Hi Linus,

There are 2 main changes, 1 feature removal, some code cleanup, and a number of bug fixes.

Main changes:
- Detecting secure boot mode was limited to IMA. Make detecting secure boot
  mode accessible to EVM and other LSMs.
- IMA sigv3 support was limited to fsverity. Add IMA sigv3 support for IMA
  regular file hashes and EVM portable signatures.

Remove:
- Remove IMA support for asynchronous hash calculation originally added for
  hardware acceleration.

Cleanup:
- Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG tests.
- Add descriptions of the IMA atomic flags.

Bug fixes:
- Like IMA, properly limit EVM "fix" mode.
- Define and call evm_fix_hmac() to update security.evm.
- Fall back to using i_version to detect file change for filesystems that do
  not support STATX_CHANGE_COOKIE.
- Address missing kernel support for configured (new) TPM hash algorithms.
- Add missing crypto_shash_final() return value.

Thanks,

Mimi

The following changes since commit 11439c4635edd669ae435eec308f4ab8a0804808:

  Linux 7.0-rc2 (2026-03-01 15:39:31 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/ tags/integrity-v7.1

for you to fetch changes up to 82bbd447199ff1441031d2eaf9afe041550cf525:

  evm: Enforce signatures version 3 with new EVM policy 'bit 3' (2026-04-01 10:16:53 -0400)

----------------------------------------------------------------
integrity-v7.1

----------------------------------------------------------------
Coiby Xu (5):
      integrity: Make arch_ima_get_secureboot integrity-wide
      evm: Don't enable fix mode when secure boot is enabled
      s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
      evm: fix security.evm for a file with IMA signature
      ima: Add code comments to explain IMA iint cache atomic_flags

Daniel Hodges (1):
      ima: check return value of crypto_shash_final() in boot aggregate

Dmitry Safonov (1):
      ima_fs: Correctly create securityfs files for unsupported hash algos

Eric Biggers (1):
      ima: remove buggy support for asynchronous hashes

Mimi Zohar (4):
      ima: fallback to using i_version to detect file change
      ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
      ima: add regular file data hash signature version 3 support
      ima: add support to require IMA sigv3 signatures

Nathan Chancellor (1):
      integrity: Eliminate weak definition of arch_get_secureboot()

Roberto Sassu (1):
      ima: Define and use a digest_size field in the ima_algo_desc structure

Stefan Berger (2):
      integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
      evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Thomas Weißschuh (2):
      ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
      powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG

 Documentation/ABI/testing/evm                   |   1 +
 Documentation/ABI/testing/ima_policy            |  10 +-
 Documentation/admin-guide/kernel-parameters.txt |  17 --
 MAINTAINERS                                     |   1 +
 arch/Kconfig                                    |   3 +
 arch/powerpc/Kconfig                            |   1 +
 arch/powerpc/kernel/ima_arch.c                  |   8 +-
 arch/powerpc/kernel/secure_boot.c               |   6 +
 arch/s390/Kconfig                               |   2 +-
 arch/s390/kernel/Makefile                       |   1 -
 arch/s390/kernel/ima_arch.c                     |  14 -
 arch/s390/kernel/ipl.c                          |   6 +
 arch/x86/include/asm/efi.h                      |   4 +-
 arch/x86/platform/efi/efi.c                     |   2 +-
 include/linux/evm.h                             |   8 +
 include/linux/ima.h                             |   7 +-
 include/linux/secure_boot.h                     |  23 ++
 security/integrity/Makefile                     |   1 +
 security/integrity/digsig.c                     |   8 +-
 security/integrity/digsig_asymmetric.c          |  59 ++++
 security/integrity/efi_secureboot.c             |  56 ++++
 security/integrity/evm/evm.h                    |   3 +-
 security/integrity/evm/evm_main.c               |  69 ++++-
 security/integrity/ima/ima.h                    |  29 +-
 security/integrity/ima/ima_api.c                |  13 +-
 security/integrity/ima/ima_appraise.c           |  79 ++---
 security/integrity/ima/ima_crypto.c             | 390 +-----------------------
 security/integrity/ima/ima_efi.c                |  53 +---
 security/integrity/ima/ima_fs.c                 |  34 ++-
 security/integrity/ima/ima_main.c               |  37 ++-
 security/integrity/ima/ima_policy.c             |  22 +-
 security/integrity/integrity.h                  |  15 +-
 security/integrity/platform_certs/load_uefi.c   |   2 +-
 33 files changed, 398 insertions(+), 586 deletions(-)
 delete mode 100644 arch/s390/kernel/ima_arch.c
 create mode 100644 include/linux/secure_boot.h
 create mode 100644 security/integrity/efi_secureboot.c

