| Message ID | 20230921064506.3420402-1-ovt@google.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig | expand |
On Wed, Sep 20, 2023 at 11:45 PM Oleksandr Tymoshenko <ovt@google.com> wrote: > > The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509 > and IMA_BLACKLIST_KEYRING unavailable because the latter > two depend on the former. Since IMA_TRUSTED_KEYRING was > deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it > as a dependency for the two Kconfigs affected by the > deprecation. > > Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig") > Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> Gentle ping, IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING options are currently broken on all branches.
On 9/21/23 02:45, Oleksandr Tymoshenko wrote: > The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509 > and IMA_BLACKLIST_KEYRING unavailable because the latter > two depend on the former. Since IMA_TRUSTED_KEYRING was > deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it > as a dependency for the two Kconfigs affected by the > deprecation. > > Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig") > Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> Thanks for doing this. Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
On Mon, 2023-09-25 at 21:20 -0700, Oleksandr Tymoshenko wrote: > On Wed, Sep 20, 2023 at 11:45 PM Oleksandr Tymoshenko <ovt@google.com> wrote: > > > > The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509 > > and IMA_BLACKLIST_KEYRING unavailable because the latter > > two depend on the former. Since IMA_TRUSTED_KEYRING was > > deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it > > as a dependency for the two Kconfigs affected by the > > deprecation. > > > > Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig") > > Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> > > Gentle ping, IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING options are > currently broken on all branches. Sorry for the delay. It's now in linux-next.
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index ecddc807c536..4e559bd1fd41 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -269,7 +269,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING - depends on IMA_TRUSTED_KEYRING + depends on INTEGRITY_TRUSTED_KEYRING default n help This option creates an IMA blacklist keyring, which contains all @@ -279,7 +279,7 @@ config IMA_BLACKLIST_KEYRING config IMA_LOAD_X509 bool "Load X509 certificate onto the '.ima' trusted keyring" - depends on IMA_TRUSTED_KEYRING + depends on INTEGRITY_TRUSTED_KEYRING default n help File signature verification is based on the public keys
The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING unavailable because the latter two depend on the former. Since IMA_TRUSTED_KEYRING was deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it as a dependency for the two Kconfigs affected by the deprecation. Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig") Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> --- security/integrity/ima/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)