[Cc'ing linuxppc-dev@lists.ozlabs.org]

On Tue, 2020-10-13 at 10:18 +0200, Ard Biesheuvel wrote:
> Chester reports that it is necessary to introduce a new way to pass
> the EFI secure boot status between the EFI stub and the core kernel
> on ARM systems. The usual way of obtaining this information is by
> checking the SecureBoot and SetupMode EFI variables, but this can
> only be done after the EFI variable workqueue is created, which
> occurs in a subsys_initcall(), whereas arch_ima_get_secureboot()
> is called much earlier by the IMA framework.
>
> However, the IMA framework itself is started as a late_initcall,
> and the only reason the call to arch_ima_get_secureboot() occurs
> so early is because it happens in the context of a __setup()
> callback that parses the ima_appraise= command line parameter.
>
> So let's refactor this code a little bit, by using a core_param()
> callback to capture the command line argument, and deferring any
> reasoning based on its contents to the IMA init routine.
>
> Cc: Chester Lin <c...@suse.com>
> Cc: Mimi Zohar <zo...@linux.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasat...@gmail.com>
> Cc: James Morris <jmor...@namei.org>
> Cc: "Serge E. Hallyn" <se...@hallyn.com>
> Link:
> https://lore.kernel.org/linux-arm-kernel/20200904072905.25332-2-c...@suse.com/
> Signed-off-by: Ard Biesheuvel <a...@kernel.org>
> ---
> v2: rebase onto series 'integrity: improve user feedback for invalid
> bootparams'

Thanks, Ard. Based on my initial, limited testing on Power, it looks
good, but I'm hesitant to include it in the integrity 5.10 pull
request without it having been in linux-next and some additional
testing. It's now queued in the next-integrity-testing branch awaiting
some tags.

thanks,

Mimi