tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

integrity: Eliminate weak definition of arch_get_secureboot()

security/integrity/secure_boot.c contains a single __weak function,
which breaks recordmcount when building with clang:

$ make -skj"$(nproc)" ARCH=powerpc LLVM=1 ppc64_defconfig security/integrity/secure_boot.o
Cannot find symbol for section 2: .text.
security/integrity/secure_boot.o: failed

Introduce a Kconfig symbol, CONFIG_HAVE_ARCH_GET_SECUREBOOT, to indicate
that an architecture provides a definition of arch_get_secureboot().
Provide a static inline stub when this symbol is not defined to achieve
the same effect as the __weak function, allowing secure_boot.c to be
removed altogether. Move the s390 definition of arch_get_secureboot()
out of the CONFIG_KEXEC_FILE block to ensure it is always available, as
it does not actually depend on KEXEC_FILE.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 31a6a07eefeb ("integrity: Make arch_ima_get_secureboot integrity-wide")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Nathan Chancellor and committed by
Mimi Zohar 7caedbb5 5d05360d

+15 -22
+3
arch/Kconfig
··· 1841 1841 config ARCH_HAS_CPU_ATTACK_VECTORS 1842 1842 bool 1843 1843 1844 + config HAVE_ARCH_GET_SECUREBOOT 1845 + def_bool EFI 1846 + 1844 1847 endmenu
+1
arch/powerpc/Kconfig
··· 1061 1061 depends on IMA_ARCH_POLICY 1062 1062 imply IMA_SECURE_AND_OR_TRUSTED_BOOT 1063 1063 select PSERIES_PLPKS if PPC_PSERIES 1064 + select HAVE_ARCH_GET_SECUREBOOT 1064 1065 help 1065 1066 Systems with firmware secure boot enabled need to define security 1066 1067 policies to extend secure boot to the OS. This config allows a user
+1
arch/s390/Kconfig
··· 181 181 select GENERIC_IOREMAP if PCI 182 182 select HAVE_ALIGNED_STRUCT_PAGE 183 183 select HAVE_ARCH_AUDITSYSCALL 184 + select HAVE_ARCH_GET_SECUREBOOT 184 185 select HAVE_ARCH_JUMP_LABEL 185 186 select HAVE_ARCH_JUMP_LABEL_RELATIVE 186 187 select HAVE_ARCH_KASAN
+5 -5
arch/s390/kernel/ipl.c
··· 2388 2388 diag_amode31_ops.diag308_reset(); 2389 2389 } 2390 2390 2391 + bool arch_get_secureboot(void) 2392 + { 2393 + return ipl_secure_flag; 2394 + } 2395 + 2391 2396 #ifdef CONFIG_KEXEC_FILE 2392 2397 2393 2398 int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf, ··· 2508 2503 BUG_ON(ptr > buf + report->size); 2509 2504 out: 2510 2505 return buf; 2511 - } 2512 - 2513 - bool arch_get_secureboot(void) 2514 - { 2515 - return ipl_secure_flag; 2516 2506 } 2517 2507 2518 2508 int ipl_report_free(struct ipl_report *report)
+4
include/linux/secure_boot.h
··· 10 10 11 11 #include <linux/types.h> 12 12 13 + #ifdef CONFIG_HAVE_ARCH_GET_SECUREBOOT 13 14 /* 14 15 * Returns true if the platform secure boot is enabled. 15 16 * Returns false if disabled or not supported. 16 17 */ 17 18 bool arch_get_secureboot(void); 19 + #else 20 + static inline bool arch_get_secureboot(void) { return false; } 21 + #endif 18 22 19 23 #endif /* _LINUX_SECURE_BOOT_H */
+1 -1
security/integrity/Makefile
··· 5 5 6 6 obj-$(CONFIG_INTEGRITY) += integrity.o 7 7 8 - integrity-y := iint.o secure_boot.o 8 + integrity-y := iint.o 9 9 integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o 10 10 integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o 11 11 integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
-16
security/integrity/secure_boot.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * Copyright (C) 2026 Red Hat, Inc. All Rights Reserved. 4 - * 5 - * Author: Coiby Xu <coxu@redhat.com> 6 - */ 7 - #include <linux/secure_boot.h> 8 - 9 - /* 10 - * Default weak implementation. 11 - * Architectures that support secure boot must override this. 12 - */ 13 - __weak bool arch_get_secureboot(void) 14 - { 15 - return false; 16 - }