[RFC PATCH v2 31/34] ima,evm: move initcalls to the LSM framework

Roberto Sassu roberto.sassu at huaweicloud.com
Mon Jul 28 10:43:50 UTC 2025


On Mon, 2025-07-28 at 11:46 +0200, Nicolas Bouchinet wrote:
> Hi Paul,
> 
> With `CONFIG_INTEGRITY=y` but not `CONFIG_IMA=y` or `CONFIG_EVM=y` it
> does not compile:

Hi Nicolas

thanks, I was about to answer too:

Same type of change as for Smack (I didn't check the other LSMs):

diff --git a/security/integrity/initcalls.h
b/security/integrity/initcalls.h
index 5511c62f8166..a0e27fab67db 100644
--- a/security/integrity/initcalls.h
+++ b/security/integrity/initcalls.h
@@ -5,8 +5,23 @@
 
 int integrity_fs_init(void);
 
+#ifdef CONFIG_IMA
 int init_ima(void);
+#else
+static inline int init_ima(void)
+{
+       return 0;
+}
+#endif
+
+#ifdef CONFIG_EVM
 int init_evm(void);
+#else
+static inline int init_evm(void)
+{
+       return 0;
+}
+#endif
 
 int integrity_late_init(void);
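
Review bot: the stub bodies under both #else branches ("return 0;") are indented with spaces instead of a tab, which checkpatch will flag when this is folded into the series; it is probably mail-client damage, but worth checking in the tree. A one-line comment on the stubs saying that 0 is returned so integrity_late_init() carries on when IMA or EVM is compiled out would also make the intent explicit, since the caller cannot tell a stub from a successful init.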


Plus:

diff --git a/security/integrity/initcalls.c
b/security/integrity/initcalls.c
index 92ec9f0aa2a7..6afa411068f2 100644
--- a/security/integrity/initcalls.c
+++ b/security/integrity/initcalls.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Platform certificate / keyring initcalls
+ * IMA/EVM initcalls
  *
  */
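
Review bot: the SPDX context line at the top of this hunk reads GPL-2.0+, but the initcalls.h added by the original patch is tagged GPL-2.0, so the .c file and its header end up under different identifiers; pick one and use it in both files. The comment fix also leaves an empty " *" line before the closing " */", which can be dropped while touching the block.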

Thanks

Roberto

> ```
> ld: vmlinux.o: in function `integrity_late_init':
> security/integrity/initcalls.c:32:(.init.text+0x47f85): undefined reference to `init_ima'
> ld: security/integrity/initcalls.c:36:(.init.text+0x47f96): undefined reference to `init_evm'
> make[2]: *** [scripts/Makefile.vmlinux:91: vmlinux.unstripped] Error 1
> make[1]: *** [Makefile:1236: vmlinux] Error 2
> make: *** [Makefile:248: __sub-make] Error 2
> ```
> 
> >  security/integrity/Makefile       |  2 +-
> >  security/integrity/evm/evm_main.c |  6 ++---
> >  security/integrity/iint.c         |  4 +--
> >  security/integrity/ima/ima_main.c |  6 ++---
> >  security/integrity/initcalls.c    | 41 +++++++++++++++++++++++++++++++
> >  security/integrity/initcalls.h    | 13 ++++++++++
> >  6 files changed, 63 insertions(+), 9 deletions(-)
> >  create mode 100644 security/integrity/initcalls.c
> >  create mode 100644 security/integrity/initcalls.h
> > 
> > diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> > index 92b63039c654..6ea330ea88b1 100644
> > --- a/security/integrity/Makefile
> > +++ b/security/integrity/Makefile
> > @@ -5,7 +5,7 @@
> >  
> >  obj-$(CONFIG_INTEGRITY) += integrity.o
> >  
> > -integrity-y := iint.o
> > +integrity-y := iint.o initcalls.o
> >  integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
> >  integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
> >  integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
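
Review bot: adding initcalls.o to integrity-y makes it build for every CONFIG_INTEGRITY=y configuration, yet the linker output above shows it calling init_ima() and init_evm(), which only exist when CONFIG_IMA and CONFIG_EVM are set. Either the header needs stubs for the disabled case or the calls need to be guarded; as posted, CONFIG_INTEGRITY=y without IMA or EVM fails at link time.
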
> 
> ---
> 
> > diff --git a/security/integrity/initcalls.h b/security/integrity/initcalls.h
> > new file mode 100644
> > index 000000000000..5511c62f8166
> > --- /dev/null
> > +++ b/security/integrity/initcalls.h
> > @@ -0,0 +1,13 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +
> > +#ifndef PLATFORM_CERTS_INITCALLS_H
> > +#define PLATFORM_CERTS_INITCALLS_H
> > +
> > +int integrity_fs_init(void);
> > +
> > +int init_ima(void);
> > +int init_evm(void);
> > +
> > +int integrity_late_init(void);
> > +
> > +#endif
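
Review bot: the include guard PLATFORM_CERTS_INITCALLS_H looks copied from another header and does not match security/integrity/initcalls.h; rename it after this file so it cannot collide with a guard of the same name elsewhere. init_ima() and init_evm() are also declared unconditionally here, with no #ifdef CONFIG_IMA / CONFIG_EVM alternative for builds where they are compiled out.
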
> > -- 
> > 2.50.1
> > 
> 
> Nicolas



