ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build break. Ensure the build time kernel signing key is only generated if both IMA_APPRAISE_MODSIG and MODULES are enabled. Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key") Reported-by: Randy Dunlap <rdunlap@infradead.org> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

commit: 781a5739489949fd0f32432a9da17f7ddbccf1cc [log] [tgz]
author: Nayna Jain <nayna@linux.ibm.com> Thu Apr 22 21:16:02 2021 -0400
committer: Mimi Zohar <zohar@linux.ibm.com> Mon Apr 26 21:54:23 2021 -0400
tree: 79006c017249d34638a753e423b902e1c1affa04
parent: 28073eb09c5aa29e879490edb88cfd3e7073821e [diff] [blame]
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index dcad27e..e1645e6 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S

@@ -9,7 +9,8 @@
 system_certificate_list:
 __cert_list_start:
 __module_cert_start:
-#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
+#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
+			       && defined(CONFIG_MODULES))
 	.incbin "certs/signing_key.x509"
 #endif
 __module_cert_end:
commit	781a5739489949fd0f32432a9da17f7ddbccf1cc	[log] [tgz]
author	Nayna Jain <nayna@linux.ibm.com>	Thu Apr 22 21:16:02 2021 -0400
committer	Mimi Zohar <zohar@linux.ibm.com>	Mon Apr 26 21:54:23 2021 -0400
tree	79006c017249d34638a753e423b902e1c1affa04
parent	28073eb09c5aa29e879490edb88cfd3e7073821e [diff] [blame]