ima_setup.sh: Fix check of signed policy requirement

pevik · pevik · commit 1ba58805ea54 · 2026-01-27T14:16:48.000+01:00
Kernel code in arch_get_ima_policy() depends also on CONFIG_IMA_ARCH_POLICY added in v5.0: d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") Link: https://lore.kernel.org/ltp/20260121083343.127613-1-pvorel@suse.cz/ Fixes: c38b528 ("ima_{conditionals, policy}: Handle policy required to be signed") Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Petr Vorel <pvorel@suse.cz>
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -466,10 +466,11 @@ require_evmctl()
 }
 
 # 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
+# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0
 check_need_signed_policy()
 {
 	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
-		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
+		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'
 }
 
 # loop device is needed to use only for tmpfs

Original file line number	Diff line number	Diff line change
`@@ -466,10 +466,11 @@ require_evmctl()`
`466`	`466`	`}`
`467`	`467`
`468`	`468`	`# 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4`
	`469`	`+# d958083a8f640 ("x86/ima: define arch_get_ima_policy() for x86") # v5.0`
`469`	`470`	`check_need_signed_policy()`
`470`	`471`	`{`
`471`	`472`	`tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \`
`472`		`- 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'`
	`473`	`+ 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,CONFIG_IMA_ARCH_POLICY'`
`473`	`474`	`}`
`474`	`475`
`475`	`476`	`# loop device is needed to use only for tmpfs`