On Tue, 14 Dec 2021 16:31:21 +0100, Mimi Zohar wrote:
>
> Hi Takashi,
>
> On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > defined only when CONFIG_IMA is set, and this makes the code calling
> > those functions without CONFIG_IMA failing. Although there is no such
> > in-tree users, but the out-of-tree users already hit it.
> >
> > Move the declaration and the dummy definition of those functions
> > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> >
> > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
>
> Before lockdown was upstreamed, we made sure that IMA and lockdown
> could co-exist. This patch makes the stub functions available even
> when IMA is not configured. Do the remaining downstream patches
> require IMA to be disabled or can IMA co-exist?

I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's
used in a part of MODSIGN stuff in SUSE kernels, and it's calling
unconditionally this function for checking whether the system is with
the Secure Boot or not.

thanks,

Takashi