Commit 781a5739 authored Apr 22, 2021 by Nayna Jain Committed by Mimi Zohar Apr 26, 2021

ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies



IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel
and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build
break.

Ensure the build time kernel signing key is only generated if both
IMA_APPRAISE_MODSIG and MODULES are enabled.

Fixes: 0165f4ca ("ima: enable signing of modules with build time generated key")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

parent 28073eb0

certs/Kconfig

+1 −1

Original line number	Diff line number	Diff line
		@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
		config MODULE_SIG_KEY
		string "File name or PKCS#11 URI of module signing key"
		default "certs/signing_key.pem"
		depends on MODULE_SIG \|\| IMA_APPRAISE_MODSIG
		depends on MODULE_SIG \|\| (IMA_APPRAISE_MODSIG && MODULES)
		help
		Provide the file name of a private key/certificate in PEM format,
		or a PKCS#11 URI according to RFC7512. The file should contain, or

certs/Makefile

+2 −0

Original line number	Diff line number	Diff line
		@@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y)
		endif

		ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
		ifeq ($(CONFIG_MODULES),y)
		SIGN_KEY = y
		endif
		endif

		ifdef SIGN_KEY
		###############################################################################

certs/system_certificates.S

+2 −1

Original line number	Diff line number	Diff line
		@@ -9,7 +9,8 @@
		system_certificate_list:
		__cert_list_start:
		__module_cert_start:
		#if defined(CONFIG_MODULE_SIG) \|\| defined(CONFIG_IMA_APPRAISE_MODSIG)
		#if defined(CONFIG_MODULE_SIG) \|\| (defined(CONFIG_IMA_APPRAISE_MODSIG) \
		&& defined(CONFIG_MODULES))
		.incbin "certs/signing_key.x509"
		#endif
		__module_cert_end: