Patch "ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 7 Oct 2023 08:25:34 -0400

This is a note to let you know that I've just added the patch titled

    ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ff1c7ee528a4be6489caad0b6b04c603b20636ef
Author: Oleksandr Tymoshenko <ovt@xxxxxxxxxx>
Date:   Thu Sep 21 06:45:05 2023 +0000

    ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
    
    [ Upstream commit be210c6d3597faf330cb9af33b9f1591d7b2a983 ]
    
    The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509
    and IMA_BLACKLIST_KEYRING unavailable because the latter
    two depend on the former. Since IMA_TRUSTED_KEYRING was
    deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it
    as a dependency for the two Kconfigs affected by the
    deprecation.
    
    Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig")
    Signed-off-by: Oleksandr Tymoshenko <ovt@xxxxxxxxxx>
    Reviewed-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
    Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 7bc416c172119..2200262489103 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -268,7 +268,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 config IMA_BLACKLIST_KEYRING
 	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
 	depends on SYSTEM_TRUSTED_KEYRING
-	depends on IMA_TRUSTED_KEYRING
+	depends on INTEGRITY_TRUSTED_KEYRING
 	default n
 	help
 	   This option creates an IMA blacklist keyring, which contains all
@@ -278,7 +278,7 @@ config IMA_BLACKLIST_KEYRING
 
 config IMA_LOAD_X509
 	bool "Load X509 certificate onto the '.ima' trusted keyring"
-	depends on IMA_TRUSTED_KEYRING
+	depends on INTEGRITY_TRUSTED_KEYRING
 	default n
 	help
 	   File signature verification is based on the public keys






