Message ID | 20210423011602.138946-1-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies | expand |
On 4/22/21 6:16 PM, Nayna Jain wrote: > IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel > and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build > break. > > Ensure the build time kernel signing key is only generated if both > IMA_APPRAISE_MODSIG and MODULES are enabled. > > Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key") > Reported-by: Randy Dunlap <rdunlap@infradead.org> > Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Works For Me. Thanks. Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested > --- > certs/Kconfig | 2 +- > certs/Makefile | 2 ++ > certs/system_certificates.S | 3 ++- > 3 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/certs/Kconfig b/certs/Kconfig > index 48675ad319db..e4d00348fd73 100644 > --- a/certs/Kconfig > +++ b/certs/Kconfig > @@ -4,7 +4,7 @@ menu "Certificates for signature checking" > config MODULE_SIG_KEY > string "File name or PKCS#11 URI of module signing key" > default "certs/signing_key.pem" > - depends on MODULE_SIG || IMA_APPRAISE_MODSIG > + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) > help > Provide the file name of a private key/certificate in PEM format, > or a PKCS#11 URI according to RFC7512. The file should contain, or > diff --git a/certs/Makefile b/certs/Makefile > index e3185c57fbd8..2f369d6aa494 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y) > endif > > ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) > +ifeq ($(CONFIG_MODULES),y) > SIGN_KEY = y > endif > +endif > > ifdef SIGN_KEY > ############################################################################### > diff --git a/certs/system_certificates.S b/certs/system_certificates.S > index dcad27ea8527..e1645e6f4d97 100644 > --- a/certs/system_certificates.S > +++ b/certs/system_certificates.S > @@ -9,7 +9,8 @@ > system_certificate_list: > __cert_list_start: > __module_cert_start: > -#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) > +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ > + && defined(CONFIG_MODULES)) > .incbin "certs/signing_key.x509" > #endif > __module_cert_end: >
diff --git a/certs/Kconfig b/certs/Kconfig index 48675ad319db..e4d00348fd73 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG || IMA_APPRAISE_MODSIG + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or diff --git a/certs/Makefile b/certs/Makefile index e3185c57fbd8..2f369d6aa494 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y) endif ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +ifeq ($(CONFIG_MODULES),y) SIGN_KEY = y endif +endif ifdef SIGN_KEY ############################################################################### diff --git a/certs/system_certificates.S b/certs/system_certificates.S index dcad27ea8527..e1645e6f4d97 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -9,7 +9,8 @@ system_certificate_list: __cert_list_start: __module_cert_start: -#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ + && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" #endif __module_cert_end:
IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build break. Ensure the build time kernel signing key is only generated if both IMA_APPRAISE_MODSIG and MODULES are enabled. Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key") Reported-by: Randy Dunlap <rdunlap@infradead.org> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- certs/Kconfig | 2 +- certs/Makefile | 2 ++ certs/system_certificates.S | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-)