On Tue, 2020-10-13 at 18:59 +0200, Ard Biesheuvel wrote: > Suggestion: can we take the get_sb_mode() code from ima_arch.c in > arch/x86, and generalize it for all EFI architectures? That way, we > can enable 32-bit ARM and RISC-V seamlessly once someone gets around > to enabling IMA on those platforms. In fact, get_sb_mode() itself > should probably be factored out into a generic helper for use outside > of IMA as well (Xen/x86 has code that does roughly the same already) On Power, there are three different policies - secure, trusted, and secure & trusted boot policy rules. Based on whether secure or trusted boot is enabled, the appropriate policy is enabled. On x86, if secure_boot is enabled (and CONFIG_IMA_ARCH_POLICY is enabled) both the secure and trusted boot rules are defined. Is this design fine enough granularity or should should there be a get_trustedboot_mode() function as well? Agreed, the code should not be duplicated across arch's. As for making get_sb_mode() generic, not dependent on IMA, where would it reside? Would this be in EFI? thanks, Mimi
