[PATCH] ima_setup.sh: Fix check of signed policy requirement

public inbox for linux-integrity@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ima_setup.sh: Fix check of signed policy requirement
@ 2026-01-21  8:33 Petr Vorel
  2026-01-27 13:17 ` Petr Vorel
  0 siblings, 1 reply; 4+ messages in thread
From: Petr Vorel @ 2026-01-21  8:33 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Kernel code in arch_get_ima_policy() depends also on
CONFIG_IMA_ARCH_POLICY added in v5.0:
d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")

Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to be signed")
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi Mimi, all,

FYI I'd like to merge it this week to get it into LTP release.

Kind regards,
Petr

 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 1bce78d425..df0b8d1532 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -466,10 +466,11 @@ require_evmctl()
 }
 
 # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
+# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
 check_need_signed_policy()
 {
 	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
-		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
+		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
 }
 
 # loop device is needed to use only for tmpfs
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement
  2026-01-21  8:33 [PATCH] ima_setup.sh: Fix check of signed policy requirement Petr Vorel
@ 2026-01-27 13:17 ` Petr Vorel
  2026-01-27 18:24   ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Petr Vorel @ 2026-01-27 13:17 UTC (permalink / raw)
  To: ltp; +Cc: Mimi Zohar, linux-integrity

Hi Mimi, all,

> Kernel code in arch_get_ima_policy() depends also on
> CONFIG_IMA_ARCH_POLICY added in v5.0:
> d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")

> Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to be signed")
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Hi Mimi, all,

> FYI I'd like to merge it this week to get it into LTP release.

> Kind regards,
> Petr

I dared to merge this to get it into upcoming LTP release (this/next week).

Kind regards,
Petr

>  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 1bce78d425..df0b8d1532 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -466,10 +466,11 @@ require_evmctl()
>  }

>  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
> +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
>  check_need_signed_policy()
>  {
>  	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> -		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> +		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
>  }

>  # loop device is needed to use only for tmpfs

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement
  2026-01-27 13:17 ` Petr Vorel
@ 2026-01-27 18:24   ` Mimi Zohar
  2026-01-28 12:51     ` Petr Vorel
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2026-01-27 18:24 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

Hi Petr,

On Tue, 2026-01-27 at 14:17 +0100, Petr Vorel wrote:
> Hi Mimi, all,
> 
> > Kernel code in arch_get_ima_policy() depends also on
> > CONFIG_IMA_ARCH_POLICY added in v5.0:
> > d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")
> 
> > Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to be signed")
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > ---
> > Hi Mimi, all,
> 
> > FYI I'd like to merge it this week to get it into LTP release.
> 
> > Kind regards,
> > Petr
> 
> I dared to merge this to get it into upcoming LTP release (this/next week).

I'm so sorry for the delay.

Only if CONFIG_IMA_ARCH_POLICY IS configured, should check_need_signed_policy be
set to true and the test skipped.  However, I'm seeing:

tst_kconfig.c:531: TINFO: Constraint 'CONFIG_IMA_ARCH_POLICY' not satisfied!
tst_kconfig.c:477: TINFO: Variables:
tst_kconfig.c:495: TINFO:  CONFIG_IMA_ARCH_POLICY=n
ima_conditionals 1 TCONF: Aborting due to unsuitable kernel config, see above!

Instead it's requiring CONFIG_IMA_ARCH_POLICY to be enabled.

Mimi

> 
> >  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > index 1bce78d425..df0b8d1532 100644
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > @@ -466,10 +466,11 @@ require_evmctl()
> >  }
> 
> >  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
> > +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
> >  check_need_signed_policy()
> >  {
> >  	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> > -		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> > +		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
> >  }
> 
> >  # loop device is needed to use only for tmpfs

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima_setup.sh: Fix check of signed policy requirement
  2026-01-27 18:24   ` Mimi Zohar
@ 2026-01-28 12:51     ` Petr Vorel
  0 siblings, 0 replies; 4+ messages in thread
From: Petr Vorel @ 2026-01-28 12:51 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: ltp, linux-integrity

Hi Mimi,

> Hi Petr,

> On Tue, 2026-01-27 at 14:17 +0100, Petr Vorel wrote:
> > Hi Mimi, all,

> > > Kernel code in arch_get_ima_policy() depends also on
> > > CONFIG_IMA_ARCH_POLICY added in v5.0:
> > > d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86")

> > > Fixes: c38b528783 ("ima_{conditionals, policy}: Handle policy required to be signed")
> > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > > ---
> > > Hi Mimi, all,

> > > FYI I'd like to merge it this week to get it into LTP release.

> > > Kind regards,
> > > Petr

> > I dared to merge this to get it into upcoming LTP release (this/next week).

> I'm so sorry for the delay.

> Only if CONFIG_IMA_ARCH_POLICY IS configured, should check_need_signed_policy be
> set to true and the test skipped.  However, I'm seeing:

> tst_kconfig.c:531: TINFO: Constraint 'CONFIG_IMA_ARCH_POLICY' not satisfied!
> tst_kconfig.c:477: TINFO: Variables:
> tst_kconfig.c:495: TINFO:  CONFIG_IMA_ARCH_POLICY=n
> ima_conditionals 1 TCONF: Aborting due to unsuitable kernel config, see above!

> Instead it's requiring CONFIG_IMA_ARCH_POLICY to be enabled.

Thanks for the report. I'm sorry, I should have used tst_check_kconfigs binary
directly, I'll send a fix shortly.

Kind regards,
Petr

> Mimi


> > >  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)

> > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > index 1bce78d425..df0b8d1532 100644
> > > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > @@ -466,10 +466,11 @@ require_evmctl()
> > >  }

> > >  # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
> > > +# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
> > >  check_need_signed_policy()
> > >  {
> > >  	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
> > > -		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
> > > +		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
> > >  }

> > >  # loop device is needed to use only for tmpfs

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-01-28 12:52 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-21  8:33 [PATCH] ima_setup.sh: Fix check of signed policy requirement Petr Vorel
2026-01-27 13:17 ` Petr Vorel
2026-01-27 18:24   ` Mimi Zohar
2026-01-28 12:51     ` Petr Vorel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox