| author | Marc Kleine-Budde <mkl@pengutronix.de> | 2021-07-15 15:42:25 +0200 |
|---|---|---|
| committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2021-07-16 21:24:44 +0200 |
| commit | 235332de090655007e6ca808e79c9206d1e075da (patch) | |
| tree | 5d43e9d79fdfe033a4872e20e2c573c1a35c89a4 /doc | |
| parent | 7b005f16abb8ad45830ae7fa0026712679ee3e6d (diff) | |
| download | ptxdist-235332de090655007e6ca808e79c9206d1e075da.tar.gz ptxdist-235332de090655007e6ca808e79c9206d1e075da.tar.xz | |
ptxd_lib_code_signing: cs_get_ca(): improve error handling
This patch changes cs_get_ca() to only output the CA if it actually
exists, so that this function can be used even if a signing provider
does not provide a CA for a role.
Additionally improve robustness against premature evaluation by printing
an error code if the signing provider was not set up yet. If the error
message is used as part of a URI, the user can at least get a hint about
the fact that an error happened.
Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Message-Id: <20210715134224.25700-1-rhi@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/ref_code_signing_helpers.rst | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index 99a395b28..fd16ca763 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst @@ -330,8 +330,24 @@ Usage: Get path to the CA keyring in PEM format for role. +If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`, +:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty +string. + Preconditions: -- a certificate must have been appended to the CA keyring - (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`, - :ref:`cs_append_ca_from_uri`) +- The role must have been defined by the provider (see :ref:`cs_define_role`). + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1. + This can happen if the function is evaluated by a variable expansion in make + with ``:=`` instead of ``=`` before the code signing provider is set up. + +Example: + +.. code-block:: make + + # set up kernel module signing, and add a trusted CA if the provider set one + KERNEL_SIGN_OPT = + CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \ + CONFIG_MODULE_SIG_ALL=y \ + $(if $(shell cs_get_ca kernel-trusted), \ + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) |
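Review bot: the `$(if $(shell cs_get_ca kernel-trusted), ...)` guard in the new make example does not distinguish the documented error case from "no CA set": according to the precondition added in the same hunk, an undefined role makes `cs_get_ca` print `ERROR_CA_NOT_YET_SET`, which is a non-empty string, so `$(if ...)` takes the true branch and the kernel would be configured with `CONFIG_SYSTEM_TRUSTED_KEYS=ERROR_CA_NOT_YET_SET`; the exit status 1 is not seen by `$(shell)` at all. The example relies on `=` (recursive expansion) so that `cs_get_ca` runs only after the provider is set up, which is exactly the `:=` pitfall described two paragraphs above; it would help to say so next to the example, e.g. "This example uses ``=`` rather than ``:=`` so that ``cs_get_ca`` is evaluated only after the code signing provider has been set up." It would also be worth documenting the exit status in the "provider did not set a CA" case, since the text only says an empty string is printed. Minor: the first line of the example, `KERNEL_SIGN_OPT =`, shows no trailing backslash while the following lines do; please check that a line continuation was not lost.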