ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies

IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build break. Ensure the build time kernel signing key is only generated if both IMA_APPRAISE_MODSIG and MODULES are enabled. Fixes: 0165f4c ("ima: enable signing of modules with build time generated key") Reported-by: Randy Dunlap <[email protected]> Reported-by: Stephen Rothwell <[email protected]> Acked-by: Randy Dunlap <[email protected]> # build-tested Signed-off-by: Nayna Jain <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
josf · Apr 27, 2021 · 781a573 · 781a573
1 parent 28073eb
commit 781a573
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/certs/Kconfig b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
 config MODULE_SIG_KEY
 	string "File name or PKCS#11 URI of module signing key"
 	default "certs/signing_key.pem"
-	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
+	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
 	help
          Provide the file name of a private key/certificate in PEM format,
          or a PKCS#11 URI according to RFC7512. The file should contain, or

diff --git a/certs/Makefile b/certs/Makefile
@@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y)
 endif
 
 ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ifeq ($(CONFIG_MODULES),y)
 	SIGN_KEY = y
 endif
+endif
 
 ifdef SIGN_KEY
 ###############################################################################

diff --git a/certs/system_certificates.S b/certs/system_certificates.S
@@ -9,7 +9,8 @@
 system_certificate_list:
 __cert_list_start:
 __module_cert_start:
-#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
+#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
+			       && defined(CONFIG_MODULES))
 	.incbin "certs/signing_key.x509"
 #endif
 __module_cert_end: