8370edea81
This patch series does not do kernel signature verification yet. I plan to post another patch series for that. Now distributions are already signing PE/COFF bzImage with PKCS7 signature. I plan to parse and verify those signatures.

Primary goal of this patchset is to prepare groundwork so that kernel image can be signed and signatures be verified during kexec load. This should help with two things.

- It should allow kexec/kdump on secureboot enabled machines.
- In general it can help even without secureboot. By being able to verify kernel image signature in kexec, it should help with avoiding module signing restrictions. Matthew Garrett showed how to boot into a custom kernel, modify first kernel's memory and then jump back to old kernel and bypass any policy one wants to.

This patch (of 15):

Kexec wants to use bin2c and it wants to use it really early in the build process. See arch/x86/purgatory/ code in later patches.

So move bin2c in scripts/basic so that it can be built very early and be usable by arch/x86/purgatory/

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: WANG Chao <chaowang@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
42 lines
1.4 KiB
Makefile
###
# scripts contains sources for various helper programs used throughout
# the kernel for the build process.
# ---------------------------------------------------------------------------
# kallsyms: Find all symbols in vmlinux
# pnmtologo: Convert pnm files to logo files
# conmakehash: Create chartable
# conmakehash: Create arrays for initializing the kernel console tables
# docproc: Used in Documentation/DocBook

HOST_EXTRACFLAGS += -I$(srctree)/tools/include

hostprogs-$(CONFIG_KALLSYMS) += kallsyms
hostprogs-$(CONFIG_LOGO) += pnmtologo
hostprogs-$(CONFIG_VT) += conmakehash
hostprogs-$(BUILD_C_RECORDMCOUNT) += recordmcount
hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable
hostprogs-$(CONFIG_ASN1) += asn1_compiler

HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include

always := $(hostprogs-y) $(hostprogs-m)

# The following hostprogs-y programs are only built on demand
hostprogs-y += unifdef docproc

# These targets are used internally to avoid "is up to date" messages
PHONY += build_unifdef build_docproc
build_unifdef: $(obj)/unifdef
	@:
build_docproc: $(obj)/docproc
	@:

subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-y += mod
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
subdir-$(CONFIG_DTC) += dtc

# Let clean descend into subdirs
subdir- += basic kconfig package