[PATCH v3 1/3] integrity: Make arch_ima_get_secureboot integrity-wide
Mimi Zohar
zohar at linux.ibm.com
Thu Mar 5 17:25:42 UTC 2026
On Thu, 2026-03-05 at 13:55 +0100, Vasily Gorbik wrote:
> On Fri, Feb 13, 2026 at 09:28:46AM +0800, Coiby Xu wrote:
> > EVM and other LSMs need the ability to query the secure boot status of
> > the system, without directly calling the IMA arch_ima_get_secureboot
> > function. Refactor the secure boot status check into a general function
> > named arch_get_secureboot.
> >
> > Reported-and-suggested-by: Mimi Zohar <zohar at linux.ibm.com>
> > Suggested-by: Roberto Sassu <roberto.sassu at huawei.com>
> > Signed-off-by: Coiby Xu <coxu at redhat.com>
> > ---
> > MAINTAINERS | 1 +
> > arch/powerpc/kernel/ima_arch.c | 5 --
> > arch/powerpc/kernel/secure_boot.c | 6 ++
> > arch/s390/kernel/ima_arch.c | 6 --
> > arch/s390/kernel/ipl.c | 5 ++
> > arch/x86/include/asm/efi.h | 4 +-
> > arch/x86/platform/efi/efi.c | 2 +-
> > include/linux/ima.h | 7 +--
> > include/linux/secure_boot.h | 19 +++++++
> > security/integrity/Makefile | 3 +-
> > security/integrity/efi_secureboot.c | 56 +++++++++++++++++++
> > security/integrity/ima/ima_appraise.c | 2 +-
> > security/integrity/ima/ima_efi.c | 47 +---------------
> > security/integrity/ima/ima_main.c | 3 +-
> > security/integrity/integrity.h | 1 +
> > security/integrity/platform_certs/load_uefi.c | 2 +-
> > security/integrity/secure_boot.c | 16 ++++++
> > 17 files changed, 115 insertions(+), 70 deletions(-)
> > create mode 100644 include/linux/secure_boot.h
> > create mode 100644 security/integrity/efi_secureboot.c
> > create mode 100644 security/integrity/secure_boot.c
>
> This triggers a warning on s390:
>
> arch/s390/kernel/ipl.c:2507:6: warning: no previous prototype for ‘arch_get_secureboot’ [-Wmissing-prototypes]
> 2507 | bool arch_get_secureboot(void)
> | ^~~~~~~~~~~~~~~~~~~
>
> @Mimi: could you please squash this fixup into the offending commit,
> or pick it up separately?
Thanks, Vasily. It's now squashed.
Mimi