From 07aa1ca2359ef92fd419971249bee1e130ba406b Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Mon, 26 Jul 2021 17:14:03 +0800
Subject: [PATCH] integrity: use arch_ima_get_secureboot instead of checking
EFI_SECURE_BOOT when loading MokListRT
Patch-mainline: Never, SUSE only
References: bsc#1188366
CONFIG_IMA_ARCH_POLICY=y and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
also need to be set.
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
security/integrity/platform_certs/load_uefi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 4de76d658..cc7e19fa8 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -7,6 +7,7 @@
#include <linux/err.h>
#include <linux/efi.h>
#include <linux/slab.h>
+#include <linux/ima.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include "../integrity.h"
@@ -113,7 +114,7 @@ static int __init load_uefi_certs(void)
}
/* the MOK and MOKx can not be trusted when secure boot is disabled */
- if (!efi_enabled(EFI_SECURE_BOOT))
+ if (!arch_ima_get_secureboot())
return 0;
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT");
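Review bot: The early return at `if (!arch_ima_get_secureboot())` now depends on kernel configuration that only the commit message records. If the two options named there are not set, the helper presumably resolves to a stub that reports secure boot as disabled, so MokListRT would be skipped silently even on a secure-boot machine; that fails closed, but it is hard to diagnose from a missing platform key. I would extend the comment above the check to `/* the MOK and MOKx can not be trusted when secure boot is disabled; arch_ima_get_secureboot() needs CONFIG_IMA_ARCH_POLICY and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT */` and log the skip, e.g. `pr_info("secure boot not reported, skipping MokListRT\n");` before `return 0;`. load_uefi_certs() starts and ends outside this hunk, so whether the db/dbx loading above is affected cannot be judged from here.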
--
2.26.2