Add IMA arch dependent support for ARM64. Some IMA functions can check
arch-specific status before running. For example, the ima_load_data function
or the boot param "ima_appraise=" should not be executed when UEFI secure
boot is enabled. We want to fill the gap in order to complete the IMA
support on ARM64.

Changes in v3:
- Generalize efi_get_secureboot() so both ima_arch and efistub can reuse it.
- Implement ima_get_efi_secureboot() as the replacement of get_sb_mode() so
  x86 and arm64 can share the same logic.

Changes in v2:
- Separate get_sb_mode() from x86 so all EFI-based architectures can reuse
  the same function.
- Refactor arch/arm64/kernel/ima_arch.c based on Ard's patch[1].

Test platforms:
- ARM64: QEMU [aarch64-virt] + EDK2/OVMF
- ARM64: NXP LX2160A-RDB + EDK2
- X86_64: Dell Latitude 7490 + (BIOS 1.14.0 01/22/2020)

[1] https://www.spinics.net/lists/linux-efi/msg20645.html

Chester Lin (3):
  efi: generalize efi_get_secureboot
  ima: remove get_sb_mode() and create ima_get_efi_secureboot()
  arm64/ima: add ima_arch support

 arch/arm64/Kconfig                        |  1 +
 arch/arm64/kernel/Makefile                |  2 +
 arch/arm64/kernel/ima_arch.c              | 43 +++++++++++++
 arch/x86/kernel/ima_arch.c                | 69 +++++---------------
 drivers/firmware/efi/libstub/Makefile     |  2 +-
 drivers/firmware/efi/libstub/efi-stub.c   |  2 +-
 drivers/firmware/efi/libstub/efistub.h    | 22 ++++---
 drivers/firmware/efi/libstub/secureboot.c | 76 -----------------------
 drivers/firmware/efi/libstub/x86-stub.c   |  2 +-
 include/linux/efi.h                       | 41 +++++++++++-
 include/linux/ima.h                       | 10 +++
 security/integrity/ima/Makefile           |  1 +
 security/integrity/ima/ima_efi.c          | 26 ++++++++
 13 files changed, 154 insertions(+), 143 deletions(-)
 create mode 100644 arch/arm64/kernel/ima_arch.c
 delete mode 100644 drivers/firmware/efi/libstub/secureboot.c
 create mode 100644 security/integrity/ima/ima_efi.c

--
2.28.0