git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Coiby Xu <coxu@redhat.com>
	Mon, 1 Dec 2025 03:06:05 +0000 (11:06 +0800)
committer	Sami Tolvanen <samitolvanen@google.com>
	Mon, 22 Dec 2025 16:35:54 +0000 (16:35 +0000)
commit	1ae719a43b0336678172b3eb55c5187816f9a130
tree	d9cd7a53aae9cbeed1982c94282b7cfc08f57ea6	tree
parent	68e85558587e6bbb5c3ea3c8b4c71ab852e4b53e	commit \| diff

module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y

Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n
e.g. [1], it can lead to a linking error,

ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'

This happens because the actual implementation of
set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the
function declaration and the empty stub definition are tied to
CONFIG_MODULES.

So bind set_module_sig_enforced to CONFIG_MODULE_SIG instead. This
allows (future) users to call set_module_sig_enforced directly without
the "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.

Note this issue hasn't caused a real problem because all current callers
of set_module_sig_enforced e.g. security/integrity/ima/ima_efi.c
use "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.

[1] https://lore.kernel.org/lkml/20250928030358.3873311-1-coxu@redhat.com/

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>