From: kernel test robot <lkp@intel.com>
To: Coiby Xu <coxu@redhat.com>, linux-integrity@vger.kernel.org
Cc: oe-kbuild-all@lists.linux.dev,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Karel Srot <ksrot@redhat.com>, Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ima: Fall back to default kernel module signature verification
Date: Fri, 3 Oct 2025 01:17:30 +0800 [thread overview]
Message-ID: <202510030029.VRKgik99-lkp@intel.com> (raw)
In-Reply-To: <20250928030358.3873311-1-coxu@redhat.com>
Hi Coiby,
kernel test robot noticed the following build errors:
[auto build test ERROR on cec1e6e5d1ab33403b809f79cd20d6aff124ccfe]
url: https://github.com/intel-lab-lkp/linux/commits/Coiby-Xu/ima-Fall-back-to-default-kernel-module-signature-verification/20250928-110501
base: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
patch link: https://lore.kernel.org/r/20250928030358.3873311-1-coxu%40redhat.com
patch subject: [PATCH] ima: Fall back to default kernel module signature verification
config: i386-randconfig-012-20251002 (https://download.01.org/0day-ci/archive/20251003/202510030029.VRKgik99-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251003/202510030029.VRKgik99-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
All errors (new ones prefixed by >>):
ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
>> security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'
vim +587 security/integrity/ima/ima_appraise.c
483
484 /*
485 * ima_appraise_measurement - appraise file measurement
486 *
487 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
488 * Assuming success, compare the xattr hash with the collected measurement.
489 *
490 * Return 0 on success, error code otherwise
491 */
492 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
493 struct file *file, const unsigned char *filename,
494 struct evm_ima_xattr_data *xattr_value,
495 int xattr_len, const struct modsig *modsig)
496 {
497 static const char op[] = "appraise_data";
498 int audit_msgno = AUDIT_INTEGRITY_DATA;
499 const char *cause = "unknown";
500 struct dentry *dentry = file_dentry(file);
501 struct inode *inode = d_backing_inode(dentry);
502 enum integrity_status status = INTEGRITY_UNKNOWN;
503 int rc = xattr_len;
504 bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
505 bool enforce_module_sig = iint->flags & IMA_DIGSIG_REQUIRED && func == MODULE_CHECK;
506
507 /* If not appraising a modsig or using default module verification, we need an xattr. */
508 if (!(inode->i_opflags & IOP_XATTR) && !try_modsig && !enforce_module_sig)
509 return INTEGRITY_UNKNOWN;
510
511 /*
512 * Unlike any of the other LSM hooks where the kernel enforces file
513 * integrity, enforcing file integrity for the bprm_creds_for_exec()
514 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
515 * of the script interpreter(userspace). Differentiate kernel and
516 * userspace enforced integrity audit messages.
517 */
518 if (is_bprm_creds_for_exec(func, file))
519 audit_msgno = AUDIT_INTEGRITY_USERSPACE;
520
521 /* If reading the xattr failed and there's no modsig or module verification, error out. */
522 if (rc <= 0 && !try_modsig && !enforce_module_sig) {
523 if (rc && rc != -ENODATA)
524 goto out;
525
526 if (iint->flags & IMA_DIGSIG_REQUIRED) {
527 if (iint->flags & IMA_VERITY_REQUIRED)
528 cause = "verity-signature-required";
529 else
530 cause = "IMA-signature-required";
531 } else {
532 cause = "missing-hash";
533 }
534
535 status = INTEGRITY_NOLABEL;
536 if (file->f_mode & FMODE_CREATED)
537 iint->flags |= IMA_NEW_FILE;
538 if ((iint->flags & IMA_NEW_FILE) &&
539 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
540 (inode->i_size == 0)))
541 status = INTEGRITY_PASS;
542 goto out;
543 }
544
545 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
546 rc < 0 ? 0 : rc);
547 switch (status) {
548 case INTEGRITY_PASS:
549 case INTEGRITY_PASS_IMMUTABLE:
550 case INTEGRITY_UNKNOWN:
551 break;
552 case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
553 /* Fine to not have xattrs when using a modsig or default module verification. */
554 if (try_modsig || enforce_module_sig)
555 break;
556 fallthrough;
557 case INTEGRITY_NOLABEL: /* No security.evm xattr. */
558 cause = "missing-HMAC";
559 goto out;
560 case INTEGRITY_FAIL_IMMUTABLE:
561 set_bit(IMA_DIGSIG, &iint->atomic_flags);
562 cause = "invalid-fail-immutable";
563 goto out;
564 case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
565 cause = "invalid-HMAC";
566 goto out;
567 default:
568 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
569 }
570
571 if (xattr_value)
572 rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
573 &cause);
574
575 /*
576 * If we have a modsig and either no imasig or the imasig's key isn't
577 * known, then try verifying the modsig.
578 */
579 if (try_modsig &&
580 (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
581 rc == -ENOKEY))
582 rc = modsig_verify(func, modsig, &status, &cause);
583
584 /* Fall back to default kernel module signature verification */
585 if (rc && enforce_module_sig) {
586 rc = 0;
> 587 set_module_sig_enforced();
588 /* CONFIG_MODULE_SIG may be disabled */
589 if (is_module_sig_enforced()) {
590 rc = 0;
591 status = INTEGRITY_PASS;
592 pr_debug("Fall back to default kernel module verification for %s\n", filename);
593 }
594 }
595
596 out:
597 /*
598 * File signatures on some filesystems can not be properly verified.
599 * When such filesystems are mounted by an untrusted mounter or on a
600 * system not willing to accept such a risk, fail the file signature
601 * verification.
602 */
603 if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
604 ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
605 (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
606 status = INTEGRITY_FAIL;
607 cause = "unverifiable-signature";
608 integrity_audit_msg(audit_msgno, inode, filename,
609 op, cause, rc, 0);
610 } else if (status != INTEGRITY_PASS) {
611 /* Fix mode, but don't replace file signatures. */
612 if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
613 (!xattr_value ||
614 xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
615 if (!ima_fix_xattr(dentry, iint))
616 status = INTEGRITY_PASS;
617 }
618
619 /*
620 * Permit new files with file/EVM portable signatures, but
621 * without data.
622 */
623 if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
624 test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
625 status = INTEGRITY_PASS;
626 }
627
628 integrity_audit_msg(audit_msgno, inode, filename,
629 op, cause, rc, 0);
630 } else {
631 ima_cache_flags(iint, func);
632 }
633
634 ima_set_cache_status(iint, func, status);
635 return status;
636 }
637
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next prev parent reply other threads:[~2025-10-02 17:18 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-28 3:03 [PATCH] ima: Fall back to default kernel module signature verification Coiby Xu
2025-09-30 13:57 ` Mimi Zohar
2025-09-30 20:28 ` Mimi Zohar
2025-10-16 3:46 ` Coiby Xu
2025-10-17 2:31 ` Mimi Zohar
2025-10-17 3:19 ` Coiby Xu
2025-10-17 17:49 ` Mimi Zohar
2025-10-17 23:19 ` Coiby Xu
2025-10-20 12:21 ` Mimi Zohar
2025-10-20 12:45 ` Roberto Sassu
2025-10-20 13:57 ` Mimi Zohar
2025-10-30 0:33 ` Coiby Xu
2025-10-24 15:16 ` Mimi Zohar
2025-10-30 0:31 ` Coiby Xu
2025-10-30 3:01 ` Mimi Zohar
2025-10-30 13:42 ` Coiby Xu
2025-10-30 16:50 ` Mimi Zohar
2025-10-31 7:58 ` Coiby Xu
2025-10-02 17:17 ` kernel test robot [this message]
2025-10-16 3:51 ` Coiby Xu
2025-10-31 7:40 ` [PATCH v2] lsm,ima: new LSM hook security_kernel_module_read_file to access decompressed kernel module Coiby Xu
2025-11-01 16:50 ` Paul Moore
2025-11-02 15:05 ` Mimi Zohar
2025-11-02 15:43 ` Paul Moore
2025-11-05 0:18 ` Coiby Xu
2025-11-05 2:47 ` Paul Moore
2025-11-05 14:07 ` Mimi Zohar
2025-11-05 15:42 ` Paul Moore
2025-11-05 20:25 ` Mimi Zohar
2025-11-06 13:35 ` Coiby Xu
2025-11-05 20:47 ` Mimi Zohar
2025-11-06 13:29 ` Coiby Xu
2025-11-06 22:15 ` Mimi Zohar
2025-11-07 19:28 ` Mimi Zohar
2025-11-13 4:06 ` Coiby Xu
2025-11-18 12:19 ` Mimi Zohar
2025-11-19 3:52 ` Coiby Xu
2025-11-19 3:47 ` [PATCH v3] ima: Access decompressed kernel module to verify appended signature Coiby Xu
2025-11-19 13:29 ` Mimi Zohar
2025-11-19 14:05 ` Coiby Xu
2025-11-19 14:03 ` [PATCH v4] " Coiby Xu
2025-11-19 15:29 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202510030029.VRKgik99-lkp@intel.com \
--to=lkp@intel.com \
--cc=coxu@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=ksrot@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.