8ea880b7c3ec..d04e0e7de0b3 100644 --- a/arch/s390/boot/compressed/Makefile +++ b/arch/s390/boot/compressed/Makefile @@ -58,8 +58,6 @@ OBJCOPYFLAGS_vmlinux.bin := -O binary --remove-section=.comment --remove-section $(obj)/vmlinux.bin: vmlinux FORCE $(call if_changed,objcopy) -vmlinux.bin.all-y := $(obj)/vmlinux.bin - suffix-$(CONFIG_KERNEL_GZIP) := .gz suffix-$(CONFIG_KERNEL_BZIP2) := .bz2 suffix-$(CONFIG_KERNEL_LZ4) := .lz4 @@ -68,19 +66,19 @@ suffix-$(CONFIG_KERNEL_LZO) := .lzo suffix-$(CONFIG_KERNEL_XZ) := .xz suffix-$(CONFIG_KERNEL_ZSTD) := .zst -$(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.gz: $(obj)/vmlinux.bin FORCE $(call if_changed,gzip) -$(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.bz2: $(obj)/vmlinux.bin FORCE $(call if_changed,bzip2_with_size) -$(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lz4: $(obj)/vmlinux.bin FORCE $(call if_changed,lz4_with_size) -$(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzma: $(obj)/vmlinux.bin FORCE $(call if_changed,lzma_with_size) -$(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE $(call if_changed,lzo_with_size) -$(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.xz: $(obj)/vmlinux.bin FORCE $(call if_changed,xzkern_with_size) -$(obj)/vmlinux.bin.zst: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.zst: $(obj)/vmlinux.bin FORCE $(call if_changed,zstd22_with_size) OBJCOPYFLAGS_piggy.o := -I binary -O elf64-s390 -B s390:64-bit --rename-section .data=.vmlinux.bin.compressed diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile index a6808a403f4b..591125c42d49 100644 --- a/arch/sh/boot/compressed/Makefile +++ b/arch/sh/boot/compressed/Makefile @@ -47,17 +47,15 @@ $(obj)/vmlinux: $(addprefix $(obj)/, $(OBJECTS)) FORCE $(obj)/vmlinux.bin: vmlinux FORCE $(call if_changed,objcopy) -vmlinux.bin.all-y := $(obj)/vmlinux.bin - -$(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.gz: $(obj)/vmlinux.bin FORCE $(call if_changed,gzip) -$(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.bz2: $(obj)/vmlinux.bin FORCE $(call if_changed,bzip2_with_size) -$(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzma: $(obj)/vmlinux.bin FORCE $(call if_changed,lzma_with_size) -$(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.xz: $(obj)/vmlinux.bin FORCE $(call if_changed,xzkern_with_size) -$(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE +$(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE $(call if_changed,lzo_with_size) OBJCOPYFLAGS += -R .empty_zero_page From c4d7f40b250c1a4d74ed259e84807f58032507b6 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 10 Jan 2022 03:15:29 +0900 Subject: [PATCH 34/34] kbuild: add cmd_file_size Some architectures support self-extracting kernel, which embeds the compressed vmlinux. It has 4 byte data at the end so the decompressor can know the vmlinux size beforehand. GZIP natively has it in the trailer, but for the other compression algorithms, the hand-crafted trailer is added. It is unneeded to generate such _corrupted_ compressed files because it is possible to pass the size data as a separate file. For example, the assembly code: .incbin "compressed-vmlinux-with-size-data" can be transformed to: .incbin "compressed-vmlinux" .incbin "size-data" My hope is, after some reworks of the decompressors, the macros cmd_{bzip2,lzma,lzo,lz4,xzkern,zstd22}_with_size will go away. This new macro, cmd_file_size, will be useful to generate a separate size-data file. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier --- scripts/Makefile.lib | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 4207a72d429f..05ca77706f6b 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -394,6 +394,9 @@ printf "%08x\n" $$dec_size | \ } \ ) +quiet_cmd_file_size = GEN $@ + cmd_file_size = $(size_append) > $@ + quiet_cmd_bzip2 = BZIP2 $@ cmd_bzip2 = cat $(real-prereqs) | $(KBZIP2) -9 > $@