On Thu, 2026-02-12 at 09:28 +0800, Coiby Xu wrote:
> On Mon, Feb 09, 2026 at 03:43:08PM -0500, Mimi Zohar wrote:
> > On Tue, 2026-02-03 at 12:14 +0800, Coiby Xu wrote:
> > > EVM and other LSMs need the ability to query the secure boot status of
> > > the system, without directly calling the IMA arch_ima_get_secureboot
> > > function. Refactor the secure boot status check into a general function
> > > named arch_get_secureboot.
> > > 
> > > Reported-and-suggested-by: Mimi Zohar <[email protected]>
> > > Suggested-by: Roberto Sassu <[email protected]>
> > > Signed-off-by: Coiby Xu <[email protected]>
> > 
> > Thanks, Coiby.  Other than unnecessarily splitting a line, the patch set looks
> > good.  As soon as the open window closes, I'll queue these patches for
> > linux-next.
> 
> Hi Mimi, thanks for reviewing the patch set! Would you like me to send a
> new version with the line splitting issue fixed?

Yes, thanks.

Mimi

> 
> > 
> > > diff --git a/security/integrity/ima/ima_efi.c 
> > > b/security/integrity/ima/ima_efi.c
> > > index 138029bfcce1..27521d665d33 100644
> > > --- a/security/integrity/ima/ima_efi.c
> > > +++ b/security/integrity/ima/ima_efi.c
> [...]
> > >  {
> > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
> > > +     arch_get_secureboot()) {
> > 
> > No need to split the line here or below.
> > 
> > 
> > >           if (IS_ENABLED(CONFIG_MODULE_SIG))
> > >                   set_module_sig_enforced();
> > >           if (IS_ENABLED(CONFIG_KEXEC_SIG))
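Review bot: the `arch_get_secureboot()` call in this `if` condition is still only reached under `IS_ENABLED(CONFIG_IMA_ARCH_POLICY)`, so the hunk does not show what the renamed, now generic helper returns when that option or an architecture implementation is absent. Since the commit message names EVM and other LSMs as intended callers, a short comment at the declaration stating the fallback value (and that false means "not enabled or not determinable") would help callers outside IMA avoid treating an unsupported platform as a trusted one.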
> > > diff --git a/security/integrity/ima/ima_main.c 
> > > b/security/integrity/ima/ima_main.c
> > > index 5770cf691912..6d093ac82a45 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -949,8 +949,8 @@ static int ima_load_data(enum kernel_load_data_id id, 
> > > bool contents)
> > > 
> > >   switch (id) {
> > >   case LOADING_KEXEC_IMAGE:
> > > -         if (IS_ENABLED(CONFIG_KEXEC_SIG)
> > > -             && arch_ima_get_secureboot()) {
> > > +         if (IS_ENABLED(CONFIG_KEXEC_SIG) &&
> > > +             arch_get_secureboot()) {
> > 
> > ===>
> > 
> > Mimi
> > 
> > >                   pr_err("impossible to appraise a kernel image without a 
> > > file descriptor; try using kexec_file_load syscall.\n");
> > >                   return -EACCES;
> > >           }
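Review bot: the `LOADING_KEXEC_IMAGE` condition changes in two ways at once, the call is renamed and the `&&` moves from the start of the continuation line to the end of the first line. The new name is shorter than the one removed, so the test can sit on a single line as `if (IS_ENABLED(CONFIG_KEXEC_SIG) && arch_get_secureboot()) {`, which leaves the hunk a pure name substitution and makes it easier to confirm that the kexec_load denial path under secure boot is unchanged.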
> > 
