[PATCH v2 1/3] integrity: Make arch_ima_get_secureboot integrity-wide

Mimi Zohar zohar at linux.ibm.com
Thu Feb 12 20:25:17 UTC 2026 

On Thu, 2026-02-12 at 09:28 +0800, Coiby Xu wrote:
> On Mon, Feb 09, 2026 at 03:43:08PM -0500, Mimi Zohar wrote:
> > On Tue, 2026-02-03 at 12:14 +0800, Coiby Xu wrote:
> > > EVM and other LSMs need the ability to query the secure boot status of
> > > the system, without directly calling the IMA arch_ima_get_secureboot
> > > function. Refactor the secure boot status check into a general function
> > > named arch_get_secureboot.
> > > 
> > > Reported-and-suggested-by: Mimi Zohar <zohar at linux.ibm.com>
> > > Suggested-by: Roberto Sassu <roberto.sassu at huawei.com>
> > > Signed-off-by: Coiby Xu <coxu at redhat.com>
> > 
> > Thanks, Coiby.  Other than unnecessarily splitting a line, the patch set looks
> > good.  As soon as the open window closes, I'll queue these patches for linux-
> > next.
> 
> Hi Mimi, thanks for reviewing the patch set! Would you like me to send a
> new version with the line splitting issue fixed?

Yes, thanks.

Mimi

> 
> > 
> > > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> > > index 138029bfcce1..27521d665d33 100644
> > > --- a/security/integrity/ima/ima_efi.c
> > > +++ b/security/integrity/ima/ima_efi.c
> [...]
> > >  {
> > > -	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > +	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
> > > +	    arch_get_secureboot()) {
> > 
> > No need to split the line here or below.
> > 
> > 
> > >  		if (IS_ENABLED(CONFIG_MODULE_SIG))
> > >  			set_module_sig_enforced();
> > >  		if (IS_ENABLED(CONFIG_KEXEC_SIG))
> > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > > index 5770cf691912..6d093ac82a45 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -949,8 +949,8 @@ static int ima_load_data(enum kernel_load_data_id id, bool contents)
> > > 
> > >  	switch (id) {
> > >  	case LOADING_KEXEC_IMAGE:
> > > -		if (IS_ENABLED(CONFIG_KEXEC_SIG)
> > > -		    && arch_ima_get_secureboot()) {
> > > +		if (IS_ENABLED(CONFIG_KEXEC_SIG) &&
> > > +		    arch_get_secureboot()) {
> > 
> > ===>
> > 
> > Mimi
> > 
> > >  			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
> > >  			return -EACCES;
> > >  		}
> >

More information about the Linux-security-module-archive mailing list