From nobody Sat Sep 13 20:27:37 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DB9D1C38142
	for <linux-kernel@archiver.kernel.org>; Tue, 31 Jan 2023 08:49:05 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231475AbjAaItB (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 31 Jan 2023 03:49:01 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35306 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230496AbjAaIsX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 31 Jan 2023 03:48:23 -0500
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de
 [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92E004E534
        for <linux-kernel@vger.kernel.org>;
 Tue, 31 Jan 2023 00:44:14 -0800 (PST)
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
        by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEm-0002o0-1B; Tue, 31 Jan 2023 09:43:32 +0100
Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de)
        by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEl-001eKt-Iq; Tue, 31 Jan 2023 09:43:30 +0100
Received: from jlu by dude03.red.stw.pengutronix.de with local (Exim 4.94.2)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEj-005vrY-VE; Tue, 31 Jan 2023 09:43:29 +0100
From: Jan Luebbe <jlu@pengutronix.de>
To: Masahiro Yamada <masahiroy@kernel.org>
Cc: Jan Luebbe <jlu@pengutronix.de>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        keyrings@vger.kernel.org, linux-kbuild@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel@pengutronix.de
Subject: [PATCH v2 1/2] certs: Fix build error when PKCS#11 URI contains
 semicolon
Date: Tue, 31 Jan 2023 09:43:22 +0100
Message-Id: <20230131084323.1414010-2-jlu@pengutronix.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230131084323.1414010-1-jlu@pengutronix.de>
References: <20230131084323.1414010-1-jlu@pengutronix.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2
X-SA-Exim-Mail-From: jlu@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de);
 SAEximRunCond expanded to false
X-PTX-Original-Recipient: linux-kernel@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:

  certs/extract-cert pkcs11:token=3Dfoo;object=3Dbar;pin-value=3D1111 certs=
/signing_key.x509
  Usage: extract-cert <source> <dest>

Add quotes to the extract-cert argument to avoid splitting by the shell.

This approach was suggested by Masahiro Yamada <masahiroy@kernel.org>.

Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/=
auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 certs/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/certs/Makefile b/certs/Makefile
index 9486ed924731..799ad7b9e68a 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HAS=
H_LIST) FORCE
 targets +=3D blacklist_hash_list
=20
 quiet_cmd_extract_certs  =3D CERT    $@
-      cmd_extract_certs  =3D $(obj)/extract-cert $(extract-cert-in) $@
-extract-cert-in =3D $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)=
),"")
+      cmd_extract_certs  =3D $(obj)/extract-cert "$(extract-cert-in)" $@
+extract-cert-in =3D $(filter-out $(obj)/extract-cert, $(real-prereqs))
=20
 $(obj)/system_certificates.o: $(obj)/x509_certificate_list
=20
--=20
2.30.2
From nobody Sat Sep 13 20:27:37 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5277CC636CC
	for <linux-kernel@archiver.kernel.org>; Tue, 31 Jan 2023 08:48:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229903AbjAaIsg (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 31 Jan 2023 03:48:36 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32854 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230479AbjAaIsW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 31 Jan 2023 03:48:22 -0500
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de
 [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 920BA4DCF1
        for <linux-kernel@vger.kernel.org>;
 Tue, 31 Jan 2023 00:44:14 -0800 (PST)
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
        by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEm-0002nr-1H; Tue, 31 Jan 2023 09:43:32 +0100
Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de)
        by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEl-001eKp-HY; Tue, 31 Jan 2023 09:43:30 +0100
Received: from jlu by dude03.red.stw.pengutronix.de with local (Exim 4.94.2)
        (envelope-from <jlu@pengutronix.de>)
        id 1pMmEj-005vrb-WB; Tue, 31 Jan 2023 09:43:30 +0100
From: Jan Luebbe <jlu@pengutronix.de>
To: Masahiro Yamada <masahiroy@kernel.org>
Cc: Jan Luebbe <jlu@pengutronix.de>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        keyrings@vger.kernel.org, linux-kbuild@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel@pengutronix.de
Subject: [PATCH v2 2/2] kbuild: modinst: Fix build error when
 CONFIG_MODULE_SIG_KEY is a PKCS#11 URI
Date: Tue, 31 Jan 2023 09:43:23 +0100
Message-Id: <20230131084323.1414010-3-jlu@pengutronix.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230131084323.1414010-1-jlu@pengutronix.de>
References: <20230131084323.1414010-1-jlu@pengutronix.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2
X-SA-Exim-Mail-From: jlu@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de);
 SAEximRunCond expanded to false
X-PTX-Original-Recipient: linux-kernel@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*), signing of modules
fails:

  scripts/sign-file sha256 /.../linux/pkcs11:token=3Dfoo;object=3Dbar;pin-v=
alue=3D1111 certs/signing_key.x509 /.../kernel/crypto/tcrypt.ko
  Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
         scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]

First, we need to avoid adding the $(srctree)/ prefix to the URL.

Second, since the kconfig string values no longer include quotes, we need t=
o add
them again when passing a PKCS#11 URI to sign-file. This avoids
splitting by the shell if the URI contains semicolons.

Fixes: 4db9c2e3d055 ("kbuild: stop using config_filename in scripts/Makefil=
e.modsign")
Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/=
auto.conf")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 scripts/Makefile.modinst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 836391e5d209..4815a8e32227 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -66,9 +66,13 @@ endif
 # Don't stop modules_install even if we can't sign external modules.
 #
 ifeq ($(CONFIG_MODULE_SIG_ALL),y)
+ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
 sig-key :=3D $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONF=
IG_MODULE_SIG_KEY)
+else
+sig-key :=3D $(CONFIG_MODULE_SIG_KEY)
+endif
 quiet_cmd_sign =3D SIGN    $@
-      cmd_sign =3D scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) =
certs/signing_key.x509 $@ \
+      cmd_sign =3D scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)=
" certs/signing_key.x509 $@ \
                  $(if $(KBUILD_EXTMOD),|| true)
 else
 quiet_cmd_sign :=3D
--=20
2.30.2