Merge remote-tracking branch 'pekey/devel-pekey'

diff --cc init/Kconfig
Simple merge

diff --cc kernel/Makefile
index 05949c0510c505581be79480f5ebe1fcbc409b3f,0ca8c0a3855631e7cc45cbcdd5510cb71ad2a6d7..f273c0e6f3c005a7c2fec76c0ed868299f07c363
--- 1/kernel/Makefile
--- 2/kernel/Makefile
+++ b/kernel/Makefile
@@@ -127,33 -128,52 +128,60 @@@ $(obj)/config_data.h: $(obj)/config_dat
  
  $(obj)/time.o: $(obj)/timeconst.h
  
 -quiet_cmd_timeconst  = TIMEC   $@
 -      cmd_timeconst  = $(PERL) $< $(CONFIG_HZ) > $@
 +quiet_cmd_hzfile = HZFILE  $@
 +      cmd_hzfile = echo "hz=$(CONFIG_HZ)" > $@
 +
 +targets += hz.bc
 +$(obj)/hz.bc: $(objtree)/include/config/hz.h FORCE
 +      $(call if_changed,hzfile)
 +
 +quiet_cmd_bc  = BC      $@
 +      cmd_bc  = bc -q $(filter-out FORCE,$^) > $@
 +
  targets += timeconst.h
 -$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
 -      $(call if_changed,timeconst)
 +$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
 +      $(call if_changed,bc)
  
- ifeq ($(CONFIG_MODULE_SIG),y)
+ ###############################################################################
  #
- # Pull the signing certificate and any extra certificates into the kernel
+ # Roll all the X.509 certificates that we can find together and pull them into
+ # the kernel so that they get loaded into the system trusted keyring during
+ # boot.
  #
+ ###############################################################################
+ ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
+ X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+ X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
+ X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
+ 
+ ifeq ($(X509_CERTIFICATES),)
+ $(warning *** No X.509 certificates found ***)
+ endif
+ 
+ ifneq ($(wildcard $(obj)/.x509.list),)
+ ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
+ $(info X.509 certificate list changed)
+ $(shell rm $(obj)/.x509.list)
+ endif
+ endif
+ 
+ kernel/system_certificates.o: $(obj)/x509_certificate_list
  
- quiet_cmd_touch = TOUCH   $@
-       cmd_touch = touch   $@
+ quiet_cmd_x509certs  = CERTS   $@
+       cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo "  - Including cert $(X509)")
  
- extra_certificates:
-       $(call cmd,touch)
+ targets += $(obj)/x509_certificate_list
+ $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
+       $(call if_changed,x509certs)
  
- kernel/modsign_certificate.o: signing_key.x509 extra_certificates
+ targets += $(obj)/.x509.list
+ $(obj)/.x509.list:
+       @echo $(X509_CERTIFICATES) >$@
  
+ clean-files := x509_certificate_list .x509.list
+ endif
+ 
+ ifeq ($(CONFIG_MODULE_SIG),y)
  ###############################################################################
  #
  # If module signing is requested, say by allyesconfig, but a key has not been