* [PATCH] ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
@ 2021-04-23 1:16 Nayna Jain
2021-04-23 2:57 ` Randy Dunlap
0 siblings, 1 reply; 2+ messages in thread
From: Nayna Jain @ 2021-04-23 1:16 UTC (permalink / raw)
To: linux-integrity, keyrings
Cc: linux-security-module, David Howells, Jarkko Sakkinen,
Stefan Berger, Linux Kernel Mailing List, David Woodhouse,
Mimi Zohar, Arnd Bergmann, Randy Dunlap, Stephen Rothwell,
Nayna Jain
IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel
and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build
break.
Ensure the build time kernel signing key is only generated if both
IMA_APPRAISE_MODSIG and MODULES are enabled.
Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
certs/Kconfig | 2 +-
certs/Makefile | 2 ++
certs/system_certificates.S | 3 ++-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/certs/Kconfig b/certs/Kconfig
index 48675ad319db..e4d00348fd73 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
default "certs/signing_key.pem"
- depends on MODULE_SIG || IMA_APPRAISE_MODSIG
+ depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
help
Provide the file name of a private key/certificate in PEM format,
or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/certs/Makefile b/certs/Makefile
index e3185c57fbd8..2f369d6aa494 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y)
endif
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ifeq ($(CONFIG_MODULES),y)
SIGN_KEY = y
endif
+endif
ifdef SIGN_KEY
###############################################################################
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index dcad27ea8527..e1645e6f4d97 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -9,7 +9,8 @@
system_certificate_list:
__cert_list_start:
__module_cert_start:
-#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
+#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
+ && defined(CONFIG_MODULES))
.incbin "certs/signing_key.x509"
#endif
__module_cert_end:
--
2.29.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
2021-04-23 1:16 [PATCH] ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies Nayna Jain
@ 2021-04-23 2:57 ` Randy Dunlap
0 siblings, 0 replies; 2+ messages in thread
From: Randy Dunlap @ 2021-04-23 2:57 UTC (permalink / raw)
To: Nayna Jain, linux-integrity, keyrings
Cc: linux-security-module, David Howells, Jarkko Sakkinen,
Stefan Berger, Linux Kernel Mailing List, David Woodhouse,
Mimi Zohar, Arnd Bergmann, Stephen Rothwell
On 4/22/21 6:16 PM, Nayna Jain wrote:
> IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel
> and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build
> break.
>
> Ensure the build time kernel signing key is only generated if both
> IMA_APPRAISE_MODSIG and MODULES are enabled.
>
> Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key")
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Works For Me. Thanks.
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
> ---
> certs/Kconfig | 2 +-
> certs/Makefile | 2 ++
> certs/system_certificates.S | 3 ++-
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/certs/Kconfig b/certs/Kconfig
> index 48675ad319db..e4d00348fd73 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -4,7 +4,7 @@ menu "Certificates for signature checking"
> config MODULE_SIG_KEY
> string "File name or PKCS#11 URI of module signing key"
> default "certs/signing_key.pem"
> - depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
> help
> Provide the file name of a private key/certificate in PEM format,
> or a PKCS#11 URI according to RFC7512. The file should contain, or
> diff --git a/certs/Makefile b/certs/Makefile
> index e3185c57fbd8..2f369d6aa494 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y)
> endif
>
> ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +ifeq ($(CONFIG_MODULES),y)
> SIGN_KEY = y
> endif
> +endif
>
> ifdef SIGN_KEY
> ###############################################################################
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index dcad27ea8527..e1645e6f4d97 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -9,7 +9,8 @@
> system_certificate_list:
> __cert_list_start:
> __module_cert_start:
> -#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
> +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
> + && defined(CONFIG_MODULES))
> .incbin "certs/signing_key.x509"
> #endif
> __module_cert_end:
>
--
~Randy
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-23 2:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-23 1:16 [PATCH] ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies Nayna Jain
2021-04-23 2:57 ` Randy Dunlap
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).