On Wed, Jun 21, 2023 at 12:10:49PM -0500, Eric DeVolder wrote: Hi Eric, ...
NOTE: The original Kconfig has a KEXEC_SIG which depends on MODULE_SIG_FORMAT. However, attempts to keep the MODULE_SIG_FORMAT dependency (using the strategy outlined in this series, and other techniques) results in 'error: recursive dependency detected' on CRYPTO. This occurs due to any path through KEXEC_SIG attempting to select CRYPTO is ultimately dependent upon CRYPTO: CRYPTO <- ARCH_SUPPORTS_KEXEC_FILE <- KEXEC_FILE <- KEXEC_SIG Therefore, the solution is to drop the MODULE_SIG_FORMAT dependency for KEXEC_SIG. In practice, however, MODULE_SIG_FORMAT is still configured-in as the use of KEXEC_SIG is in step with the use of SYSTEM_DATA_VERIFICATION, which does select MODULE_SIG_FORMAT.No, it is actually the other way around. Could you please provide the correct explanation? AFAICT the MODULE_SIG_FORMAT dependency was introduced with commit c8424e776b09 ("MODSIGN: Export module signature definitions") and in fact was not necessary, since s390 did/does not use mod_check_sig() anyway. So the SYSTEM_DATA_VERIFICATION could have left intact.Thomas, would the correct explanation be simply indicating that MODULE_SIG_FORMAT isn't needed as it is not used by s390 (crediting your summary above)?
I guess, you asked me? Anyway, I will try to answer as if I were Thomas :) MODULE_SIG_FORMAT is needed to select SYSTEM_DATA_VERIFICATION. But SYSTEM_DATA_VERIFICATION is also selected by FS_VERITY*, so dropping MODULE_SIG_FORMAT does not hurt. Thanks!
