Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement

Tue, 27 Jan 2026 10:25:05 -0800 

Hi Petr,

On Tue, 2026-01-27 at 14:17 +0100, Petr Vorel wrote:
> Hi Mimi, all,
> 
> > Kernel code in arch_get_ima_policy() depends also on
> > CONFIG_IMA_ARCH_POLICY added in v5.0:
> > d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")
> 
> > Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to 
> > be signed")
> > Suggested-by: Mimi Zohar <[email protected]>
> > Signed-off-by: Petr Vorel <[email protected]>
> > ---
> > Hi Mimi, all,
> 
> > FYI I'd like to merge it this week to get it into LTP release.
> 
> > Kind regards,
> > Petr
> 
> I dared to merge this to get it into upcoming LTP release (this/next week).

I'm so sorry for the delay.

Only if CONFIG_IMA_ARCH_POLICY IS configured, should check_need_signed_policy be
set to true and the test skipped.  However, I'm seeing:

tst_kconfig.c:531: TINFO: Constraint 'CONFIG_IMA_ARCH_POLICY' not satisfied!
tst_kconfig.c:477: TINFO: Variables:
tst_kconfig.c:495: TINFO:  CONFIG_IMA_ARCH_POLICY=n
ima_conditionals 1 TCONF: Aborting due to unsuitable kernel config, see above!

Instead it's requiring CONFIG_IMA_ARCH_POLICY to be enabled.

Mimi

> 
> >  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
> > b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > index 1bce78d425..df0b8d1532 100644
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > @@ -466,10 +466,11 @@ require_evmctl()
> >  }
> 
> >  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is 
> > enabled") # v6.5-rc4
> > +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
> >  check_need_signed_policy()
> >  {
> >     tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> > -           'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> > +           
> > 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
> >  }
> 
> >  # loop device is needed to use only for tmpfs

Reply via email to