Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement

Wed, 28 Jan 2026 04:55:08 -0800 

Hi Mimi,

> Hi Petr,

> On Tue, 2026-01-27 at 14:17 +0100, Petr Vorel wrote:
> > Hi Mimi, all,

> > > Kernel code in arch_get_ima_policy() depends also on
> > > CONFIG_IMA_ARCH_POLICY added in v5.0:
> > > d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")

> > > Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to 
> > > be signed")
> > > Suggested-by: Mimi Zohar <[email protected]>
> > > Signed-off-by: Petr Vorel <[email protected]>
> > > ---
> > > Hi Mimi, all,

> > > FYI I'd like to merge it this week to get it into LTP release.

> > > Kind regards,
> > > Petr

> > I dared to merge this to get it into upcoming LTP release (this/next week).

> I'm so sorry for the delay.

> Only if CONFIG_IMA_ARCH_POLICY IS configured, should check_need_signed_policy 
> be
> set to true and the test skipped.  However, I'm seeing:

> tst_kconfig.c:531: TINFO: Constraint 'CONFIG_IMA_ARCH_POLICY' not satisfied!
> tst_kconfig.c:477: TINFO: Variables:
> tst_kconfig.c:495: TINFO:  CONFIG_IMA_ARCH_POLICY=n
> ima_conditionals 1 TCONF: Aborting due to unsuitable kernel config, see above!

> Instead it's requiring CONFIG_IMA_ARCH_POLICY to be enabled.

Thanks for the report. I'm sorry, I should have used tst_check_kconfigs binary
directly, I'll send a fix shortly.

Kind regards,
Petr

> Mimi


> > >  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)

> > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
> > > b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > index 1bce78d425..df0b8d1532 100644
> > > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > @@ -466,10 +466,11 @@ require_evmctl()
> > >  }

> > >  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot 
> > > is enabled") # v6.5-rc4
> > > +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
> > >  check_need_signed_policy()
> > >  {
> > >   tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> > > -         'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> > > +         
> > > 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
> > >  }

> > >  # loop device is needed to use only for tmpfs

Reply via email to