Re: [PATCH] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y

Fri, 31 Oct 2025 13:09:46 -0700 

On Fri, Oct 31, 2025 at 04:09:48PM +0800, Coiby Xu wrote:
> Currently, set_module_sig_enforced is declared as long as CONFIG_MODULES
> is enabled. This can lead to a linking error if
> set_module_sig_enforced is called with CONFIG_MODULE_SIG=n,
> 
>     ld: security/integrity/ima/ima_appraise.o: in function 
> `ima_appraise_measurement':
>     security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined 
> reference to `set_module_sig_enforced'
> 
> So only declare set_module_sig_enforced when CONFIG_MODULE_SIG is
> enabled.
> 
> Note this issue hasn't caused a real problem because all current callers
> of set_module_sig_enforced e.g. security/integrity/ima/ima_efi.c
> depend on CONFIG_MODULE_SIG=y.
> 
> Reported-by: kernel test robot <[email protected]>
> Closes: 
> https://lore.kernel.org/oe-kbuild-all/[email protected]/
> Signed-off-by: Coiby Xu <[email protected]>
> ---
>  include/linux/module.h | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/module.h b/include/linux/module.h
> index e135cc79acee..fa251958b138 100644
> --- a/include/linux/module.h
> +++ b/include/linux/module.h
> @@ -769,8 +769,6 @@ static inline bool is_livepatch_module(struct module *mod)
>  #endif
>  }
>  
> -void set_module_sig_enforced(void);
> -
>  void module_for_each_mod(int(*func)(struct module *mod, void *data), void 
> *data);
>  
>  #else /* !CONFIG_MODULES... */
> @@ -865,10 +863,6 @@ static inline bool module_requested_async_probing(struct 
> module *module)
>  }
>  
>  
> -static inline void set_module_sig_enforced(void)
> -{
> -}
> -
>  /* Dereference module function descriptor */
>  static inline
>  void *dereference_module_function_descriptor(struct module *mod, void *ptr)
> @@ -924,6 +918,8 @@ static inline bool retpoline_module_ok(bool has_retpoline)
>  #ifdef CONFIG_MODULE_SIG
>  bool is_module_sig_enforced(void);
>  
> +void set_module_sig_enforced(void);
> +
>  static inline bool module_sig_ok(struct module *module)
>  {
>       return module->sig_ok;
> @@ -934,6 +930,10 @@ static inline bool is_module_sig_enforced(void)
>       return false;
>  }
>  
> +static inline void set_module_sig_enforced(void)
> +{
> +}
> +
>  static inline bool module_sig_ok(struct module *module)
>  {
>       return true;
> 
> base-commit: e53642b87a4f4b03a8d7e5f8507fc3cd0c595ea6
> -- 
> 2.51.0
> 
> 

Looks good to me.

Reviewed-by: Aaron Tomlin <[email protected]>

-- 
Aaron Tomlin

Reply via email to