The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
modes (log, fix, enforce) to be configured at boot time. When booting
with Secure Boot enabled, all modes are ignored except enforce. To use
log or fix, Secure Boot must be disabled.

With a policy such as:

    appraise func=BPRM_CHECK appraise_type=imasig

A user may just want to audit signature validation. Not all users
are interested in full enforcement and find the audit log appropriate
for their use case.

Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
to work when Secure Boot is enabled.