diff options
| author | Coiby Xu <coxu@redhat.com> | 2025-12-01 11:06:05 +0800 |
|---|---|---|
| committer | Sami Tolvanen <samitolvanen@google.com> | 2025-12-22 16:35:54 +0000 |
| commit | 1ae719a43b0336678172b3eb55c5187816f9a130 (patch) | |
| tree | d9cd7a53aae9cbeed1982c94282b7cfc08f57ea6 /include/linux/moduleparam.h | |
| parent | 68e85558587e6bbb5c3ea3c8b4c71ab852e4b53e (diff) | |
module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n
e.g. [1], it can lead to a linking error,
ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'
This happens because the actual implementation of
set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the
function declaration and the empty stub definition are tied to
CONFIG_MODULES.
So bind set_module_sig_enforced to CONFIG_MODULE_SIG instead. This
allows (future) users to call set_module_sig_enforced directly without
the "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.
Note this issue hasn't caused a real problem because all current callers
of set_module_sig_enforced e.g. security/integrity/ima/ima_efi.c
use "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.
[1] https://lore.kernel.org/lkml/20250928030358.3873311-1-coxu@redhat.com/
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Diffstat (limited to 'include/linux/moduleparam.h')
0 files changed, 0 insertions, 0 deletions