Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

integrity: Make arch_ima_get_secureboot integrity-wide

EVM and other LSMs need the ability to query the secure boot status of
the system, without directly calling the IMA arch_ima_get_secureboot
function. Refactor the secure boot status check into a general function
named arch_get_secureboot.

Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Coiby Xu and committed by
Mimi Zohar
31a6a07e 11439c46

+115 -70
+1
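--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -12668,6 +12668,7 @@
 L: linux-integrity@vger.kernel.org
 S: Supported
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
+F: include/linux/secure_boot.h
 F: security/integrity/
 F: security/integrity/ima/
 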
-5
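--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -7,11 +7,6 @@
 #include <linux/ima.h>
 #include <asm/secure_boot.h>
 
-bool arch_ima_get_secureboot(void)
-{
-return is_ppc_secureboot_enabled();
-}
-
 /*
 * The "secure_rules" are enabled only on "secureboot" enabled systems.
 * These rules verify the file signatures against known good values.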
+6
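--- a/arch/powerpc/kernel/secure_boot.c
+++ b/arch/powerpc/kernel/secure_boot.c
@@ -5,6 +5,7 @@
 */
 #include <linux/types.h>
 #include <linux/of.h>
+#include <linux/secure_boot.h>
 #include <linux/string_choices.h>
 #include <asm/secure_boot.h>
 
@@ -42,6 +43,11 @@
 pr_info("Secure boot mode %s\n", str_enabled_disabled(enabled));
 
 return enabled;
+}
+
+bool arch_get_secureboot(void)
+{
+return is_ppc_secureboot_enabled();
 }
 
 bool is_ppc_trustedboot_enabled(void)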
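Review bot: Every call to the new `arch_get_secureboot()` goes through `is_ppc_secureboot_enabled()`, and the function body ending just above the added code (its signature is outside the hunk, presumably that same helper) emits `pr_info("Secure boot mode %s\n", ...)` before returning. With the helper now offered to EVM and other LSMs, each additional caller repeats that log line and whatever lookup precedes it, whereas the EFI implementation in security/integrity/efi_secureboot.c caches its answer in function-local statics. Consider caching here as well, or at least document the behaviour with a comment such as `/* Not cached: re-evaluates and logs on every call; keep callers off hot paths. */`.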
-6
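--- a/arch/s390/kernel/ima_arch.c
+++ b/arch/s390/kernel/ima_arch.c
@@ -1,12 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
 #include <linux/ima.h>
-#include <asm/boot_data.h>
-
-bool arch_ima_get_secureboot(void)
-{
-return ipl_secure_flag;
-}
 
 const char * const *arch_get_ima_policy(void)
 {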
+5
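--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -2504,6 +2504,11 @@
 return buf;
 }
 
+bool arch_get_secureboot(void)
+{
+return ipl_secure_flag;
+}
+
 int ipl_report_free(struct ipl_report *report)
 {
 struct ipl_report_component *comp, *ncomp;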
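Review bot: The new `arch_get_secureboot()` definition is added without a matching `#include <linux/secure_boot.h>` in this file; the section's only change is the five added lines, while the powerpc counterpart adds that include alongside its definition. Unless ipl.c already reaches the header indirectly (not visible here), the definition is compiled without its prototype, so a signature drift from the header or from the `__weak` default would go unnoticed and the build may warn about a missing prototype. Add `#include <linux/secure_boot.h>` to the include block at the top of ipl.c.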
+2 -2
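--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -401,9 +401,9 @@
 extern void __init efi_memmap_insert(struct efi_memory_map *old_memmap,
 void *buf, struct efi_mem_range *mem);
 
-extern enum efi_secureboot_mode __x86_ima_efi_boot_mode(void);
+enum efi_secureboot_mode __x86_efi_boot_mode(void);
 
-#define arch_ima_efi_boot_mode __x86_ima_efi_boot_mode()
+#define arch_efi_boot_mode __x86_efi_boot_mode()
 
 #ifdef CONFIG_EFI_RUNTIME_MAP
 int efi_get_runtime_map_size(void);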
+1 -1
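--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -920,7 +920,7 @@
 return attr->mode;
 }
 
-enum efi_secureboot_mode __x86_ima_efi_boot_mode(void)
+enum efi_secureboot_mode __x86_efi_boot_mode(void)
 {
 return boot_params.secure_boot;
 }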
+1 -6
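--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,6 +11,7 @@
 #include <linux/fs.h>
 #include <linux/security.h>
 #include <linux/kexec.h>
+#include <linux/secure_boot.h>
 #include <crypto/hash_info.h>
 struct linux_binprm;
 
@@ -73,14 +74,8 @@
 #endif
 
 #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
-extern bool arch_ima_get_secureboot(void);
 extern const char * const *arch_get_ima_policy(void);
 #else
-static inline bool arch_ima_get_secureboot(void)
-{
-return false;
-}
-
 static inline const char * const *arch_get_ima_policy(void)
 {
 return NULL;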
+19
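--- a/include/linux/secure_boot.h
+++ b/include/linux/secure_boot.h
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+* Copyright (C) 2026 Red Hat, Inc. All Rights Reserved.
+*
+* Author: Coiby Xu <coxu@redhat.com>
+*/
+
+#ifndef _LINUX_SECURE_BOOT_H
+#define _LINUX_SECURE_BOOT_H
+
+#include <linux/types.h>
+
+/*
+* Returns true if the platform secure boot is enabled.
+* Returns false if disabled or not supported.
+*/
+bool arch_get_secureboot(void);
+
+#endif /* _LINUX_SECURE_BOOT_H */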
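Review bot: The contract comment on `arch_get_secureboot()` is thinner than what the implementations in this commit actually do, and this header is what new callers will read. `false` is also returned when the state cannot be determined (the EFI variant maps `efi_secureboot_mode_unknown` to `false`), and the "don't call this function too early" warning lives only in security/integrity/efi_secureboot.c. Suggest extending the comment to say that `false` means disabled, unsupported or undeterminable, so it must not be read as proof that secure boot is off, and that the function must not be called before EFI runtime services are usable. Kernel-doc format (`/** ... */` with a `Return:` line) would also let the contract appear in generated documentation.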
+2 -1
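--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -5,7 +5,7 @@
 
 obj-$(CONFIG_INTEGRITY) += integrity.o
 
-integrity-y := iint.o
+integrity-y := iint.o secure_boot.o
 integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
 integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
 integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
@@ -18,6 +18,7 @@
 integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
 platform_certs/load_powerpc.o \
 platform_certs/keyring_handler.o
+integrity-$(CONFIG_EFI) += efi_secureboot.o
 # The relative order of the 'ima' and 'evm' LSMs depends on the order below.
 obj-$(CONFIG_IMA) += ima/
 obj-$(CONFIG_EVM) += evm/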
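Review bot: `secure_boot.o` and `efi_secureboot.o` are both folded into `integrity.o`, so every generic definition of `arch_get_secureboot()` exists only when `CONFIG_INTEGRITY` is set, while include/linux/secure_boot.h declares the function unconditionally and the `static inline` fallback that include/linux/ima.h used to provide is removed. All callers touched by this commit live under security/integrity, so nothing breaks today, but the stated goal is use by other LSMs, and such a caller built without `CONFIG_INTEGRITY` on an architecture lacking its own definition would fail at link time. Either record the dependency next to the object list, e.g. `# secure_boot.o holds the weak arch_get_secureboot() default; callers must depend on INTEGRITY`, or build the weak default from a location that is always compiled.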
+56
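--- a/security/integrity/efi_secureboot.c
+++ b/security/integrity/efi_secureboot.c
@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: GPL-1.0+
+/*
+* Copyright (C) 2018 IBM Corporation
+*/
+#include <linux/efi.h>
+#include <linux/secure_boot.h>
+#include <asm/efi.h>
+
+#ifndef arch_efi_boot_mode
+#define arch_efi_boot_mode efi_secureboot_mode_unset
+#endif
+
+static enum efi_secureboot_mode get_sb_mode(void)
+{
+enum efi_secureboot_mode mode;
+
+if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
+pr_info("integrity: secureboot mode unknown, no efi\n");
+return efi_secureboot_mode_unknown;
+}
+
+mode = efi_get_secureboot_mode(efi.get_variable);
+if (mode == efi_secureboot_mode_disabled)
+pr_info("integrity: secureboot mode disabled\n");
+else if (mode == efi_secureboot_mode_unknown)
+pr_info("integrity: secureboot mode unknown\n");
+else
+pr_info("integrity: secureboot mode enabled\n");
+return mode;
+}
+
+/*
+* Query secure boot status
+*
+* Note don't call this function too early e.g. in __setup hook otherwise the
+* kernel may hang when calling efi_get_secureboot_mode.
+*
+*/
+bool arch_get_secureboot(void)
+{
+static enum efi_secureboot_mode sb_mode;
+static bool initialized;
+
+if (!initialized && efi_enabled(EFI_BOOT)) {
+sb_mode = arch_efi_boot_mode;
+
+if (sb_mode == efi_secureboot_mode_unset)
+sb_mode = get_sb_mode();
+initialized = true;
+}
+
+if (sb_mode == efi_secureboot_mode_enabled)
+return true;
+else
+return false;
+}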
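Review bot: `arch_get_secureboot()` sets `initialized = true` whatever `get_sb_mode()` returned, so an `efi_secureboot_mode_unknown` result from the first call, including the "no efi" branch taken when `EFI_RT_SUPPORTED_GET_VARIABLE` is unavailable, is cached and reported as `false` for the rest of the boot. That was tolerable with a small set of IMA callers, but as an integrity-wide helper the first caller now decides the answer for everyone, and callers such as `arch_get_ima_policy()` skip enforcement on `false`. Consider documenting the caching and the first-call ordering in the function comment, and state whether the unsynchronized statics are safe because all first calls happen during single-threaded init. Separately, the log prefix changes from `ima:` to `integrity:`, which will silently break log-based monitoring that matches the old strings and deserves a line in the commit message.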
+1 -1
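--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -27,7 +27,7 @@
 void __init ima_appraise_parse_cmdline(void)
 {
 const char *str = ima_appraise_cmdline_default;
-bool sb_state = arch_ima_get_secureboot();
+bool sb_state = arch_get_secureboot();
 int appraisal_state = ima_appraise;
 
 if (!str)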
+2 -45
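--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -2,52 +2,9 @@
 /*
 * Copyright (C) 2018 IBM Corporation
 */
-#include <linux/efi.h>
 #include <linux/module.h>
 #include <linux/ima.h>
-#include <asm/efi.h>
-
-#ifndef arch_ima_efi_boot_mode
-#define arch_ima_efi_boot_mode efi_secureboot_mode_unset
-#endif
-
-static enum efi_secureboot_mode get_sb_mode(void)
-{
-enum efi_secureboot_mode mode;
-
-if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
-pr_info("ima: secureboot mode unknown, no efi\n");
-return efi_secureboot_mode_unknown;
-}
-
-mode = efi_get_secureboot_mode(efi.get_variable);
-if (mode == efi_secureboot_mode_disabled)
-pr_info("ima: secureboot mode disabled\n");
-else if (mode == efi_secureboot_mode_unknown)
-pr_info("ima: secureboot mode unknown\n");
-else
-pr_info("ima: secureboot mode enabled\n");
-return mode;
-}
-
-bool arch_ima_get_secureboot(void)
-{
-static enum efi_secureboot_mode sb_mode;
-static bool initialized;
-
-if (!initialized && efi_enabled(EFI_BOOT)) {
-sb_mode = arch_ima_efi_boot_mode;
-
-if (sb_mode == efi_secureboot_mode_unset)
-sb_mode = get_sb_mode();
-initialized = true;
-}
-
-if (sb_mode == efi_secureboot_mode_enabled)
-return true;
-else
-return false;
-}
+#include <linux/secure_boot.h>
 
 /* secureboot arch rules */
 static const char * const sb_arch_rules[] = {
@@ -67,7 +24,7 @@
 
 const char * const *arch_get_ima_policy(void)
 {
-if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_get_secureboot()) {
 if (IS_ENABLED(CONFIG_MODULE_SIG))
 set_module_sig_enforced();
 if (IS_ENABLED(CONFIG_KEXEC_SIG))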
+1 -2
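--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -953,8 +953,7 @@
 
 switch (id) {
 case LOADING_KEXEC_IMAGE:
-if (IS_ENABLED(CONFIG_KEXEC_SIG)
-&& arch_ima_get_secureboot()) {
+if (IS_ENABLED(CONFIG_KEXEC_SIG) && arch_get_secureboot()) {
 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 return -EACCES;
 }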
+1
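--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -14,6 +14,7 @@
 
 #include <linux/types.h>
 #include <linux/integrity.h>
+#include <linux/secure_boot.h>
 #include <crypto/sha1.h>
 #include <crypto/hash.h>
 #include <linux/key.h>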
+1 -1
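--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -212,7 +212,7 @@
 }
 
 /* the MOK/MOKx can not be trusted when secure boot is disabled */
-if (!arch_ima_get_secureboot())
+if (!arch_get_secureboot())
 return 0;
 
 mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);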
+16
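--- a/security/integrity/secure_boot.c
+++ b/security/integrity/secure_boot.c
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+* Copyright (C) 2026 Red Hat, Inc. All Rights Reserved.
+*
+* Author: Coiby Xu <coxu@redhat.com>
+*/
+#include <linux/secure_boot.h>
+
+/*
+* Default weak implementation.
+* Architectures that support secure boot must override this.
+*/
+__weak bool arch_get_secureboot(void)
+{
+return false;
+}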