| Message ID | 20230927072223.2555698-1-arnd@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: rework CONFIG_IMA dependency block | expand |
On Wed, 2023-09-27 at 09:22 +0200, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > Changing the direct dependencies of IMA_BLACKLIST_KEYRING and > IMA_LOAD_X509 caused them to no longer depend on IMA, but a > a configuration without IMA results in link failures: > > arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys': > iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509' > > aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify': > digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring' > > Adding explicit dependencies on IMA would fix this, but a more reliable > way to do this is to enclose the entire Kconfig file in an 'if IMA' block. > This also allows removing the existing direct dependencies. > > Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig") > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Oleksandr Tymoshenko's patch to address this, made it into linux-next today. Commit be210c6d3597 ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig") made it last night into linux-next.
On Wed, Sep 27, 2023, at 12:52, Mimi Zohar wrote: > On Wed, 2023-09-27 at 09:22 +0200, Arnd Bergmann wrote: >> From: Arnd Bergmann <arnd@arndb.de> >> >> Changing the direct dependencies of IMA_BLACKLIST_KEYRING and >> IMA_LOAD_X509 caused them to no longer depend on IMA, but a >> a configuration without IMA results in link failures: >> >> arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys': >> iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509' >> >> aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify': >> digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring' >> >> Adding explicit dependencies on IMA would fix this, but a more reliable >> way to do this is to enclose the entire Kconfig file in an 'if IMA' block. >> This also allows removing the existing direct dependencies. >> >> Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig") >> Signed-off-by: Arnd Bergmann <arnd@arndb.de> > > Oleksandr Tymoshenko's patch to address this, made it into linux-next > today. > > Commit be210c6d3597 ("ima: Finish deprecation of IMA_TRUSTED_KEYRING > Kconfig") made it last night into linux-next. No, that is the patch that caused the regression for me, since it is missing the IMA dependencies. Arnd
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 4e559bd1fd41c..a6bd817efc1a6 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -29,9 +29,11 @@ config IMA to learn more about IMA. If unsure, say N. +if IMA + config IMA_KEXEC bool "Enable carrying the IMA measurement list across a soft boot" - depends on IMA && TCG_TPM && HAVE_IMA_KEXEC + depends on TCG_TPM && HAVE_IMA_KEXEC default n help TPM PCRs are only reset on a hard reboot. In order to validate @@ -43,7 +45,6 @@ config IMA_KEXEC config IMA_MEASURE_PCR_IDX int - depends on IMA range 8 14 default 10 help @@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX config IMA_LSM_RULES bool - depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) + depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) default y help Disabling this option will disregard LSM based policy rules. @@ -61,7 +62,6 @@ config IMA_LSM_RULES choice prompt "Default template" default IMA_NG_TEMPLATE - depends on IMA help Select the default IMA measurement template. @@ -80,14 +80,12 @@ endchoice config IMA_DEFAULT_TEMPLATE string - depends on IMA default "ima-ng" if IMA_NG_TEMPLATE default "ima-sig" if IMA_SIG_TEMPLATE choice prompt "Default integrity hash algorithm" default IMA_DEFAULT_HASH_SHA1 - depends on IMA help Select the default hash algorithm used for the measurement list, integrity appraisal and audit log. The compiled default @@ -117,7 +115,6 @@ endchoice config IMA_DEFAULT_HASH string - depends on IMA default "sha1" if IMA_DEFAULT_HASH_SHA1 default "sha256" if IMA_DEFAULT_HASH_SHA256 default "sha512" if IMA_DEFAULT_HASH_SHA512 @@ -126,7 +123,6 @@ config IMA_DEFAULT_HASH config IMA_WRITE_POLICY bool "Enable multiple writes to the IMA policy" - depends on IMA default n help IMA policy can now be updated multiple times. The new rules get @@ -137,7 +133,6 @@ config IMA_WRITE_POLICY config IMA_READ_POLICY bool "Enable reading back the current IMA policy" - depends on IMA default y if IMA_WRITE_POLICY default n if !IMA_WRITE_POLICY help @@ -147,7 +142,6 @@ config IMA_READ_POLICY config IMA_APPRAISE bool "Appraise integrity measurements" - depends on IMA default n help This option enables local measurement integrity appraisal. @@ -304,7 +298,6 @@ config IMA_APPRAISE_SIGNED_INIT config IMA_MEASURE_ASYMMETRIC_KEYS bool - depends on IMA depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y default y @@ -323,7 +316,8 @@ config IMA_SECURE_AND_OR_TRUSTED_BOOT config IMA_DISABLE_HTABLE bool "Disable htable to allow measurement of duplicate records" - depends on IMA default n help This option disables htable to allow measurement of duplicate records. + +endif