On Fri, Oct 03, 2025 at 01:17:30AM +0800, kernel test robot wrote:
Hi Coiby,
Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on cec1e6e5d1ab33403b809f79cd20d6aff124ccfe]
url:
https://github.com/intel-lab-lkp/linux/commits/Coiby-Xu/ima-Fall-back-to-default-kernel-module-signature-verification/20250928-110501
base: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
patch link:
https://lore.kernel.org/r/20250928030358.3873311-1-coxu%40redhat.com
patch subject: [PATCH] ima: Fall back to default kernel module signature
verification
config: i386-randconfig-012-20251002
(https://download.01.org/0day-ci/archive/20251003/[email protected]/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build):
(https://download.01.org/0day-ci/archive/20251003/[email protected]/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <[email protected]>
| Closes:
https://lore.kernel.org/oe-kbuild-all/[email protected]/
All errors (new ones prefixed by >>):
ld: security/integrity/ima/ima_appraise.o: in function
`ima_appraise_measurement':
security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to
`set_module_sig_enforced'
Thanks for reporting the error! This happens when
set_module_sig_enforced is called without CONFIG_MODULE_SIG not enabled.
I'll address this issue by declaring set_module_sig_enforced only when
CONFIG_MODULE_SIG is enabled.
vim +587 security/integrity/ima/ima_appraise.c
483
484 /*
485 * ima_appraise_measurement - appraise file measurement
486 *
487 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
488 * Assuming success, compare the xattr hash with the collected
measurement.
489 *
490 * Return 0 on success, error code otherwise
491 */
492 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache
*iint,
493 struct file *file, const unsigned char
*filename,
494 struct evm_ima_xattr_data *xattr_value,
495 int xattr_len, const struct modsig *modsig)
496 {
497 static const char op[] = "appraise_data";
498 int audit_msgno = AUDIT_INTEGRITY_DATA;
499 const char *cause = "unknown";
500 struct dentry *dentry = file_dentry(file);
501 struct inode *inode = d_backing_inode(dentry);
502 enum integrity_status status = INTEGRITY_UNKNOWN;
503 int rc = xattr_len;
504 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
505 bool enforce_module_sig = iint->flags & IMA_DIGSIG_REQUIRED &&
func == MODULE_CHECK;
506
507 /* If not appraising a modsig or using default module
verification, we need an xattr. */
508 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig &&
!enforce_module_sig)
509 return INTEGRITY_UNKNOWN;
510
511 /*
512 * Unlike any of the other LSM hooks where the kernel enforces
file
513 * integrity, enforcing file integrity for the
bprm_creds_for_exec()
514 * LSM hook with the AT_EXECVE_CHECK flag is left up to the
discretion
515 * of the script interpreter(userspace). Differentiate kernel
and
516 * userspace enforced integrity audit messages.
517 */
518 if (is_bprm_creds_for_exec(func, file))
519 audit_msgno = AUDIT_INTEGRITY_USERSPACE;
520
521 /* If reading the xattr failed and there's no modsig or module
verification, error out. */
522 if (rc <= 0 && !try_modsig && !enforce_module_sig) {
523 if (rc && rc != -ENODATA)
524 goto out;
525
526 if (iint->flags & IMA_DIGSIG_REQUIRED) {
527 if (iint->flags & IMA_VERITY_REQUIRED)
528 cause = "verity-signature-required";
529 else
530 cause = "IMA-signature-required";
531 } else {
532 cause = "missing-hash";
533 }
534
535 status = INTEGRITY_NOLABEL;
536 if (file->f_mode & FMODE_CREATED)
537 iint->flags |= IMA_NEW_FILE;
538 if ((iint->flags & IMA_NEW_FILE) &&
539 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
540 (inode->i_size == 0)))
541 status = INTEGRITY_PASS;
542 goto out;
543 }
544
545 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
546 rc < 0 ? 0 : rc);
547 switch (status) {
548 case INTEGRITY_PASS:
549 case INTEGRITY_PASS_IMMUTABLE:
550 case INTEGRITY_UNKNOWN:
551 break;
552 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
553 /* Fine to not have xattrs when using a modsig or
default module verification. */
554 if (try_modsig || enforce_module_sig)
555 break;
556 fallthrough;
557 case INTEGRITY_NOLABEL: /* No security.evm xattr. */
558 cause = "missing-HMAC";
559 goto out;
560 case INTEGRITY_FAIL_IMMUTABLE:
561 set_bit(IMA_DIGSIG, &iint->atomic_flags);
562 cause = "invalid-fail-immutable";
563 goto out;
564 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
565 cause = "invalid-HMAC";
566 goto out;
567 default:
568 WARN_ONCE(true, "Unexpected integrity status %d\n",
status);
569 }
570
571 if (xattr_value)
572 rc = xattr_verify(func, iint, xattr_value, xattr_len,
&status,
573 &cause);
574
575 /*
576 * If we have a modsig and either no imasig or the imasig's key
isn't
577 * known, then try verifying the modsig.
578 */
579 if (try_modsig &&
580 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
581 rc == -ENOKEY))
582 rc = modsig_verify(func, modsig, &status, &cause);
583
584 /* Fall back to default kernel module signature verification */
585 if (rc && enforce_module_sig) {
586 rc = 0;
> 587 set_module_sig_enforced();
588 /* CONFIG_MODULE_SIG may be disabled */
589 if (is_module_sig_enforced()) {
590 rc = 0;
591 status = INTEGRITY_PASS;
592 pr_debug("Fall back to default kernel module
verification for %s\n", filename);
593 }
594 }
595
596 out:
597 /*
598 * File signatures on some filesystems can not be properly
verified.
599 * When such filesystems are mounted by an untrusted mounter or
on a
600 * system not willing to accept such a risk, fail the file
signature
601 * verification.
602 */
603 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
604 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
605 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
606 status = INTEGRITY_FAIL;
607 cause = "unverifiable-signature";
608 integrity_audit_msg(audit_msgno, inode, filename,
609 op, cause, rc, 0);
610 } else if (status != INTEGRITY_PASS) {
611 /* Fix mode, but don't replace file signatures. */
612 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
613 (!xattr_value ||
614 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
615 if (!ima_fix_xattr(dentry, iint))
616 status = INTEGRITY_PASS;
617 }
618
619 /*
620 * Permit new files with file/EVM portable signatures,
but
621 * without data.
622 */
623 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
624 test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
625 status = INTEGRITY_PASS;
626 }
627
628 integrity_audit_msg(audit_msgno, inode, filename,
629 op, cause, rc, 0);
630 } else {
631 ima_cache_flags(iint, func);
632 }
633
634 ima_set_cache_status(iint, func, status);
635 return status;
636 }
637
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
--
Best regards,
Coiby
