[PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[Nathan Chancellor]

security/integrity/secure_boot.c contains a single __weak function,
which breaks recordmcount when building with clang:

  $ make -skj"$(nproc)" ARCH=powerpc LLVM=1 ppc64_defconfig security/integrity/secure_boot.o
  Cannot find symbol for section 2: .text.
  security/integrity/secure_boot.o: failed

Introduce a Kconfig symbol, CONFIG_HAVE_ARCH_GET_SECUREBOOT, to indicate
that an architecture provides a definition of arch_get_secureboot().
Provide a static inline stub when this symbol is not defined to achieve
the same effect as the __weak function, allowing secure_boot.c to be
removed altogether. Move the s390 definition of arch_get_secureboot()
out of the CONFIG_KEXEC_FILE block to ensure it is always available, as
it does not actually depend on KEXEC_FILE.

Fixes: 31a6a07eefeb ("integrity: Make arch_ima_get_secureboot integrity-wide")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
---
 arch/Kconfig                     |  3 +++
 arch/powerpc/Kconfig             |  1 +
 arch/s390/Kconfig                |  1 +
 arch/s390/kernel/ipl.c           | 10 +++++-----
 include/linux/secure_boot.h      |  4 ++++
 security/integrity/Makefile      |  2 +-
 security/integrity/secure_boot.c | 16 ----------------
 7 files changed, 15 insertions(+), 22 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index 102ddbd4298e..a6d1c8cc1d64 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -1841,4 +1841,7 @@ config ARCH_WANTS_PRE_LINK_VMLINUX
 config ARCH_HAS_CPU_ATTACK_VECTORS
 	bool
 
+config HAVE_ARCH_GET_SECUREBOOT
+	def_bool EFI
+
 endmenu
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index ad7a2fe63a2a..da1eafb64354 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -1061,6 +1061,7 @@ config PPC_SECURE_BOOT
 	depends on IMA_ARCH_POLICY
 	imply IMA_SECURE_AND_OR_TRUSTED_BOOT
 	select PSERIES_PLPKS if PPC_PSERIES
+	select HAVE_ARCH_GET_SECUREBOOT
 	help
 	  Systems with firmware secure boot enabled need to define security
 	  policies to extend secure boot to the OS. This config allows a user
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 2101cc738b5e..4197c20d34b4 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -181,6 +181,7 @@ config S390
 	select GENERIC_IOREMAP if PCI
 	select HAVE_ALIGNED_STRUCT_PAGE
 	select HAVE_ARCH_AUDITSYSCALL
+	select HAVE_ARCH_GET_SECUREBOOT
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_JUMP_LABEL_RELATIVE
 	select HAVE_ARCH_KASAN
diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
index 2d01a1713938..3c346b02ceb9 100644
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -2388,6 +2388,11 @@ void __no_stack_protector s390_reset_system(void)
 	diag_amode31_ops.diag308_reset();
 }
 
+bool arch_get_secureboot(void)
+{
+	return ipl_secure_flag;
+}
+
 #ifdef CONFIG_KEXEC_FILE
 
 int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
@@ -2505,11 +2510,6 @@ void *ipl_report_finish(struct ipl_report *report)
 	return buf;
 }
 
-bool arch_get_secureboot(void)
-{
-	return ipl_secure_flag;
-}
-
 int ipl_report_free(struct ipl_report *report)
 {
 	struct ipl_report_component *comp, *ncomp;
diff --git a/include/linux/secure_boot.h b/include/linux/secure_boot.h
index 3ded3f03655c..d17e92351567 100644
--- a/include/linux/secure_boot.h
+++ b/include/linux/secure_boot.h
@@ -10,10 +10,14 @@
 
 #include <linux/types.h>
 
+#ifdef CONFIG_HAVE_ARCH_GET_SECUREBOOT
 /*
  * Returns true if the platform secure boot is enabled.
  * Returns false if disabled or not supported.
  */
 bool arch_get_secureboot(void);
+#else
+static inline bool arch_get_secureboot(void) { return false; }
+#endif
 
 #endif /* _LINUX_SECURE_BOOT_H */
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index 548665e2b702..45dfdedbdad4 100644
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -5,7 +5,7 @@
 
 obj-$(CONFIG_INTEGRITY) += integrity.o
 
-integrity-y := iint.o secure_boot.o
+integrity-y := iint.o
 integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
 integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
 integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
diff --git a/security/integrity/secure_boot.c b/security/integrity/secure_boot.c
deleted file mode 100644
index fc2693c286f8..000000000000
--- a/security/integrity/secure_boot.c
+++ /dev/null
@@ -1,16 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * Copyright (C) 2026 Red Hat, Inc. All Rights Reserved.
- *
- * Author: Coiby Xu <coxu@redhat.com>
- */
-#include <linux/secure_boot.h>
-
-/*
- * Default weak implementation.
- * Architectures that support secure boot must override this.
- */
-__weak bool arch_get_secureboot(void)
-{
-	return false;
-}

---
base-commit: 870819434c8dfcc3158033b66e7851b81bb17e21
change-id: 20260309-integrity-drop-weak-arch-get-secureboot-cead298d493f

Best regards,
--  
Nathan Chancellor <nathan@kernel.org>

Re: [PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[Arnd Bergmann]

On Mon, Mar 9, 2026, at 21:37, Nathan Chancellor wrote:
> security/integrity/secure_boot.c contains a single __weak function,
> which breaks recordmcount when building with clang:
>
>   $ make -skj"$(nproc)" ARCH=powerpc LLVM=1 ppc64_defconfig 
> security/integrity/secure_boot.o
>   Cannot find symbol for section 2: .text.
>   security/integrity/secure_boot.o: failed
>
> Introduce a Kconfig symbol, CONFIG_HAVE_ARCH_GET_SECUREBOOT, to indicate
> that an architecture provides a definition of arch_get_secureboot().
> Provide a static inline stub when this symbol is not defined to achieve
> the same effect as the __weak function, allowing secure_boot.c to be
> removed altogether. Move the s390 definition of arch_get_secureboot()
> out of the CONFIG_KEXEC_FILE block to ensure it is always available, as
> it does not actually depend on KEXEC_FILE.
>
> Fixes: 31a6a07eefeb ("integrity: Make arch_ima_get_secureboot integrity-wide")
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>

Acked-by: Arnd Bergmann <arnd@arndb.de>

Re: [PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[Mimi Zohar]

On Thu, 2026-03-12 at 16:03 +0100, Arnd Bergmann wrote:
> On Mon, Mar 9, 2026, at 21:37, Nathan Chancellor wrote:
> > security/integrity/secure_boot.c contains a single __weak function,
> > which breaks recordmcount when building with clang:
> > 
> >   $ make -skj"$(nproc)" ARCH=powerpc LLVM=1 ppc64_defconfig 
> > security/integrity/secure_boot.o
> >   Cannot find symbol for section 2: .text.
> >   security/integrity/secure_boot.o: failed
> > 
> > Introduce a Kconfig symbol, CONFIG_HAVE_ARCH_GET_SECUREBOOT, to indicate
> > that an architecture provides a definition of arch_get_secureboot().
> > Provide a static inline stub when this symbol is not defined to achieve
> > the same effect as the __weak function, allowing secure_boot.c to be
> > removed altogether. Move the s390 definition of arch_get_secureboot()
> > out of the CONFIG_KEXEC_FILE block to ensure it is always available, as
> > it does not actually depend on KEXEC_FILE.
> > 
> > Fixes: 31a6a07eefeb ("integrity: Make arch_ima_get_secureboot integrity-wide")
> > Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> 
> Acked-by: Arnd Bergmann <arnd@arndb.de>

I pushed out the patch to next-integrity, but am a bit concerned about the
definition:

+config HAVE_ARCH_GET_SECUREBOOT
+       def_bool EFI
+

Has anyone actually tested this patch on s390, not just compiled it?  If so, I'd
appreciate a tested-by tag.

thanks,

Mimi

Re: [PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[Nathan Chancellor]

On Thu, Mar 12, 2026 at 12:07:41PM -0400, Mimi Zohar wrote:
> I pushed out the patch to next-integrity, but am a bit concerned about the
> definition:
> 
> +config HAVE_ARCH_GET_SECUREBOOT
> +       def_bool EFI
> +

What is concerning about the definition with regards to s390?

> Has anyone actually tested this patch on s390, not just compiled it?  If so, I'd
> appreciate a tested-by tag.

It would be good to test (if it is possible to test in QEMU, I am happy
to attempt to do so). As far as I can tell, 31a6a07eefeb placed
arch_get_secureboot() in such a way that the __weak definition would be
used when CONFIG_KEXEC_FILE was disabled, even though ipl_secure_flag
should always be available, which this patch avoids.

Cheers,
Nathan

Re: [PATCH] integrity: Eliminate weak definition of arch_get_secureboot()

[Mimi Zohar]

On Thu, 2026-03-12 at 13:55 -0700, Nathan Chancellor wrote:
> On Thu, Mar 12, 2026 at 12:07:41PM -0400, Mimi Zohar wrote:
> > I pushed out the patch to next-integrity, but am a bit concerned about the
> > definition:
> > 
> > +config HAVE_ARCH_GET_SECUREBOOT
> > +       def_bool EFI
> > +
> 
> What is concerning about the definition with regards to s390?
> 
> > Has anyone actually tested this patch on s390, not just compiled it?  If so, I'd
> > appreciate a tested-by tag.
> 
> It would be good to test (if it is possible to test in QEMU, I am happy
> to attempt to do so). As far as I can tell, 31a6a07eefeb placed
> arch_get_secureboot() in such a way that the __weak definition would be
> used when CONFIG_KEXEC_FILE was disabled, even though ipl_secure_flag
> should always be available, which this patch avoids.

Thanks, Nathan.  Fortunately I got access to an s390 and was able to test.  It
seems to be working.

Mimi