On 7/8/2025 4:35 AM, Nayna Jain wrote: > > On 7/2/25 10:07 PM, GONG Ruiqi wrote: >> >> ... >> >> "We encountered a boot failure issue in an in-house testing, where the >> kernel refused to load its modules since it couldn't verify their >> signature. The root cause turned out to be the early return of >> load_uefi_certs(), where arch_ima_get_secureboot() returned false >> unconditionally due to CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=n, even >> though the secure boot was enabled. > Thanks for sharing additional details. > > From x86 Kconfig: > > /For config x86: > > imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI > / > And IMA_SECURE_AND_OR_TRUSTED_BOOT is dependent on IMA_ARCH_POLICY . > > And from Linux Kernel Kbuild documentation( https://docs.kernel.org/ > kbuild/kconfig-language.html) : > > /weak reverse dependencies: “imply” <symbol> [“if” <expr>] > > This is similar to “select” as it enforces a lower limit on another > symbol except that the “implied” symbol’s value may still be set to n > from a direct dependency or with a visible prompt. > > /Following the example from the documentation, if it is EFI enabled and > IMA_ARCH_POLICY is set to y then this config should be default enabled. > > If it is EFI enabled and IMA_ARCH_POLICY is set to N, then the setting > for IMA_SECURE_AND_OR_TRUSTED_BOOT should be prompted during the build. > The default setting for prompt is N. So, the person doing the build > should actually select Y to enable IMA_ARCH_POLICY. > > Wondering what is the scenario for you? Unless you have IMA_ARCH_POLICY > set to N, this config should have been ideally enabled. If you have > explicitly set it to N, am curious any specific reason for that.
Hi Nayna. Sorry for the late reply. Super busy these days... Yes, IMA_ARCH_POLICY was not set. The testing was conducted on openEuler[1], a Linux distro mainly for arm64 & x86, and the kernel was compiled based on its own openeuler_defconfig[2], which set IMA_ARCH_POLICY to N. -Ruiqi [1]: https://www.openeuler.org/en/ [2]: https://gitee.com/openeuler/kernel/blob/OLK-6.6/arch/arm64/configs/openeuler_defconfig > > Thanks & Regards, > > - Nayna >> >> ...
