On 09.07.2021 15:36:00, Michael Olbrich wrote:
> So this is not what we want here. Sorry, I didn't notice this in the last
> version. The idea is this:
>
> If the keydir does not exist, then cs_get_ca() was evaluated too early. So
> the check above should be added as it is here.
> What's now missing is what Marc originally intended and was part of the
> first version of the patch:
> If the keydir exists but no CA, then there will never be a CA and we want
> to match that. So this should be there as well:
>
>     if [ -e "${ca}" ]; then
>         echo "${ca}"
>     fi
>
> instead of this:
>
> > + echo "${ca}"
>
> Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the
> CA exists.
>
> Marc, that was the use-case, right?

ACK, the use case is:

| KERNEL_SIGN_OPT = \
|     CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri evm)"' \
|     CONFIG_MODULE_SIG_ALL=y \
|     $(if $(shell cs_get_ca kernel-trusted), \
|         CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
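
The three cases discussed in this thread (keydir missing, keydir present without a CA, CA present), as an added sketch that is not part of the original messages or the project's code. The names `demo_get_ca` and `demo_trusted_keys_opt`, the `<keydir>/<role>/ca.pem` layout and the exit status 2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch, not the project's code. Function names, the
# <keydir>/<role>/ca.pem layout and exit status 2 are assumptions.

# Print the CA path for a role only if the CA file exists.
# Fail when the key directory itself is missing, because that means
# the lookup was evaluated too early.
demo_get_ca() {
    keydir="$1"
    role="$2"
    ca="${keydir}/${role}/ca.pem"

    if [ ! -d "${keydir}" ]; then
        echo "demo_get_ca: keydir '${keydir}' missing, evaluated too early" >&2
        return 2
    fi
    # keydir exists but no CA: there will never be one, so print nothing.
    if [ -e "${ca}" ]; then
        echo "${ca}"
    fi
}

# Shell counterpart of the $(if $(shell cs_get_ca ...), ...) idiom:
# emit the trusted-keys option only when a CA path came back, so a
# role without a CA never yields an option pointing at a missing file.
demo_trusted_keys_opt() {
    ca_path="$(demo_get_ca "$1" "$2")" || return $?
    if [ -n "${ca_path}" ]; then
        echo "CONFIG_SYSTEM_TRUSTED_KEYS=${ca_path}"
    fi
}
```

Empty output with status 0 means "no CA for this role", while a non-zero status means the key directory was not set up yet, so a caller can tell the two apart.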