EVM and other LSMs need the ability to query the secure boot status of the system, without directly calling the IMA arch_ima_get_secureboot function. Make arch_ima_get_secureboot integrity-wide.

Coiby Xu (3):
  integrity: Make arch_ima_get_secureboot integrity-wide
  evm: Don't enable fix mode when secure boot is enabled
  s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT

 arch/arm64/Kconfig                            |  1 +
 arch/powerpc/Kconfig                          |  1 +
 arch/powerpc/kernel/Makefile                  |  2 +-
 arch/powerpc/kernel/ima_arch.c                |  5 --
 arch/powerpc/kernel/integrity_sb_arch.c       | 13 +++++
 arch/s390/Kconfig                             |  2 +-
 arch/s390/kernel/Makefile                     |  2 +-
 arch/s390/kernel/ima_arch.c                   | 14 -----
 arch/s390/kernel/integrity_sb_arch.c          |  9 +++
 arch/x86/Kconfig                              |  1 +
 arch/x86/include/asm/efi.h                    |  4 +-
 arch/x86/platform/efi/efi.c                   |  2 +-
 include/linux/ima.h                           |  7 +--
 include/linux/integrity.h                     |  8 +++
 security/integrity/Kconfig                    |  6 ++
 security/integrity/Makefile                   |  3 +
 security/integrity/efi_secureboot.c           | 56 +++++++++++++++++++
 security/integrity/evm/evm_main.c             | 24 +++++---
 security/integrity/ima/ima_appraise.c         |  2 +-
 security/integrity/ima/ima_efi.c              | 47 +---------------
 security/integrity/ima/ima_main.c             |  4 +-
 security/integrity/platform_certs/load_uefi.c |  2 +-
 22 files changed, 128 insertions(+), 87 deletions(-)
 create mode 100644 arch/powerpc/kernel/integrity_sb_arch.c
 delete mode 100644 arch/s390/kernel/ima_arch.c
 create mode 100644 arch/s390/kernel/integrity_sb_arch.c
 create mode 100644 security/integrity/efi_secureboot.c

base-commit: 7f98ab9da046865d57c102fd3ca9669a29845f67
-- 
2.52.0
