summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2021-05-01 15:32:18 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2021-05-01 15:32:18 -0700
commite6f0bf09f0669b3c2cd77fa906830123279a0a21 (patch)
tree57aed6ff25d40e31f129b934403c7fac7a8cc8c8 /init
parent10a3efd0fee5e881b1866cf45950808575cb0f24 (diff)
parent781a5739489949fd0f32432a9da17f7ddbccf1cc (diff)
downloadlinux-e6f0bf09f0669b3c2cd77fa906830123279a0a21.tar.bz2
Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA updates from Mimi Zohar: "In addition to loading the kernel module signing key onto the builtin keyring, load it onto the IMA keyring as well. Also six trivial changes and bug fixes" * tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies ima: Fix fall-through warnings for Clang integrity: Add declarations to init_once void arguments. ima: Fix function name error in comment. ima: enable loading of build time generated key on .ima keyring ima: enable signing of modules with build time generated key keys: cleanup build time module signing keys ima: Fix the error code for restoring the PCR value ima: without an IMA policy loaded, return quickly
Diffstat (limited to 'init')
-rw-r--r--init/Kconfig6
1 files changed, 3 insertions, 3 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 9acb7762e971..b71bf0cf5688 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2182,7 +2182,7 @@ config MODULE_SIG_FORCE
config MODULE_SIG_ALL
bool "Automatically sign all modules"
default y
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Sign all modules during make modules_install. Without this option,
modules must be signed manually, using the scripts/sign-file tool.
@@ -2192,7 +2192,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
choice
prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
This determines which sort of hashing algorithm will be used during
signature generation. This algorithm _must_ be built into the kernel
@@ -2224,7 +2224,7 @@ endchoice
config MODULE_SIG_HASH
string
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
default "sha1" if MODULE_SIG_SHA1
default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256