[mirror_ubuntu-jammy-kernel.git] / kernel / Makefile

#
# Makefile for the linux kernel.
#

obj-y     = fork.o exec_domain.o panic.o \
	    cpu.o exit.o softirq.o resource.o \
	    sysctl.o sysctl_binary.o capability.o ptrace.o user.o \
	    signal.o sys.o kmod.o workqueue.o pid.o task_work.o \
	    extable.o params.o \
	    kthread.o sys_ni.o nsproxy.o \
	    notifier.o ksysfs.o cred.o reboot.o \
	    async.o range.o smpboot.o

obj-$(CONFIG_MULTIUSER) += groups.o

ifdef CONFIG_FUNCTION_TRACER
# Do not trace debug files and internal ftrace files
CFLAGS_REMOVE_cgroup-debug.o = $(CC_FLAGS_FTRACE)
CFLAGS_REMOVE_irq_work.o = $(CC_FLAGS_FTRACE)
endif

# cond_syscall is currently not LTO compatible
CFLAGS_sys_ni.o = $(DISABLE_LTO)

obj-y += sched/
obj-y += locking/
obj-y += power/
obj-y += printk/
obj-y += irq/
obj-y += rcu/
obj-y += livepatch/

obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
obj-$(CONFIG_FREEZER) += freezer.o
obj-$(CONFIG_PROFILING) += profile.o
obj-$(CONFIG_STACKTRACE) += stacktrace.o
obj-y += time/
obj-$(CONFIG_FUTEX) += futex.o
ifeq ($(CONFIG_COMPAT),y)
obj-$(CONFIG_FUTEX) += futex_compat.o
endif
obj-$(CONFIG_GENERIC_ISA_DMA) += dma.o
obj-$(CONFIG_SMP) += smp.o
ifneq ($(CONFIG_SMP),y)
obj-y += up.o
endif
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
obj-$(CONFIG_BACKTRACE_SELF_TEST) += backtracetest.o
obj-$(CONFIG_COMPAT) += compat.o
obj-$(CONFIG_CGROUPS) += cgroup.o
obj-$(CONFIG_CGROUP_FREEZER) += cgroup_freezer.o
obj-$(CONFIG_CPUSETS) += cpuset.o
obj-$(CONFIG_UTS_NS) += utsname.o
obj-$(CONFIG_USER_NS) += user_namespace.o
obj-$(CONFIG_PID_NS) += pid_namespace.o
obj-$(CONFIG_IKCONFIG) += configs.o
obj-$(CONFIG_SMP) += stop_machine.o
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
obj-$(CONFIG_GCOV_KERNEL) += gcov/
obj-$(CONFIG_KPROBES) += kprobes.o
obj-$(CONFIG_KGDB) += debug/
obj-$(CONFIG_DETECT_HUNG_TASK) += hung_task.o
obj-$(CONFIG_LOCKUP_DETECTOR) += watchdog.o
obj-$(CONFIG_SECCOMP) += seccomp.o
obj-$(CONFIG_RELAY) += relay.o
obj-$(CONFIG_SYSCTL) += utsname_sysctl.o
obj-$(CONFIG_TASK_DELAY_ACCT) += delayacct.o
obj-$(CONFIG_TASKSTATS) += taskstats.o tsacct.o
obj-$(CONFIG_TRACEPOINTS) += tracepoint.o
obj-$(CONFIG_LATENCYTOP) += latencytop.o
obj-$(CONFIG_BINFMT_ELF) += elfcore.o
obj-$(CONFIG_COMPAT_BINFMT_ELF) += elfcore.o
obj-$(CONFIG_BINFMT_ELF_FDPIC) += elfcore.o
obj-$(CONFIG_FUNCTION_TRACER) += trace/
obj-$(CONFIG_TRACING) += trace/
obj-$(CONFIG_TRACE_CLOCK) += trace/
obj-$(CONFIG_RING_BUFFER) += trace/
obj-$(CONFIG_TRACEPOINTS) += trace/
obj-$(CONFIG_IRQ_WORK) += irq_work.o
obj-$(CONFIG_CPU_PM) += cpu_pm.o
obj-$(CONFIG_BPF) += bpf/

obj-$(CONFIG_PERF_EVENTS) += events/

obj-$(CONFIG_USER_RETURN_NOTIFIER) += user-return-notifier.o
obj-$(CONFIG_PADATA) += padata.o
obj-$(CONFIG_CRASH_DUMP) += crash_dump.o
obj-$(CONFIG_JUMP_LABEL) += jump_label.o
obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
obj-$(CONFIG_TORTURE_TEST) += torture.o

$(obj)/configs.o: $(obj)/config_data.h

# config_data.h contains the same information as ikconfig.h but gzipped.
# Info from config_data can be extracted from /proc/config*
targets += config_data.gz
$(obj)/config_data.gz: $(KCONFIG_CONFIG) FORCE
	$(call if_changed,gzip)

      filechk_ikconfiggz = (echo "static const char kernel_config_data[] __used = MAGIC_START"; cat $< | scripts/basic/bin2c; echo "MAGIC_END;")
targets += config_data.h
$(obj)/config_data.h: $(obj)/config_data.gz FORCE
	$(call filechk,ikconfiggz)

###############################################################################
#
# Roll all the X.509 certificates that we can find together and pull them into
# the kernel so that they get loaded into the system trusted keyring during
# boot.
#
# We look in the source root and the build root for all files whose name ends
# in ".x509".  Unfortunately, this will generate duplicate filenames, so we
# have make canonicalise the pathnames and then sort them to discard the
# duplicates.
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
				$(or $(realpath $(CERT)),$(CERT))))
X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw))

ifeq ($(X509_CERTIFICATES),)
$(warning *** No X.509 certificates found ***)
endif

ifneq ($(wildcard $(obj)/.x509.list),)
ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
$(warning X.509 certificate list changed to "$(X509_CERTIFICATES)" from "$(shell cat $(obj)/.x509.list)")
$(shell rm $(obj)/.x509.list)
endif
endif

kernel/system_certificates.o: $(obj)/x509_certificate_list

quiet_cmd_x509certs  = CERTS   $@
      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) "  - Including cert $(X509)")

targets += $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
	$(call if_changed,x509certs)

targets += $(obj)/.x509.list
$(obj)/.x509.list:
	@echo $(X509_CERTIFICATES) >$@
endif

clean-files := x509_certificate_list .x509.list

ifeq ($(CONFIG_MODULE_SIG),y)
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been
# supplied, then one will need to be generated to make sure the build does not
# fail and that the kernel may be used afterwards.
#
###############################################################################
ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif

# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
signing_key.pem: x509.genkey
	@echo "###"
	@echo "### Now generating an X.509 key pair to be used for signing modules."
	@echo "###"
	@echo "### If this takes a long time, you might wish to run rngd in the"
	@echo "### background to keep the supply of entropy topped up.  It"
	@echo "### needs to be run as root, and uses a hardware random"
	@echo "### number generator if one is available."
	@echo "###"
	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
		-batch -x509 -config x509.genkey \
		-outform PEM -out signing_key.pem \
		-keyout signing_key.pem 2>&1
	@echo "###"
	@echo "### Key pair generated."
	@echo "###"

x509.genkey:
	@echo Generating X.509 key generation config
	@echo  >x509.genkey "[ req ]"
	@echo >>x509.genkey "default_bits = 4096"
	@echo >>x509.genkey "distinguished_name = req_distinguished_name"
	@echo >>x509.genkey "prompt = no"
	@echo >>x509.genkey "string_mask = utf8only"
	@echo >>x509.genkey "x509_extensions = myexts"
	@echo >>x509.genkey
	@echo >>x509.genkey "[ req_distinguished_name ]"
	@echo >>x509.genkey "#O = Unspecified company"
	@echo >>x509.genkey "CN = Build time autogenerated kernel key"
	@echo >>x509.genkey "#emailAddress = unspecified.user@unspecified.company"
	@echo >>x509.genkey
	@echo >>x509.genkey "[ myexts ]"
	@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
	@echo >>x509.genkey "keyUsage=digitalSignature"
	@echo >>x509.genkey "subjectKeyIdentifier=hash"
	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
endif

# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
quiet_cmd_extract_der = CERT_DER $(2)
      cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509

# CONFIG_MODULE_SIG_KEY is either a PKCS#11 URI or a filename. It is
# surrounded by quotes, and may contain spaces. To strip the quotes
# with $(patsubst) we need to turn the spaces into something else.
# And if it's a filename, those spaces need to be escaped as '\ ' in
# order to use it in dependencies or $(wildcard).
space :=
space +=
space_escape := %%%SPACE%%%
X509_SOURCE_temp := $(subst $(space),$(space_escape),$(CONFIG_MODULE_SIG_KEY))
# We need this to check for absolute paths or PKCS#11 URIs.
X509_SOURCE_ONEWORD := $(patsubst "%",%,$(X509_SOURCE_temp))
# This is the actual source filename/URI without the quotes
X509_SOURCE := $(subst $(space_escape),$(space),$(X509_SOURCE_ONEWORD))
# This\ version\ with\ spaces\ escaped\ for\ $(wildcard)\ and\ dependencies
X509_SOURCE_ESCAPED := $(subst $(space_escape),\$(space),$(X509_SOURCE_ONEWORD))

ifeq ($(patsubst pkcs11:%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD))
# If it's a filename, depend on it.
X509_DEP := $(X509_SOURCE_ESCAPED)
ifeq ($(patsubst /%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD))
ifeq ($(wildcard $(X509_SOURCE_ESCAPED)),)
ifneq ($(wildcard $(srctree)/$(X509_SOURCE_ESCAPED)),)
# Non-absolute filename, found in source tree and not build tree
X509_SOURCE := $(srctree)/$(X509_SOURCE)
X509_DEP := $(srctree)/$(X509_SOURCE_ESCAPED)
endif
endif
endif
endif

signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
	$(call cmd,extract_der,$(X509_SOURCE))
endif
Commit	Line	Data
1da177e4 LT	1	#
	2	# Makefile for the linux kernel.
	3	#
	4
b9ee979e	5	obj-y = fork.o exec_domain.o panic.o \
5cee9645 TG	6	cpu.o exit.o softirq.o resource.o \
5cee9645 TG	7	sysctl.o sysctl_binary.o capability.o ptrace.o user.o \
e73f8959	8	signal.o sys.o kmod.o workqueue.o pid.o task_work.o \
5cee9645 TG	9	extable.o params.o \
5cee9645 TG	10	kthread.o sys_ni.o nsproxy.o \
15d94b82	11	notifier.o ksysfs.o cred.o reboot.o \
2813893f IM	12	async.o range.o smpboot.o
	13
	14	obj-$(CONFIG_MULTIUSER) += groups.o
029632fb	15
606576ce	16	ifdef CONFIG_FUNCTION_TRACER
6ec56232	17	# Do not trace debug files and internal ftrace files
c0a80c0c HC	18	CFLAGS_REMOVE_cgroup-debug.o = $(CC_FLAGS_FTRACE)
c0a80c0c HC	19	CFLAGS_REMOVE_irq_work.o = $(CC_FLAGS_FTRACE)
1d09daa5 SR	20	endif
1d09daa5 SR	21
58edae3a AK	22	# cond_syscall is currently not LTO compatible
	23	CFLAGS_sys_ni.o = $(DISABLE_LTO)
	24
391e43da	25	obj-y += sched/
01768b42	26	obj-y += locking/
dae5cbc2	27	obj-y += power/
b9ee979e	28	obj-y += printk/
0244ad00	29	obj-y += irq/
4102adab	30	obj-y += rcu/
b700e7f0	31	obj-y += livepatch/
391e43da	32
1e142b29	33	obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
8174f150	34	obj-$(CONFIG_FREEZER) += freezer.o
b03f6489	35	obj-$(CONFIG_PROFILING) += profile.o
8637c099	36	obj-$(CONFIG_STACKTRACE) += stacktrace.o
ad596171	37	obj-y += time/
1da177e4	38	obj-$(CONFIG_FUTEX) += futex.o
34f192c6 IM	39	ifeq ($(CONFIG_COMPAT),y)
	40	obj-$(CONFIG_FUTEX) += futex_compat.o
	41	endif
1da177e4	42	obj-$(CONFIG_GENERIC_ISA_DMA) += dma.o
351f8f8e	43	obj-$(CONFIG_SMP) += smp.o
9316fcac	44	ifneq ($(CONFIG_SMP),y)
53ce3d95 AM	45	obj-y += up.o
53ce3d95 AM	46	endif
1da177e4	47	obj-$(CONFIG_UID16) += uid16.o
b56e5a17	48	obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
1da177e4	49	obj-$(CONFIG_MODULES) += module.o
b56e5a17	50	obj-$(CONFIG_MODULE_SIG) += module_signing.o
1da177e4	51	obj-$(CONFIG_KALLSYMS) += kallsyms.o
1da177e4	52	obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
dc009d92	53	obj-$(CONFIG_KEXEC) += kexec.o
6dab2778	54	obj-$(CONFIG_BACKTRACE_SELF_TEST) += backtracetest.o
1da177e4	55	obj-$(CONFIG_COMPAT) += compat.o
ddbcc7e8	56	obj-$(CONFIG_CGROUPS) += cgroup.o
dc52ddc0	57	obj-$(CONFIG_CGROUP_FREEZER) += cgroup_freezer.o
1da177e4	58	obj-$(CONFIG_CPUSETS) += cpuset.o
aee16ce7 PE	59	obj-$(CONFIG_UTS_NS) += utsname.o
aee16ce7 PE	60	obj-$(CONFIG_USER_NS) += user_namespace.o
74bd59bb	61	obj-$(CONFIG_PID_NS) += pid_namespace.o
1da177e4	62	obj-$(CONFIG_IKCONFIG) += configs.o
bbf1bb3e	63	obj-$(CONFIG_SMP) += stop_machine.o
8c1c9356	64	obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
939a67fc	65	obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
1da177e4	66	obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
939a67fc	67	obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o
74c3cbe3	68	obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
939a67fc	69	obj-$(CONFIG_GCOV_KERNEL) += gcov/
1da177e4	70	obj-$(CONFIG_KPROBES) += kprobes.o
c4338209	71	obj-$(CONFIG_KGDB) += debug/
e162b39a	72	obj-$(CONFIG_DETECT_HUNG_TASK) += hung_task.o
58687acb	73	obj-$(CONFIG_LOCKUP_DETECTOR) += watchdog.o
1da177e4	74	obj-$(CONFIG_SECCOMP) += seccomp.o
b86ff981	75	obj-$(CONFIG_RELAY) += relay.o
39732acd	76	obj-$(CONFIG_SYSCTL) += utsname_sysctl.o
ca74e92b	77	obj-$(CONFIG_TASK_DELAY_ACCT) += delayacct.o
f3cef7a9	78	obj-$(CONFIG_TASKSTATS) += taskstats.o tsacct.o
97e1c18e	79	obj-$(CONFIG_TRACEPOINTS) += tracepoint.o
9745512c	80	obj-$(CONFIG_LATENCYTOP) += latencytop.o
1fcccbac DH	81	obj-$(CONFIG_BINFMT_ELF) += elfcore.o
	82	obj-$(CONFIG_COMPAT_BINFMT_ELF) += elfcore.o
	83	obj-$(CONFIG_BINFMT_ELF_FDPIC) += elfcore.o
606576ce	84	obj-$(CONFIG_FUNCTION_TRACER) += trace/
bc0c38d1	85	obj-$(CONFIG_TRACING) += trace/
ea632e9f	86	obj-$(CONFIG_TRACE_CLOCK) += trace/
1155de47	87	obj-$(CONFIG_RING_BUFFER) += trace/
870915e0	88	obj-$(CONFIG_TRACEPOINTS) += trace/
e360adbe	89	obj-$(CONFIG_IRQ_WORK) += irq_work.o
ab10023e	90	obj-$(CONFIG_CPU_PM) += cpu_pm.o
f89b7755	91	obj-$(CONFIG_BPF) += bpf/
fae85b7c BP	92
	93	obj-$(CONFIG_PERF_EVENTS) += events/
	94
7a041097	95	obj-$(CONFIG_USER_RETURN_NOTIFIER) += user-return-notifier.o
16295bec	96	obj-$(CONFIG_PADATA) += padata.o
93a72052	97	obj-$(CONFIG_CRASH_DUMP) += crash_dump.o
b77f0f3c	98	obj-$(CONFIG_JUMP_LABEL) += jump_label.o
91d1aa43	99	obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
51b1130e	100	obj-$(CONFIG_TORTURE_TEST) += torture.o
1da177e4	101
1da177e4 LT	102	$(obj)/configs.o: $(obj)/config_data.h
	103
	104	# config_data.h contains the same information as ikconfig.h but gzipped.
	105	# Info from config_data can be extracted from /proc/config*
	106	targets += config_data.gz
41263fc6	107	$(obj)/config_data.gz: $(KCONFIG_CONFIG) FORCE
1da177e4 LT	108	$(call if_changed,gzip)
1da177e4 LT	109
8370edea	110	filechk_ikconfiggz = (echo "static const char kernel_config_data[] __used = MAGIC_START"; cat $< \| scripts/basic/bin2c; echo "MAGIC_END;")
1da177e4 LT	111	targets += config_data.h
1da177e4 LT	112	$(obj)/config_data.h: $(obj)/config_data.gz FORCE
e78e8f2d	113	$(call filechk,ikconfiggz)
bdc80787	114
f0e6d220	115	###############################################################################
631cc66e	116	#
0fbd39cf	117	# Roll all the X.509 certificates that we can find together and pull them into
b56e5a17 DH	118	# the kernel so that they get loaded into the system trusted keyring during
b56e5a17 DH	119	# boot.
631cc66e	120	#
0fbd39cf DH	121	# We look in the source root and the build root for all files whose name ends
	122	# in ".x509". Unfortunately, this will generate duplicate filenames, so we
	123	# have make canonicalise the pathnames and then sort them to discard the
	124	# duplicates.
631cc66e	125	#
f0e6d220	126	###############################################################################
b56e5a17	127	ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
f0e6d220	128	X509_CERTIFICATES-y := $(wildcard .x509) $(wildcard $(srctree)/.x509)
d7ec435f DH	129	X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
d7ec435f DH	130	X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
0fbd39cf	131	$(or $(realpath $(CERT)),$(CERT))))
d7ec435f	132	X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw))
f0e6d220 DH	133
	134	ifeq ($(X509_CERTIFICATES),)
	135	$(warning * No X.509 certificates found *)
	136	endif
	137
	138	ifneq ($(wildcard $(obj)/.x509.list),)
	139	ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
7df9ab84	140	$(warning X.509 certificate list changed to "$(X509_CERTIFICATES)" from "$(shell cat $(obj)/.x509.list)")
f0e6d220 DH	141	$(shell rm $(obj)/.x509.list)
	142	endif
	143	endif
	144
b56e5a17	145	kernel/system_certificates.o: $(obj)/x509_certificate_list
e10e1774	146
f0e6d220	147	quiet_cmd_x509certs = CERTS $@
89f703f0	148	cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) " - Including cert $(X509)")
e10e1774	149
f0e6d220 DH	150	targets += $(obj)/x509_certificate_list
	151	$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
	152	$(call if_changed,x509certs)
631cc66e	153
f0e6d220 DH	154	targets += $(obj)/.x509.list
	155	$(obj)/.x509.list:
	156	@echo $(X509_CERTIFICATES) >$@
f46a3cbb	157	endif
d441108c	158
f0e6d220	159	clean-files := x509_certificate_list .x509.list
d441108c	160
b56e5a17	161	ifeq ($(CONFIG_MODULE_SIG),y)
d441108c DH	162	###############################################################################
	163	#
	164	# If module signing is requested, say by allyesconfig, but a key has not been
	165	# supplied, then one will need to be generated to make sure the build does not
	166	# fail and that the kernel may be used afterwards.
	167	#
	168	###############################################################################
22753674	169	ifndef CONFIG_MODULE_SIG_HASH
5e8cb1e4 DH	170	$(error Could not determine digest type to use from kernel config)
	171	endif
	172
19e91b69 DW	173	# We do it this way rather than having a boolean option for enabling an
	174	# external private key, because 'make randconfig' might enable such a
	175	# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
fb117949 DW	176	ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
fb117949 DW	177	signing_key.pem: x509.genkey
d441108c DH	178	@echo "###"
	179	@echo "### Now generating an X.509 key pair to be used for signing modules."
	180	@echo "###"
	181	@echo "### If this takes a long time, you might wish to run rngd in the"
	182	@echo "### background to keep the supply of entropy topped up. It"
2008713c PA	183	@echo "### needs to be run as root, and uses a hardware random"
2008713c PA	184	@echo "### number generator if one is available."
d441108c	185	@echo "###"
22753674 MM	186	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
22753674 MM	187	-batch -x509 -config x509.genkey \
fb117949 DW	188	-outform PEM -out signing_key.pem \
fb117949 DW	189	-keyout signing_key.pem 2>&1
d441108c DH	190	@echo "###"
	191	@echo "### Key pair generated."
	192	@echo "###"
	193
	194	x509.genkey:
	195	@echo Generating X.509 key generation config
	196	@echo >x509.genkey "[ req ]"
	197	@echo >>x509.genkey "default_bits = 4096"
	198	@echo >>x509.genkey "distinguished_name = req_distinguished_name"
	199	@echo >>x509.genkey "prompt = no"
e7d113bc	200	@echo >>x509.genkey "string_mask = utf8only"
d441108c DH	201	@echo >>x509.genkey "x509_extensions = myexts"
	202	@echo >>x509.genkey
	203	@echo >>x509.genkey "[ req_distinguished_name ]"
9c4249c8 DH	204	@echo >>x509.genkey "#O = Unspecified company"
	205	@echo >>x509.genkey "CN = Build time autogenerated kernel key"
	206	@echo >>x509.genkey "#emailAddress = unspecified.user@unspecified.company"
d441108c DH	207	@echo >>x509.genkey
	208	@echo >>x509.genkey "[ myexts ]"
	209	@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
	210	@echo >>x509.genkey "keyUsage=digitalSignature"
	211	@echo >>x509.genkey "subjectKeyIdentifier=hash"
	212	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
fb117949 DW	213	endif
	214
	215	# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
1329e8cc DW	216	quiet_cmd_extract_der = CERT_DER $(2)
	217	cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
	218
	219	# CONFIG_MODULE_SIG_KEY is either a PKCS#11 URI or a filename. It is
	220	# surrounded by quotes, and may contain spaces. To strip the quotes
	221	# with $(patsubst) we need to turn the spaces into something else.
	222	# And if it's a filename, those spaces need to be escaped as '\ ' in
	223	# order to use it in dependencies or $(wildcard).
	224	space :=
	225	space +=
	226	space_escape := %%%SPACE%%%
	227	X509_SOURCE_temp := $(subst $(space),$(space_escape),$(CONFIG_MODULE_SIG_KEY))
	228	# We need this to check for absolute paths or PKCS#11 URIs.
	229	X509_SOURCE_ONEWORD := $(patsubst "%",%,$(X509_SOURCE_temp))
	230	# This is the actual source filename/URI without the quotes
	231	X509_SOURCE := $(subst $(space_escape),$(space),$(X509_SOURCE_ONEWORD))
	232	# This\ version\ with\ spaces\ escaped\ for\ $(wildcard)\ and\ dependencies
	233	X509_SOURCE_ESCAPED := $(subst $(space_escape),\$(space),$(X509_SOURCE_ONEWORD))
	234
	235	ifeq ($(patsubst pkcs11:%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD))
	236	# If it's a filename, depend on it.
	237	X509_DEP := $(X509_SOURCE_ESCAPED)
	238	ifeq ($(patsubst /%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD))
	239	ifeq ($(wildcard $(X509_SOURCE_ESCAPED)),)
	240	ifneq ($(wildcard $(srctree)/$(X509_SOURCE_ESCAPED)),)
	241	# Non-absolute filename, found in source tree and not build tree
	242	X509_SOURCE := $(srctree)/$(X509_SOURCE)
	243	X509_DEP := $(srctree)/$(X509_SOURCE_ESCAPED)
	244	endif
	245	endif
	246	endif
	247	endif
	248
	249	signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
	250	$(call cmd,extract_der,$(X509_SOURCE))
d441108c	251	endif