Re: [PATCH v2 1/3] integrity: Make arch_ima_get_secureboot integrity-wide
From: Coiby Xu
Date: Wed Feb 11 2026 - 20:30:43 EST
On Mon, Feb 09, 2026 at 03:43:08PM -0500, Mimi Zohar wrote:
On Tue, 2026-02-03 at 12:14 +0800, Coiby Xu wrote:
EVM and other LSMs need the ability to query the secure boot status of
the system, without directly calling the IMA arch_ima_get_secureboot
function. Refactor the secure boot status check into a general function
named arch_get_secureboot.
Reported-and-suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Suggested-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
Thanks, Coiby. Other than unnecessarily splitting a line, the patch set looks
good. As soon as the open window closes, I'll queue these patches for linux-next.
Hi Mimi, thanks for reviewing the patch set! Would you like me to send a
new version with the line splitting issue fixed?
[...]
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1..27521d665d33 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
{
- if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+ if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
+ arch_get_secureboot()) {
No need to split the line here or below.
if (IS_ENABLED(CONFIG_MODULE_SIG))
set_module_sig_enforced();
if (IS_ENABLED(CONFIG_KEXEC_SIG))
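Review bot: the two-line split at `+ if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&` / `+ arch_get_secureboot()) {` is not needed; the renamed call is shorter than the original `arch_ima_get_secureboot()`, so the condition still fits on one line as it did before, and keeping it on one line also keeps the diff to a pure rename. The surrounding behaviour (forcing module and kexec signature enforcement when secure boot is on) is unchanged by the rename, which matches the commit description.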
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912..6d093ac82a45 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -949,8 +949,8 @@ static int ima_load_data(enum kernel_load_data_id id, bool contents)
switch (id) {
case LOADING_KEXEC_IMAGE:
- if (IS_ENABLED(CONFIG_KEXEC_SIG)
- && arch_ima_get_secureboot()) {
+ if (IS_ENABLED(CONFIG_KEXEC_SIG) &&
+ arch_get_secureboot()) {
===>
Mimi
pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
return -EACCES;
}
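Review bot: same point as in ima_efi.c: `+ if (IS_ENABLED(CONFIG_KEXEC_SIG) &&` / `+ arch_get_secureboot()) {` fits on a single line after the rename, so the split is unnecessary. Moving the `&&` from the start of the continuation line to the end of the first line does follow kernel coding style, but once the condition is joined that question goes away; the `-EACCES` path for LOADING_KEXEC_IMAGE is otherwise untouched.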
--
Best regards,
Coiby