Message-ID: <barlwlddbdnk5ke2a4zbu7ckfzjssfo7lc4w6ffsg2cl6c7rmn@buuhox6wd6zt>
Date: Thu, 16 Oct 2025 11:51:23 +0800
From: Coiby Xu <coxu@...hat.com>
To: kernel test robot <lkp@...el.com>
Cc: linux-integrity@...r.kernel.org, oe-kbuild-all@...ts.linux.dev, 
	Dmitry Torokhov <dmitry.torokhov@...il.com>, Karel Srot <ksrot@...hat.com>, Mimi Zohar <zohar@...ux.ibm.com>, 
	Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, 
	Eric Snowberg <eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ima: Fall back to default kernel module signature
 verification

On Fri, Oct 03, 2025 at 01:17:30AM +0800, kernel test robot wrote:
>Hi Coiby,

Hi,

>
>kernel test robot noticed the following build errors:
>
>[auto build test ERROR on cec1e6e5d1ab33403b809f79cd20d6aff124ccfe]
>
>url:    https://github.com/intel-lab-lkp/linux/commits/Coiby-Xu/ima-Fall-back-to-default-kernel-module-signature-verification/20250928-110501
>base:   cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
>patch link:    https://lore.kernel.org/r/20250928030358.3873311-1-coxu%40redhat.com
>patch subject: [PATCH] ima: Fall back to default kernel module signature verification
>config: i386-randconfig-012-20251002 (https://download.01.org/0day-ci/archive/20251003/202510030029.VRKgik99-lkp@intel.com/config)
>compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
>reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251003/202510030029.VRKgik99-lkp@intel.com/reproduce)
>
>If you fix the issue in a separate patch/commit (i.e. not just a new version of
>the same patch/commit), kindly add following tags
>| Reported-by: kernel test robot <lkp@...el.com>
>| Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
>
>All errors (new ones prefixed by >>):
>
>   ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
>>> security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'

Thanks for reporting the error! This happens when
set_module_sig_enforced is called while CONFIG_MODULE_SIG is not enabled.
I'll address this issue by declaring set_module_sig_enforced only when
CONFIG_MODULE_SIG is enabled.

>
>
>vim +587 security/integrity/ima/ima_appraise.c
>
>   483	
>   484	/*
>   485	 * ima_appraise_measurement - appraise file measurement
>   486	 *
>   487	 * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
>   488	 * Assuming success, compare the xattr hash with the collected measurement.
>      	 * A signature appended to the module itself (modsig) may be tried when
>      	 * the xattr signature is absent or its key is unknown. For MODULE_CHECK
>      	 * with a required signature, a failed appraisal falls back to the
>      	 * kernel's own module signature verification (see below).
>      	 *
>      	 * @func: IMA hook being appraised
>      	 * @iint: per-inode integrity cache; its flags and cached status are updated
>      	 * @file: file being appraised
>      	 * @filename: name used in audit and debug output
>      	 * @xattr_value: parsed 'security.ima' xattr, or NULL
>      	 * @xattr_len: length of the xattr, or a negative errno from reading it
>      	 * @modsig: appended module signature, or NULL
>   489	 *
>   490	 * Return the resulting integrity status (INTEGRITY_PASS on success);
>      	 * the same status is recorded in the iint cache for @func.
>   491	 */
>   492	int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
>   493				     struct file *file, const unsigned char *filename,
>   494				     struct evm_ima_xattr_data *xattr_value,
>   495				     int xattr_len, const struct modsig *modsig)
>   496	{
>   497		static const char op[] = "appraise_data";
>   498		int audit_msgno = AUDIT_INTEGRITY_DATA;
>   499		const char *cause = "unknown";
>   500		struct dentry *dentry = file_dentry(file);
>   501		struct inode *inode = d_backing_inode(dentry);
>   502		enum integrity_status status = INTEGRITY_UNKNOWN;
>   503		int rc = xattr_len;
>   504		bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
>      		/* Kernel module with a required signature: eligible for the fallback below. */
>   505		bool enforce_module_sig = iint->flags & IMA_DIGSIG_REQUIRED && func == MODULE_CHECK;
>   506	
>   507		/* If not appraising a modsig or using default module verification, we need an xattr. */
>   508		if (!(inode->i_opflags & IOP_XATTR) && !try_modsig && !enforce_module_sig)
>   509			return INTEGRITY_UNKNOWN;
>   510	
>   511		/*
>   512		 * Unlike any of the other LSM hooks where the kernel enforces file
>   513		 * integrity, enforcing file integrity for the bprm_creds_for_exec()
>   514		 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
>   515		 * of the script interpreter(userspace). Differentiate kernel and
>   516		 * userspace enforced integrity audit messages.
>   517		 */
>   518		if (is_bprm_creds_for_exec(func, file))
>   519			audit_msgno = AUDIT_INTEGRITY_USERSPACE;
>   520	
>   521		/* If reading the xattr failed and there's no modsig or module verification, error out. */
>   522		if (rc <= 0 && !try_modsig && !enforce_module_sig) {
>   523			if (rc && rc != -ENODATA)
>   524				goto out;
>   525	
>   526			if (iint->flags & IMA_DIGSIG_REQUIRED) {
>   527				if (iint->flags & IMA_VERITY_REQUIRED)
>   528					cause = "verity-signature-required";
>   529				else
>   530					cause = "IMA-signature-required";
>   531			} else {
>   532				cause = "missing-hash";
>   533			}
>   534	
>   535			status = INTEGRITY_NOLABEL;
>   536			if (file->f_mode & FMODE_CREATED)
>   537				iint->flags |= IMA_NEW_FILE;
>   538			if ((iint->flags & IMA_NEW_FILE) &&
>   539			    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
>   540			     (inode->i_size == 0)))
>   541				status = INTEGRITY_PASS;
>   542			goto out;
>   543		}
>   544	
>      		/* A negative rc here means the xattr read failed; pass a zero length. */
>   545		status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
>   546					 rc < 0 ? 0 : rc);
>   547		switch (status) {
>   548		case INTEGRITY_PASS:
>   549		case INTEGRITY_PASS_IMMUTABLE:
>   550		case INTEGRITY_UNKNOWN:
>   551			break;
>   552		case INTEGRITY_NOXATTRS:	/* No EVM protected xattrs. */
>   553			/* Fine to not have xattrs when using a modsig or default module verification. */
>   554			if (try_modsig || enforce_module_sig)
>   555				break;
>   556			fallthrough;
>   557		case INTEGRITY_NOLABEL:		/* No security.evm xattr. */
>   558			cause = "missing-HMAC";
>   559			goto out;
>   560		case INTEGRITY_FAIL_IMMUTABLE:
>   561			set_bit(IMA_DIGSIG, &iint->atomic_flags);
>   562			cause = "invalid-fail-immutable";
>   563			goto out;
>   564		case INTEGRITY_FAIL:		/* Invalid HMAC/signature. */
>   565			cause = "invalid-HMAC";
>   566			goto out;
>   567		default:
>   568			WARN_ONCE(true, "Unexpected integrity status %d\n", status);
>   569		}
>   570	
>   571		if (xattr_value)
>   572			rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
>   573					  &cause);
>   574	
>   575		/*
>   576		 * If we have a modsig and either no imasig or the imasig's key isn't
>   577		 * known, then try verifying the modsig.
>   578		 */
>   579		if (try_modsig &&
>   580		    (!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
>   581		     rc == -ENOKEY))
>   582			rc = modsig_verify(func, modsig, &status, &cause);
>   583	
>   584		/*
>      		 * Fall back to default kernel module signature verification.
>      		 *
>      		 * NOTE(review): rc is cleared before is_module_sig_enforced() is
>      		 * consulted, so when the fallback does not apply the audit record
>      		 * emitted at 'out' reports rc == 0 against a non-PASS status, and
>      		 * the inner rc = 0 is redundant. Confirm whether the first
>      		 * assignment belongs inside the if.
>      		 *
>      		 * NOTE(review): set_module_sig_enforced() changes module signature
>      		 * enforcement system-wide as a side effect of appraising one file;
>      		 * confirm that is intended rather than only querying
>      		 * is_module_sig_enforced(). Its definition also depends on
>      		 * CONFIG_MODULE_SIG (the linker error reported in this thread is on
>      		 * this call).
>      		 */
>   585		if (rc && enforce_module_sig) {
>   586			rc = 0;
> > 587			set_module_sig_enforced();
>   588			/* CONFIG_MODULE_SIG may be disabled */
>   589			if (is_module_sig_enforced()) {
>   590				rc = 0;
>   591				status = INTEGRITY_PASS;
>   592				pr_debug("Fall back to default kernel module verification for %s\n", filename);
>   593			}
>   594		}
>   595	
>   596	out:
>   597		/*
>   598		 * File signatures on some filesystems can not be properly verified.
>   599		 * When such filesystems are mounted by an untrusted mounter or on a
>   600		 * system not willing to accept such a risk, fail the file signature
>   601		 * verification.
>   602		 */
>   603		if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
>   604		    ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
>   605		     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
>   606			status = INTEGRITY_FAIL;
>   607			cause = "unverifiable-signature";
>   608			integrity_audit_msg(audit_msgno, inode, filename,
>   609					    op, cause, rc, 0);
>   610		} else if (status != INTEGRITY_PASS) {
>   611			/* Fix mode, but don't replace file signatures. */
>   612			if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
>   613			    (!xattr_value ||
>   614			     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
>   615				if (!ima_fix_xattr(dentry, iint))
>   616					status = INTEGRITY_PASS;
>   617			}
>   618	
>   619			/*
>   620			 * Permit new files with file/EVM portable signatures, but
>   621			 * without data.
>   622			 */
>   623			if (inode->i_size == 0 && iint->flags & IMA_NEW_FILE &&
>   624			    test_bit(IMA_DIGSIG, &iint->atomic_flags)) {
>   625				status = INTEGRITY_PASS;
>   626			}
>   627	
>   628			integrity_audit_msg(audit_msgno, inode, filename,
>   629					    op, cause, rc, 0);
>   630		} else {
>   631			ima_cache_flags(iint, func);
>   632		}
>   633	
>      		/* Record the outcome for this hook so later appraisals can reuse it. */
>   634		ima_set_cache_status(iint, func, status);
>   635		return status;
>   636	}
>   637	
>
>-- 
>0-DAY CI Kernel Test Service
>https://github.com/intel/lkp-tests/wiki
>

-- 
Best regards,
Coiby

