[PATCH] ima: rework CONFIG_IMA dependency block

Arnd Bergmann arnd at arndb.de
Wed Sep 27 11:12:49 UTC 2023


On Wed, Sep 27, 2023, at 12:52, Mimi Zohar wrote:
> On Wed, 2023-09-27 at 09:22 +0200, Arnd Bergmann wrote:
>> From: Arnd Bergmann <arnd at arndb.de>
>> 
>> Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
>> IMA_LOAD_X509 caused them to no longer depend on IMA, but a
>> a configuration without IMA results in link failures:
>> 
>> arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
>> iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'
>> 
>> aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
>> digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'
>> 
>> Adding explicit dependencies on IMA would fix this, but a more reliable
>> way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
>> This also allows removing the existing direct dependencies.
>> 
>> Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
>> Signed-off-by: Arnd Bergmann <arnd at arndb.de>
>
> Oleksandr Tymoshenko's patch to address this, made it into linux-next
> today.
>
> Commit be210c6d3597 ("ima: Finish deprecation of IMA_TRUSTED_KEYRING
> Kconfig") made it last night into linux-next.

No, that is the patch that caused the regression for me, since it
is missing the IMA dependencies.

    Arnd



More information about the Linux-security-module-archive mailing list