public inbox for linuxppc-dev@ozlabs.org
 help / color / mirror / Atom feed
* [PATCH 0/2] efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
@ 2026-02-26  7:20 Thomas Weißschuh
  2026-02-26  7:20 ` [PATCH 1/2] ima: " Thomas Weißschuh
  2026-02-26  7:20 ` [PATCH 2/2] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
  0 siblings, 2 replies; 4+ messages in thread
From: Thomas Weißschuh @ 2026-02-26  7:20 UTC (permalink / raw)
  To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
	Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
  Cc: linux-integrity, linux-security-module, linux-kernel,
	linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier

When configuration settings are disabled the guarded functions are
defined as empty stubs, so the check is unnecessary.

This was originally part of my CONFIG_MODULE_HASHES[0] series,
but as I am dropping IMA compatibility for now, these patches
can go in independently.

[0] https://lore.kernel.org/lkml/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net/

Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
Thomas Weißschuh (2):
      ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
      powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG

 arch/powerpc/kernel/ima_arch.c   | 3 +--
 security/integrity/ima/ima_efi.c | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260225-ima-ifdef-978960c0f00e

Best regards,
-- 
Thomas Weißschuh <linux@weissschuh.net>



^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 1/2] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
  2026-02-26  7:20 [PATCH 0/2] efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
@ 2026-02-26  7:20 ` Thomas Weißschuh
  2026-02-27 18:21   ` Mimi Zohar
  2026-02-26  7:20 ` [PATCH 2/2] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
  1 sibling, 1 reply; 4+ messages in thread
From: Thomas Weißschuh @ 2026-02-26  7:20 UTC (permalink / raw)
  To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
	Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
  Cc: linux-integrity, linux-security-module, linux-kernel,
	linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier

When configuration settings are disabled the guarded functions are
defined as empty stubs, so the check is unnecessary.

Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
---
 security/integrity/ima/ima_efi.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1..a35dd166ad47 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
 const char * const *arch_get_ima_policy(void)
 {
 	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
-		if (IS_ENABLED(CONFIG_MODULE_SIG))
-			set_module_sig_enforced();
-		if (IS_ENABLED(CONFIG_KEXEC_SIG))
-			set_kexec_sig_enforced();
+		set_module_sig_enforced();
+		set_kexec_sig_enforced();
 		return sb_arch_rules;
 	}
 	return NULL;

-- 
2.53.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/2] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
  2026-02-26  7:20 [PATCH 0/2] efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
  2026-02-26  7:20 ` [PATCH 1/2] ima: " Thomas Weißschuh
@ 2026-02-26  7:20 ` Thomas Weißschuh
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Weißschuh @ 2026-02-26  7:20 UTC (permalink / raw)
  To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
	Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
  Cc: linux-integrity, linux-security-module, linux-kernel,
	linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier

When CONFIG_MODULE_SIG is disabled set_module_sig_enforced() is defined
as an empty stub, so the check is unnecessary.

Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
---
 arch/powerpc/kernel/ima_arch.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b7029beed847..690263bf4265 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -63,8 +63,7 @@ static const char *const secure_and_trusted_rules[] = {
 const char *const *arch_get_ima_policy(void)
 {
 	if (is_ppc_secureboot_enabled()) {
-		if (IS_ENABLED(CONFIG_MODULE_SIG))
-			set_module_sig_enforced();
+		set_module_sig_enforced();
 
 		if (is_ppc_trustedboot_enabled())
 			return secure_and_trusted_rules;

-- 
2.53.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
  2026-02-26  7:20 ` [PATCH 1/2] ima: " Thomas Weißschuh
@ 2026-02-27 18:21   ` Mimi Zohar
  0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2026-02-27 18:21 UTC (permalink / raw)
  To: Thomas Weißschuh, Roberto Sassu, Dmitry Kasatkin,
	Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
	Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin,
	Christophe Leroy (CS GROUP)
  Cc: linux-integrity, linux-security-module, linux-kernel,
	linuxppc-dev, Aaron Tomlin, Nicolas Schier

On Thu, 2026-02-26 at 08:20 +0100, Thomas Weißschuh wrote:
> When configuration settings are disabled the guarded functions are
> defined as empty stubs, so the check is unnecessary.
> 
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
> Reviewed-by: Nicolas Schier <nsc@kernel.org>
> ---
>  security/integrity/ima/ima_efi.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> index 138029bfcce1..a35dd166ad47 100644
> --- a/security/integrity/ima/ima_efi.c
> +++ b/security/integrity/ima/ima_efi.c
> @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
>  const char * const *arch_get_ima_policy(void)
>  {
>  	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> -		if (IS_ENABLED(CONFIG_MODULE_SIG))
> -			set_module_sig_enforced();
> -		if (IS_ENABLED(CONFIG_KEXEC_SIG))
> -			set_kexec_sig_enforced();
> +		set_module_sig_enforced();
> +		set_kexec_sig_enforced();
>  		return sb_arch_rules;
>  	}
>  	return NULL;

Thanks, Thomas.

With commit 63e8a44395a4 ("integrity: Make arch_ima_get_secureboot integrity-
wide"), there was a merge conflict.  After fixing the merge conflict, your
patches are now queued in next-integrity.

Mimi


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-27 18:22 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-26  7:20 [PATCH 0/2] efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2026-02-26  7:20 ` [PATCH 1/2] ima: " Thomas Weißschuh
2026-02-27 18:21   ` Mimi Zohar
2026-02-26  7:20 ` [PATCH 2/2] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox