On 7/17/25 8:29 AM, GONG Ruiqi wrote:
On 7/8/2025 4:35 AM, Nayna Jain wrote:
On 7/2/25 10:07 PM, GONG Ruiqi wrote:
...
"We encountered a boot failure issue in an in-house testing, where the
kernel refused to load its modules since it couldn't verify their
signature. The root cause turned out to be the early return of
load_uefi_certs(), where arch_ima_get_secureboot() returned false
unconditionally due to CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=n, even
though the secure boot was enabled.
Thanks for sharing additional details.
From x86 Kconfig:
/For config x86:
imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI
/
And IMA_SECURE_AND_OR_TRUSTED_BOOT is dependent on IMA_ARCH_POLICY .
And from Linux Kernel Kbuild documentation( https://docs.kernel.org/
kbuild/kconfig-language.html) :
/weak reverse dependencies: “imply” <symbol> [“if” <expr>]
This is similar to “select” as it enforces a lower limit on another
symbol except that the “implied” symbol’s value may still be set to n
from a direct dependency or with a visible prompt.
/Following the example from the documentation, if it is EFI enabled and
IMA_ARCH_POLICY is set to y then this config should be default enabled.
If it is EFI enabled and IMA_ARCH_POLICY is set to N, then the setting
for IMA_SECURE_AND_OR_TRUSTED_BOOT should be prompted during the build.
The default setting for prompt is N. So, the person doing the build
should actually select Y to enable IMA_ARCH_POLICY.
Wondering what is the scenario for you? Unless you have IMA_ARCH_POLICY
set to N, this config should have been ideally enabled. If you have
explicitly set it to N, am curious any specific reason for that.
Hi Nayna. Sorry for the late reply. Super busy these days...
Yes, IMA_ARCH_POLICY was not set. The testing was conducted on
openEuler[1], a Linux distro mainly for arm64 & x86, and the kernel was
compiled based on its own openeuler_defconfig[2], which set
IMA_ARCH_POLICY to N.
Thanks Ruiqi for the response.
It seems the main cause of the problem was that IMA_ARCH_POLICY config
wasn't enabled; and it sounds like you don't need IMA arch policies but
you do need the arch specific function to get the secure boot status.
In that case, removing IMA_SECURE_AND_OR_TRUSTED_BOOT config dependency
on IMA_ARCH_POLICY config and updating the corresponding help is all
that is needed.
The help text can be updated to:
This option is selected by architectures to detect systems with secure
and/or trusted boot enabled, in order to load the appropriate IMA
runtime policies and keys.
Thanks & Regards,
- Nayna
