Hi Coiby, kernel test robot noticed the following build errors:
[auto build test ERROR on cec1e6e5d1ab33403b809f79cd20d6aff124ccfe] url: https://github.com/intel-lab-lkp/linux/commits/Coiby-Xu/ima-Fall-back-to-default-kernel-module-signature-verification/20250928-110501 base: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe patch link: https://lore.kernel.org/r/20250928030358.3873311-1-coxu%40redhat.com patch subject: [PATCH] ima: Fall back to default kernel module signature verification config: i386-randconfig-012-20251002 (https://download.01.org/0day-ci/archive/20251003/[email protected]/config) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251003/[email protected]/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <[email protected]> | Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/ All errors (new ones prefixed by >>): ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement': >> security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference >> to `set_module_sig_enforced' vim +587 security/integrity/ima/ima_appraise.c 483 484 /* 485 * ima_appraise_measurement - appraise file measurement 486 * 487 * Call evm_verifyxattr() to verify the integrity of 'security.ima'. 488 * Assuming success, compare the xattr hash with the collected measurement. 489 * 490 * Return 0 on success, error code otherwise 491 */ 492 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint, 493 struct file *file, const unsigned char *filename, 494 struct evm_ima_xattr_data *xattr_value, 495 int xattr_len, const struct modsig *modsig) 496 { 497 static const char op[] = "appraise_data"; 498 int audit_msgno = AUDIT_INTEGRITY_DATA; 499 const char *cause = "unknown"; 500 struct dentry *dentry = file_dentry(file); 501 struct inode *inode = d_backing_inode(dentry); 502 enum integrity_status status = INTEGRITY_UNKNOWN; 503 int rc = xattr_len; 504 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig; 505 bool enforce_module_sig = iint->flags & IMA_DIGSIG_REQUIRED && func == MODULE_CHECK; 506 507 /* If not appraising a modsig or using default module verification, we need an xattr. */ 508 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig && !enforce_module_sig) 509 return INTEGRITY_UNKNOWN; 510 511 /* 512 * Unlike any of the other LSM hooks where the kernel enforces file 513 * integrity, enforcing file integrity for the bprm_creds_for_exec() 514 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion 515 * of the script interpreter(userspace). Differentiate kernel and 516 * userspace enforced integrity audit messages. 517 */ 518 if (is_bprm_creds_for_exec(func, file)) 519 audit_msgno = AUDIT_INTEGRITY_USERSPACE; 520 521 /* If reading the xattr failed and there's no modsig or module verification, error out. */ 522 if (rc <= 0 && !try_modsig && !enforce_module_sig) { 523 if (rc && rc != -ENODATA) 524 goto out; 525 526 if (iint->flags & IMA_DIGSIG_REQUIRED) { 527 if (iint->flags & IMA_VERITY_REQUIRED) 528 cause = "verity-signature-required"; 529 else 530 cause = "IMA-signature-required"; 531 } else { 532 cause = "missing-hash"; 533 } 534 535 status = INTEGRITY_NOLABEL; 536 if (file->f_mode & FMODE_CREATED) 537 iint->flags |= IMA_NEW_FILE; 538 if ((iint->flags & IMA_NEW_FILE) && 539 (!(iint->flags & IMA_DIGSIG_REQUIRED) || 540 (inode->i_size == 0))) 541 status = INTEGRITY_PASS; 542 goto out; 543 } 544 545 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, 546 rc < 0 ? 0 : rc); 547 switch (status) { 548 case INTEGRITY_PASS: 549 case INTEGRITY_PASS_IMMUTABLE: 550 case INTEGRITY_UNKNOWN: 551 break; 552 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ 553 /* Fine to not have xattrs when using a modsig or default module verification. */ 554 if (try_modsig || enforce_module_sig) 555 break; 556 fallthrough; 557 case INTEGRITY_NOLABEL: /* No security.evm xattr. */ 558 cause = "missing-HMAC"; 559 goto out; 560 case INTEGRITY_FAIL_IMMUTABLE: 561 set_bit(IMA_DIGSIG, &iint->atomic_flags); 562 cause = "invalid-fail-immutable"; 563 goto out; 564 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */ 565 cause = "invalid-HMAC"; 566 goto out; 567 default: 568 WARN_ONCE(true, "Unexpected integrity status %d\n", status); 569 } 570 571 if (xattr_value) 572 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, 573 &cause); 574 575 /* 576 * If we have a modsig and either no imasig or the imasig's key isn't 577 * known, then try verifying the modsig. 578 */ 579 if (try_modsig && 580 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG || 581 rc == -ENOKEY)) 582 rc = modsig_verify(func, modsig, &status, &cause); 583 584 /* Fall back to default kernel module signature verification */ 585 if (rc && enforce_module_sig) { 586 rc = 0; > 587 set_module_sig_enforced(); 588 /* CONFIG_MODULE_SIG may be disabled */ 589 if (is_module_sig_enforced()) { 590 rc = 0; 591 status = INTEGRITY_PASS; 592 pr_debug("Fall back to default kernel module verification for %s\n", filename); 593 } 594 } 595 596 out: 597 /* 598 * File signatures on some filesystems can not be properly verified. 599 * When such filesystems are mounted by an untrusted mounter or on a 600 * system not willing to accept such a risk, fail the file signature 601 * verification. 602 */ 603 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) && 604 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) || 605 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) { 606 status = INTEGRITY_FAIL; 607 cause = "unverifiable-signature"; 608 integrity_audit_msg(audit_msgno, inode, filename, 609 op, cause, rc, 0); 610 } else if (status != INTEGRITY_PASS) { 611 /* Fix mode, but don't replace file signatures. */ 612 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig && 613 (!xattr_value || 614 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { 615 if (!ima_fix_xattr(dentry, iint)) 616 status = INTEGRITY_PASS; 617 } 618 619 /* 620 * Permit new files with file/EVM portable signatures, but 621 * without data. 622 */ 623 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE && 624 test_bit(IMA_DIGSIG, &iint->atomic_flags)) { 625 status = INTEGRITY_PASS; 626 } 627 628 integrity_audit_msg(audit_msgno, inode, filename, 629 op, cause, rc, 0); 630 } else { 631 ima_cache_flags(iint, func); 632 } 633 634 ima_set_cache_status(iint, func, status); 635 return status; 636 } 637 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
