[PATCH] ima: require CONFIG_MODULES for IMA_APPRAISE_MODSIG

Arnd Bergmann arnd at kernel.org
Thu Apr 22 13:29:48 UTC 2021


From: Arnd Bergmann <arnd at arndb.de>

When module support is disabled, CONFIG_MODULE_SIG_HASH cannot
be set either, so the build process fails with an error

certs/Makefile:52: *** Could not determine digest type to use from kernel config.  Stop.

when IMA_APPRAISE_MODSIG is set but modules are not.

Add a Kconfig dependency to prevent this configuration.

Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key")
Signed-off-by: Arnd Bergmann <arnd at arndb.de>
---
 security/integrity/ima/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 12e9250c1bec..2c36144cdd24 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -242,6 +242,7 @@ config IMA_APPRAISE_MODSIG
 	bool "Support module-style signatures for appraisal"
 	depends on IMA_APPRAISE
 	depends on INTEGRITY_ASYMMETRIC_KEYS
+	depends on MODULES
 	select PKCS7_MESSAGE_PARSER
 	select MODULE_SIG_FORMAT
 	default n
-- 
2.29.2



More information about the Linux-security-module-archive mailing list