[mcgrof:modules-testing 7/14] security/integrity/ima/ima_main.c:799: undefined reference to `is_module_sig_enforced'
From: kernel test robot
Date: Tue Mar 01 2022 - 03:53:14 EST
tree: https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git modules-testing
head: 8ca5e1dab7c3e51c63f07cd86e004a4df9ac7e76
commit: 6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c [7/14] module: Move extra signature support out of core code
config: i386-randconfig-c001 (https://download.01.org/0day-ci/archive/20220301/202203011657.jvIKXd3v-lkp@xxxxxxxxx/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/commit/?id=6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c
git remote add mcgrof https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git
git fetch --no-tags mcgrof modules-testing
git checkout 6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c
# save the config file to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
All errors (new ones prefixed by >>):
ld: security/integrity/ima/ima_main.o: in function `ima_load_data':
>> security/integrity/ima/ima_main.c:799: undefined reference to `is_module_sig_enforced'
vim +799 security/integrity/ima/ima_main.c
5a9196d715607f Mimi Zohar 2014-07-22 759
16c267aac86b46 Mimi Zohar 2018-07-13 760 /**
16c267aac86b46 Mimi Zohar 2018-07-13 761 * ima_load_data - appraise decision based on policy
16c267aac86b46 Mimi Zohar 2018-07-13 762 * @id: kernel load data caller identifier
b64fcae74b6d69 Kees Cook 2020-10-02 763 * @contents: whether the full contents will be available in a later
b64fcae74b6d69 Kees Cook 2020-10-02 764 * call to ima_post_load_data().
16c267aac86b46 Mimi Zohar 2018-07-13 765 *
16c267aac86b46 Mimi Zohar 2018-07-13 766 * Callers of this LSM hook can not measure, appraise, or audit the
16c267aac86b46 Mimi Zohar 2018-07-13 767 * data provided by userspace. Enforce policy rules requring a file
16c267aac86b46 Mimi Zohar 2018-07-13 768 * signature (eg. kexec'ed kernel image).
16c267aac86b46 Mimi Zohar 2018-07-13 769 *
16c267aac86b46 Mimi Zohar 2018-07-13 770 * For permission return 0, otherwise return -EACCES.
16c267aac86b46 Mimi Zohar 2018-07-13 771 */
b64fcae74b6d69 Kees Cook 2020-10-02 772 int ima_load_data(enum kernel_load_data_id id, bool contents)
16c267aac86b46 Mimi Zohar 2018-07-13 773 {
b5ca117365d960 Nayna Jain 2018-10-09 774 bool ima_enforce, sig_enforce;
c77b8cdf745d91 Mimi Zohar 2018-07-13 775
b5ca117365d960 Nayna Jain 2018-10-09 776 ima_enforce =
b5ca117365d960 Nayna Jain 2018-10-09 777 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
16c267aac86b46 Mimi Zohar 2018-07-13 778
16c267aac86b46 Mimi Zohar 2018-07-13 779 switch (id) {
16c267aac86b46 Mimi Zohar 2018-07-13 780 case LOADING_KEXEC_IMAGE:
99d5cadfde2b1a Jiri Bohac 2019-08-19 781 if (IS_ENABLED(CONFIG_KEXEC_SIG)
b5ca117365d960 Nayna Jain 2018-10-09 782 && arch_ima_get_secureboot()) {
b5ca117365d960 Nayna Jain 2018-10-09 783 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
b5ca117365d960 Nayna Jain 2018-10-09 784 return -EACCES;
b5ca117365d960 Nayna Jain 2018-10-09 785 }
b5ca117365d960 Nayna Jain 2018-10-09 786
b5ca117365d960 Nayna Jain 2018-10-09 787 if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
16c267aac86b46 Mimi Zohar 2018-07-13 788 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
16c267aac86b46 Mimi Zohar 2018-07-13 789 return -EACCES; /* INTEGRITY_UNKNOWN */
16c267aac86b46 Mimi Zohar 2018-07-13 790 }
fed2512a7ccc8f Mimi Zohar 2018-07-13 791 break;
fed2512a7ccc8f Mimi Zohar 2018-07-13 792 case LOADING_FIRMWARE:
4f2d99b06b7380 Kees Cook 2020-10-02 793 if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
fed2512a7ccc8f Mimi Zohar 2018-07-13 794 pr_err("Prevent firmware sysfs fallback loading.\n");
fed2512a7ccc8f Mimi Zohar 2018-07-13 795 return -EACCES; /* INTEGRITY_UNKNOWN */
fed2512a7ccc8f Mimi Zohar 2018-07-13 796 }
c77b8cdf745d91 Mimi Zohar 2018-07-13 797 break;
c77b8cdf745d91 Mimi Zohar 2018-07-13 798 case LOADING_MODULE:
c77b8cdf745d91 Mimi Zohar 2018-07-13 @799 sig_enforce = is_module_sig_enforced();
c77b8cdf745d91 Mimi Zohar 2018-07-13 800
b5ca117365d960 Nayna Jain 2018-10-09 801 if (ima_enforce && (!sig_enforce
b5ca117365d960 Nayna Jain 2018-10-09 802 && (ima_appraise & IMA_APPRAISE_MODULES))) {
c77b8cdf745d91 Mimi Zohar 2018-07-13 803 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
c77b8cdf745d91 Mimi Zohar 2018-07-13 804 return -EACCES; /* INTEGRITY_UNKNOWN */
c77b8cdf745d91 Mimi Zohar 2018-07-13 805 }
28073eb09c5aa2 Gustavo A. R. Silva 2020-11-20 806 break;
16c267aac86b46 Mimi Zohar 2018-07-13 807 default:
16c267aac86b46 Mimi Zohar 2018-07-13 808 break;
16c267aac86b46 Mimi Zohar 2018-07-13 809 }
16c267aac86b46 Mimi Zohar 2018-07-13 810 return 0;
16c267aac86b46 Mimi Zohar 2018-07-13 811 }
16c267aac86b46 Mimi Zohar 2018-07-13 812
:::::: The code at line 799 was first introduced by commit
:::::: c77b8cdf745d91eca138e7bfa430dc6640b604a0 module: replace the existing LSM hook in init_module
:::::: TO: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
:::::: CC: James Morris <james.morris@xxxxxxxxxxxxx>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx