From: Arnd Bergmann <arnd@xxxxxxxx>
When module support is disabled, CONFIG_MODULE_SIG_HASH cannot
be set either, so the build process fails with an error
certs/Makefile:52: *** Could not determine digest type to use from kernel config. Stop.
when IMA_APPRAISE_MODSIG is set but modules are not.
Add a Kconfig dependency to prevent this configuration.
Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key")
Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
---
security/integrity/ima/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 12e9250c1bec..2c36144cdd24 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -242,6 +242,7 @@ config IMA_APPRAISE_MODSIG
bool "Support module-style signatures for appraisal"
depends on IMA_APPRAISE
depends on INTEGRITY_ASYMMETRIC_KEYS
+ depends on MODULES
select PKCS7_MESSAGE_PARSER
select MODULE_SIG_FORMAT
default n
--
2.29.2
