Commit 4f8ee9e0 authored Sep 21, 2023 by Oleksandr Tymoshenko Committed by sanglipeng Mar 18, 2024

ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig

stable inclusion
from stable-v5.10.198
commit a9430129d8dbfce075b9392dd376ddfb3cc8a805
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I987V5

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a9430129d8dbfce075b9392dd376ddfb3cc8a805



--------------------------------

[ Upstream commit be210c6d ]

The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509
and IMA_BLACKLIST_KEYRING unavailable because the latter
two depend on the former. Since IMA_TRUSTED_KEYRING was
deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it
as a dependency for the two Kconfigs affected by the
deprecation.

Fixes: 5087fd9e ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig")
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent b2c79c38

security/integrity/ima/Kconfig

+2 −2

Original line number	Diff line number	Diff line
		@@ -268,7 +268,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
		config IMA_BLACKLIST_KEYRING
		bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
		depends on SYSTEM_TRUSTED_KEYRING
		depends on IMA_TRUSTED_KEYRING
		depends on INTEGRITY_TRUSTED_KEYRING
		default n
		help
		This option creates an IMA blacklist keyring, which contains all
		@@ -278,7 +278,7 @@ config IMA_BLACKLIST_KEYRING

		config IMA_LOAD_X509
		bool "Load X509 certificate onto the '.ima' trusted keyring"
		depends on IMA_TRUSTED_KEYRING
		depends on INTEGRITY_TRUSTED_KEYRING
		default n
		help
		File signature verification is based on the public keys