* Re: linux-next: Tree for Apr 16 (IMA appraise causing build error) [not found] <20210416213625.14542675@canb.auug.org.au> @ 2021-04-16 18:53 ` Randy Dunlap 2021-04-16 20:25 ` Nayna 0 siblings, 1 reply; 3+ messages in thread From: Randy Dunlap @ 2021-04-16 18:53 UTC (permalink / raw) To: Stephen Rothwell, Linux Next Mailing List Cc: Linux Kernel Mailing List, linux-integrity, Mimi Zohar, Dmitry Kasatkin, Masahiro Yamada [-- Attachment #1: Type: text/plain, Size: 1211 bytes --] On 4/16/21 4:36 AM, Stephen Rothwell wrote: > Hi all, > > Changes since 20210415: > I noticed this build error message (on an i386 build): ../certs/Makefile:52: *** Could not determine digest type to use from kernel config. Stop. and when I was checking on why it happened, I noticed that # CONFIG_MODULES is not set and hence ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif CONFIG_MODULE_SIG_HASH is not set/enabled/defined. However, the .config file does have CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_APPRAISE_MODSIG=y as well as CONFIG_MODULE_SIG_FORMAT=y due to a "select" by IMA_APPRAISE_MODSIG. (although I see that MODULE_SIG_FORMAT does not depend on MODULES) Is there anything that you can do (or recommend) to prevent the build error? BTW, it looks like this: config IMA_APPRAISE_REQUIRE_MODULE_SIGS bool "Appraise kernel modules signatures" depends on IMA_APPRAISE_BUILD_POLICY could also depend on MODULES. Full i386 randconfig file is attached. thanks. -- ~Randy Reported-by: Randy Dunlap <rdunlap@infradead.org> [-- Attachment #2: config-r8835.gz --] [-- Type: application/gzip, Size: 37123 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: linux-next: Tree for Apr 16 (IMA appraise causing build error) 2021-04-16 18:53 ` linux-next: Tree for Apr 16 (IMA appraise causing build error) Randy Dunlap @ 2021-04-16 20:25 ` Nayna 2021-04-16 20:32 ` Randy Dunlap 0 siblings, 1 reply; 3+ messages in thread From: Nayna @ 2021-04-16 20:25 UTC (permalink / raw) To: Randy Dunlap, Stephen Rothwell, Linux Next Mailing List Cc: Linux Kernel Mailing List, linux-integrity, Mimi Zohar, Dmitry Kasatkin, Masahiro Yamada On 4/16/21 2:53 PM, Randy Dunlap wrote: > On 4/16/21 4:36 AM, Stephen Rothwell wrote: >> Hi all, >> >> Changes since 20210415: >> > I noticed this build error message (on an i386 build): > > ../certs/Makefile:52: *** Could not determine digest type to use from kernel config. Stop. > > and when I was checking on why it happened, I noticed that > # CONFIG_MODULES is not set > > and hence > ifndef CONFIG_MODULE_SIG_HASH > $(error Could not determine digest type to use from kernel config) > endif > > CONFIG_MODULE_SIG_HASH is not set/enabled/defined. > > However, the .config file does have > CONFIG_IMA_APPRAISE=y > # CONFIG_IMA_ARCH_POLICY is not set > # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set > CONFIG_IMA_APPRAISE_BOOTPARAM=y > CONFIG_IMA_APPRAISE_MODSIG=y > > as well as > CONFIG_MODULE_SIG_FORMAT=y > > due to a "select" by IMA_APPRAISE_MODSIG. > (although I see that MODULE_SIG_FORMAT does not depend on MODULES) > > > Is there anything that you can do (or recommend) to prevent > the build error? > > > > BTW, it looks like this: > config IMA_APPRAISE_REQUIRE_MODULE_SIGS > bool "Appraise kernel modules signatures" > depends on IMA_APPRAISE_BUILD_POLICY > > could also depend on MODULES. > > > > Full i386 randconfig file is attached. With the new patchset "ima: kernel build support for loading the kernel module signing key", there shouldn't be a difference when generating the config file between MODULE_SIG and IMA_APPRAISE_MODSIG. Both prompt for the hash algorithm. Can you please explain how you generate randconfig? Do you use make xconfig? Thanks & Regards, - Nayna ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: linux-next: Tree for Apr 16 (IMA appraise causing build error) 2021-04-16 20:25 ` Nayna @ 2021-04-16 20:32 ` Randy Dunlap 0 siblings, 0 replies; 3+ messages in thread From: Randy Dunlap @ 2021-04-16 20:32 UTC (permalink / raw) To: Nayna, Stephen Rothwell, Linux Next Mailing List Cc: Linux Kernel Mailing List, linux-integrity, Mimi Zohar, Dmitry Kasatkin, Masahiro Yamada Hi, On 4/16/21 1:25 PM, Nayna wrote: > > On 4/16/21 2:53 PM, Randy Dunlap wrote: >> On 4/16/21 4:36 AM, Stephen Rothwell wrote: >>> Hi all, >>> >>> Changes since 20210415: >>> >> I noticed this build error message (on an i386 build): >> >> ../certs/Makefile:52: *** Could not determine digest type to use from kernel config. Stop. >> >> and when I was checking on why it happened, I noticed that >> # CONFIG_MODULES is not set >> >> and hence >> ifndef CONFIG_MODULE_SIG_HASH >> $(error Could not determine digest type to use from kernel config) >> endif >> >> CONFIG_MODULE_SIG_HASH is not set/enabled/defined. >> >> However, the .config file does have >> CONFIG_IMA_APPRAISE=y >> # CONFIG_IMA_ARCH_POLICY is not set >> # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set >> CONFIG_IMA_APPRAISE_BOOTPARAM=y >> CONFIG_IMA_APPRAISE_MODSIG=y >> >> as well as >> CONFIG_MODULE_SIG_FORMAT=y >> >> due to a "select" by IMA_APPRAISE_MODSIG. >> (although I see that MODULE_SIG_FORMAT does not depend on MODULES) >> >> >> Is there anything that you can do (or recommend) to prevent >> the build error? >> >> >> >> BTW, it looks like this: >> config IMA_APPRAISE_REQUIRE_MODULE_SIGS >> bool "Appraise kernel modules signatures" >> depends on IMA_APPRAISE_BUILD_POLICY >> >> could also depend on MODULES. >> >> >> >> Full i386 randconfig file is attached. > > > With the new patchset "ima: kernel build support for loading the kernel module signing key", there shouldn't be a difference when generating the config file between MODULE_SIG and IMA_APPRAISE_MODSIG. Both prompt for the hash algorithm. That patchset appears to be included in today's linux-next 2021-04-16. > Can you please explain how you generate randconfig? Do you use make xconfig? with the 'make randconfig' command. -- ~Randy ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-16 20:32 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20210416213625.14542675@canb.auug.org.au> 2021-04-16 18:53 ` linux-next: Tree for Apr 16 (IMA appraise causing build error) Randy Dunlap 2021-04-16 20:25 ` Nayna 2021-04-16 20:32 ` Randy Dunlap
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).