Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement

Tue, 27 Jan 2026 05:18:12 -0800 

Hi Mimi, all,

> Kernel code in arch_get_ima_policy() depends also on
> CONFIG_IMA_ARCH_POLICY added in v5.0:
> d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")

> Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to be 
> signed")
> Suggested-by: Mimi Zohar <[email protected]>
> Signed-off-by: Petr Vorel <[email protected]>
> ---
> Hi Mimi, all,

> FYI I'd like to merge it this week to get it into LTP release.

> Kind regards,
> Petr

I dared to merge this to get it into upcoming LTP release (this/next week).

Kind regards,
Petr

>  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
> b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 1bce78d425..df0b8d1532 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -466,10 +466,11 @@ require_evmctl()
>  }

>  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is 
> enabled") # v6.5-rc4
> +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
>  check_need_signed_policy()
>  {
>       tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> -             'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> +             
> 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
>  }

>  # loop device is needed to use only for tmpfs

Reply via email to