diff mbox series

ima: rework CONFIG_IMA dependency block

Message ID 20230927072223.2555698-1-arnd@kernel.org (mailing list archive)
State New, archived
Headers show
Series ima: rework CONFIG_IMA dependency block | expand

Commit Message

Arnd Bergmann Sept. 27, 2023, 7:22 a.m. UTC
From: Arnd Bergmann <arnd@arndb.de>

Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
IMA_LOAD_X509 caused them to no longer depend on IMA, but a
a configuration without IMA results in link failures:

arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'

aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'

Adding explicit dependencies on IMA would fix this, but a more reliable
way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
This also allows removing the existing direct dependencies.

Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 security/integrity/ima/Kconfig | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

Comments

Mimi Zohar Sept. 27, 2023, 10:52 a.m. UTC | #1
On Wed, 2023-09-27 at 09:22 +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
> IMA_LOAD_X509 caused them to no longer depend on IMA, but a
> a configuration without IMA results in link failures:
> 
> arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
> iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'
> 
> aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
> digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'
> 
> Adding explicit dependencies on IMA would fix this, but a more reliable
> way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
> This also allows removing the existing direct dependencies.
> 
> Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Oleksandr Tymoshenko's patch to address this, made it into linux-next
today.

Commit be210c6d3597 ("ima: Finish deprecation of IMA_TRUSTED_KEYRING
Kconfig") made it last night into linux-next.
Arnd Bergmann Sept. 27, 2023, 11:12 a.m. UTC | #2
On Wed, Sep 27, 2023, at 12:52, Mimi Zohar wrote:
> On Wed, 2023-09-27 at 09:22 +0200, Arnd Bergmann wrote:
>> From: Arnd Bergmann <arnd@arndb.de>
>> 
>> Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
>> IMA_LOAD_X509 caused them to no longer depend on IMA, but a
>> a configuration without IMA results in link failures:
>> 
>> arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
>> iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'
>> 
>> aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
>> digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'
>> 
>> Adding explicit dependencies on IMA would fix this, but a more reliable
>> way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
>> This also allows removing the existing direct dependencies.
>> 
>> Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
>> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
>
> Oleksandr Tymoshenko's patch to address this, made it into linux-next
> today.
>
> Commit be210c6d3597 ("ima: Finish deprecation of IMA_TRUSTED_KEYRING
> Kconfig") made it last night into linux-next.

No, that is the patch that caused the regression for me, since it
is missing the IMA dependencies.

    Arnd
diff mbox series

Patch

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 4e559bd1fd41c..a6bd817efc1a6 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -29,9 +29,11 @@  config IMA
 	  to learn more about IMA.
 	  If unsure, say N.
 
+if IMA
+
 config IMA_KEXEC
 	bool "Enable carrying the IMA measurement list across a soft boot"
-	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
+	depends on TCG_TPM && HAVE_IMA_KEXEC
 	default n
 	help
 	   TPM PCRs are only reset on a hard reboot.  In order to validate
@@ -43,7 +45,6 @@  config IMA_KEXEC
 
 config IMA_MEASURE_PCR_IDX
 	int
-	depends on IMA
 	range 8 14
 	default 10
 	help
@@ -53,7 +54,7 @@  config IMA_MEASURE_PCR_IDX
 
 config IMA_LSM_RULES
 	bool
-	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
+	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
 	default y
 	help
 	  Disabling this option will disregard LSM based policy rules.
@@ -61,7 +62,6 @@  config IMA_LSM_RULES
 choice
 	prompt "Default template"
 	default IMA_NG_TEMPLATE
-	depends on IMA
 	help
 	  Select the default IMA measurement template.
 
@@ -80,14 +80,12 @@  endchoice
 
 config IMA_DEFAULT_TEMPLATE
 	string
-	depends on IMA
 	default "ima-ng" if IMA_NG_TEMPLATE
 	default "ima-sig" if IMA_SIG_TEMPLATE
 
 choice
 	prompt "Default integrity hash algorithm"
 	default IMA_DEFAULT_HASH_SHA1
-	depends on IMA
 	help
 	   Select the default hash algorithm used for the measurement
 	   list, integrity appraisal and audit log.  The compiled default
@@ -117,7 +115,6 @@  endchoice
 
 config IMA_DEFAULT_HASH
 	string
-	depends on IMA
 	default "sha1" if IMA_DEFAULT_HASH_SHA1
 	default "sha256" if IMA_DEFAULT_HASH_SHA256
 	default "sha512" if IMA_DEFAULT_HASH_SHA512
@@ -126,7 +123,6 @@  config IMA_DEFAULT_HASH
 
 config IMA_WRITE_POLICY
 	bool "Enable multiple writes to the IMA policy"
-	depends on IMA
 	default n
 	help
 	  IMA policy can now be updated multiple times.  The new rules get
@@ -137,7 +133,6 @@  config IMA_WRITE_POLICY
 
 config IMA_READ_POLICY
 	bool "Enable reading back the current IMA policy"
-	depends on IMA
 	default y if IMA_WRITE_POLICY
 	default n if !IMA_WRITE_POLICY
 	help
@@ -147,7 +142,6 @@  config IMA_READ_POLICY
 
 config IMA_APPRAISE
 	bool "Appraise integrity measurements"
-	depends on IMA
 	default n
 	help
 	  This option enables local measurement integrity appraisal.
@@ -304,7 +298,6 @@  config IMA_APPRAISE_SIGNED_INIT
 
 config IMA_MEASURE_ASYMMETRIC_KEYS
 	bool
-	depends on IMA
 	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 	default y
 
@@ -323,7 +316,8 @@  config IMA_SECURE_AND_OR_TRUSTED_BOOT
 
 config IMA_DISABLE_HTABLE
 	bool "Disable htable to allow measurement of duplicate records"
-	depends on IMA
 	default n
 	help
 	   This option disables htable to allow measurement of duplicate records.
+
+endif