On Thu, 2026-03-05 at 13:55 +0100, Vasily Gorbik wrote:
> On Fri, Feb 13, 2026 at 09:28:46AM +0800, Coiby Xu wrote:
> > EVM and other LSMs need the ability to query the secure boot status of
> > the system, without directly calling the IMA arch_ima_get_secureboot
> > function. Refactor the secure boot status check into a general function
> > named arch_get_secureboot.
> > 
> > Reported-and-suggested-by: Mimi Zohar <[email protected]>
> > Suggested-by: Roberto Sassu <[email protected]>
> > Signed-off-by: Coiby Xu <[email protected]>
> > ---
> >  MAINTAINERS                                   |  1 +
> >  arch/powerpc/kernel/ima_arch.c                |  5 --
> >  arch/powerpc/kernel/secure_boot.c             |  6 ++
> >  arch/s390/kernel/ima_arch.c                   |  6 --
> >  arch/s390/kernel/ipl.c                        |  5 ++
> >  arch/x86/include/asm/efi.h                    |  4 +-
> >  arch/x86/platform/efi/efi.c                   |  2 +-
> >  include/linux/ima.h                           |  7 +--
> >  include/linux/secure_boot.h                   | 19 +++++++
> >  security/integrity/Makefile                   |  3 +-
> >  security/integrity/efi_secureboot.c           | 56 +++++++++++++++++++
> >  security/integrity/ima/ima_appraise.c         |  2 +-
> >  security/integrity/ima/ima_efi.c              | 47 +---------------
> >  security/integrity/ima/ima_main.c             |  3 +-
> >  security/integrity/integrity.h                |  1 +
> >  security/integrity/platform_certs/load_uefi.c |  2 +-
> >  security/integrity/secure_boot.c              | 16 ++++++
> >  17 files changed, 115 insertions(+), 70 deletions(-)
> >  create mode 100644 include/linux/secure_boot.h
> >  create mode 100644 security/integrity/efi_secureboot.c
> >  create mode 100644 security/integrity/secure_boot.c
> 
> This triggers a warning on s390:
> 
> arch/s390/kernel/ipl.c:2507:6: warning: no previous prototype for 
> ‘arch_get_secureboot’ [-Wmissing-prototypes]
>  2507 | bool arch_get_secureboot(void)
>       |      ^~~~~~~~~~~~~~~~~~~
> 
> @Mimi: could you please squash this fixup into the offending commit,
> or pick it up separately?

Thanks, Vasily.  It's now squashed.

Mimi
