From: Mimi Zohar <zohar@linux.ibm.com>
To: Ard Biesheuvel <ardb@kernel.org>, Coiby Xu <coxu@redhat.com>
Cc: linux-integrity@vger.kernel.org,
Heiko Carstens <hca@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huaweicloud.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
"moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)"
<linux-arm-kernel@lists.infradead.org>,
open list <linux-kernel@vger.kernel.org>,
"open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)"
<linuxppc-dev@lists.ozlabs.org>,
"open list:S390 ARCHITECTURE" <linux-s390@vger.kernel.org>,
"open list:EXTENSIBLE FIRMWARE INTERFACE (EFI)"
<linux-efi@vger.kernel.org>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@vger.kernel.org>,
"open list:KEYS/KEYRINGS_INTEGRITY" <keyrings@vger.kernel.org>
Subject: Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide
Date: Fri, 16 Jan 2026 08:11:14 -0500 [thread overview]
Message-ID: <8bfa859ed3a4f1cf0db0ab64d8c1c3b24684582a.camel@linux.ibm.com> (raw)
In-Reply-To: <CAMj1kXFXNo1-pMbo-VZrjQ3TYe1tufebrLr_avL12A0nHMSGnA@mail.gmail.com>
On Fri, 2026-01-16 at 10:41 +0100, Ard Biesheuvel wrote:
> On Thu, 15 Jan 2026 at 01:43, Coiby Xu <coxu@redhat.com> wrote:
> >
> > EVM and other LSMs need the ability to query the secure boot status of
> > the system, without directly calling the IMA arch_ima_get_secureboot
> > function. Refactor the secure boot status check into a general,
> > integrity-wide function named arch_integrity_get_secureboot.
> >
> > Define a new Kconfig option CONFIG_INTEGRITY_SECURE_BOOT, which is
> > automatically configured by the supported architectures. The existing
> > IMA_SECURE_AND_OR_TRUSTED_BOOT Kconfig loads the architecture specific
> > IMA policy based on the refactored secure boot status code.
> >
> > Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Suggested-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
> > Signed-off-by: Coiby Xu <coxu@redhat.com>
> > ---
> > arch/arm64/Kconfig | 1 +
> > arch/powerpc/Kconfig | 1 +
> > arch/powerpc/kernel/Makefile | 2 +-
> > arch/powerpc/kernel/ima_arch.c | 5 --
> > arch/powerpc/kernel/integrity_sb_arch.c | 13 +++++
> > arch/s390/Kconfig | 1 +
> > arch/s390/kernel/Makefile | 1 +
> > arch/s390/kernel/ima_arch.c | 6 --
> > arch/s390/kernel/integrity_sb_arch.c | 9 +++
> > arch/x86/Kconfig | 1 +
> > arch/x86/include/asm/efi.h | 4 +-
> > arch/x86/platform/efi/efi.c | 2 +-
> > include/linux/ima.h | 7 +--
> > include/linux/integrity.h | 8 +++
> > security/integrity/Kconfig | 6 ++
> > security/integrity/Makefile | 3 +
> > security/integrity/efi_secureboot.c | 56 +++++++++++++++++++
> > security/integrity/ima/ima_appraise.c | 2 +-
> > security/integrity/ima/ima_efi.c | 47 +---------------
> > security/integrity/ima/ima_main.c | 4 +-
> > security/integrity/platform_certs/load_uefi.c | 2 +-
> > 21 files changed, 111 insertions(+), 70 deletions(-)
> > create mode 100644 arch/powerpc/kernel/integrity_sb_arch.c
> > create mode 100644 arch/s390/kernel/integrity_sb_arch.c
> > create mode 100644 security/integrity/efi_secureboot.c
> >
> > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> > index 93173f0a09c7..4c265b7386bb 100644
> > --- a/arch/arm64/Kconfig
> > +++ b/arch/arm64/Kconfig
> > @@ -2427,6 +2427,7 @@ config EFI
> > select EFI_STUB
> > select EFI_GENERIC_STUB
> > imply IMA_SECURE_AND_OR_TRUSTED_BOOT
> > + imply INTEGRITY_SECURE_BOOT
>
> This allows both to be en/disabled individually, which I don't think
> is what we want. It also results in more churn across the
> arch-specific Kconfigs than needed.
>
> Wouldn't it be better if IMA_SECURE_AND_OR_TRUSTED_BOOT 'select'ed
> INTEGRITY_SECURE_BOOT in its Kconfig definition?
As much as possible, EVM (and other LSMs) shouldn't be dependent on another LSM,
in this case IMA, being configured.
next prev parent reply other threads:[~2026-01-16 13:49 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260115004328.194142-1-coxu@redhat.com>
2026-01-15 0:43 ` [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide Coiby Xu
2026-01-15 18:14 ` Mimi Zohar
2026-01-16 9:41 ` Ard Biesheuvel
2026-01-16 13:11 ` Mimi Zohar [this message]
2026-01-16 13:18 ` Ard Biesheuvel
2026-01-16 16:38 ` Mimi Zohar
2026-01-16 17:27 ` Ard Biesheuvel
2026-01-18 18:25 ` Mimi Zohar
2026-01-19 4:04 ` Coiby Xu
2026-01-21 15:40 ` Mimi Zohar
2026-01-21 16:25 ` Ard Biesheuvel
2026-01-24 0:18 ` Coiby Xu
2026-02-25 0:03 ` Mimi Zohar
2026-02-26 10:23 ` Ard Biesheuvel
2026-01-19 18:44 ` Dave Hansen
2026-01-21 15:29 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8bfa859ed3a4f1cf0db0ab64d8c1c3b24684582a.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=ardb@kernel.org \
--cc=borntraeger@linux.ibm.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=chleroy@kernel.org \
--cc=coxu@redhat.com \
--cc=dave.hansen@linux.intel.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox