From 07aa1ca2359ef92fd419971249bee1e130ba406b Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Mon, 26 Jul 2021 17:14:03 +0800
Subject: [PATCH] integrity: use arch_ima_get_secureboot instead of checking
 EFI_SECURE_BOOT when loading MokListRT
Patch-mainline: Never, SUSE only
References: bsc#1188366

CONFIG_IMA_ARCH_POLICY=y and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
also need to be set.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 security/integrity/platform_certs/load_uefi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 4de76d658..cc7e19fa8 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -7,6 +7,7 @@
 #include <linux/err.h>
 #include <linux/efi.h>
 #include <linux/slab.h>
+#include <linux/ima.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include "../integrity.h"
@@ -113,7 +114,7 @@ static int __init load_uefi_certs(void)
 	}
 
 	/* the MOK and MOKx can not be trusted when secure boot is disabled */
-	if (!efi_enabled(EFI_SECURE_BOOT))
+	if (!arch_ima_get_secureboot())
 		return 0;
 
 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT");
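Review bot: The new guard `if (!arch_ima_get_secureboot())` relies on kernel config options that only the commit message mentions; nothing in the code enforces or documents them. If, as in mainline `include/linux/ima.h`, the function is a stub returning false when CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is unset (worth confirming for this tree), such a build would skip MokListRT on every boot. That fails closed, but silently, and the symptom would be MOK-signed modules being rejected with no hint as to why. I would extend the comment above the check, e.g. `/* arch_ima_get_secureboot() needs CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT; without it MOK/MOKx are never loaded */`, and consider a Kconfig dependency or a one-time `pr_info()` on the early-return path. The body of load_uefi_certs() starts and ends outside this hunk, so the surrounding error handling is not visible here.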
-- 
2.26.2