Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBC40C433FE for ; Tue, 14 Dec 2021 15:58:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235455AbhLNP6t (ORCPT ); Tue, 14 Dec 2021 10:58:49 -0500 Received: from smtp-out1.suse.de ([195.135.220.28]:58654 "EHLO smtp-out1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230000AbhLNP6s (ORCPT ); Tue, 14 Dec 2021 10:58:48 -0500 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 1923621136; Tue, 14 Dec 2021 15:58:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1639497527; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=UhhGDQnWony4j1hGbzPdaShVFEiYxyIjzLwj5SPn/zY=; b=Mans+jxwM80rXKffxwZPuwyrgFGUnunDApPsVaknSF7XIeb//gG4+DWdrI0P/TET5JNp0g M6OVM9k6krJbm0glqeYmksEVP2mT+eTQ5Lbzx/dyW2KoQw2uOeaeFAwfB2FBFXBuUyXyG0 jPSyCzxPy20J1mlohBUfZs0JOqE+93U= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1639497527; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=UhhGDQnWony4j1hGbzPdaShVFEiYxyIjzLwj5SPn/zY=; b=ZOkbvo6WQyXJ0KJHnt0N1UwvjcbR78RGSRKN89+621ruS61XRfS21t3ZkwH49XvykP5uiT Vu2tKGlXxX7TWrDw== Received: from alsa1.suse.de (alsa1.suse.de [10.160.4.42]) by relay2.suse.de (Postfix) with ESMTP id 10383A3B89; Tue, 14 Dec 2021 15:58:47 +0000 (UTC) Date: Tue, 14 Dec 2021 16:58:47 +0100 Message-ID: From: Takashi Iwai To: Mimi Zohar Cc: Takashi Iwai , Dmitry Kasatkin , linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Joey Lee Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co In-Reply-To: References: <20211213161145.3447-1-tiwai@suse.de> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 14 Dec 2021 16:31:21 +0100, Mimi Zohar wrote: > > Hi Takashi, > > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote: > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are > > defined only when CONFIG_IMA is set, and this makes the code calling > > those functions without CONFIG_IMA failing. Although there is no such > > in-tree users, but the out-of-tree users already hit it. > > > > Move the declaration and the dummy definition of those functions > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols. > > > > Signed-off-by: Takashi Iwai > > Before lockdown was upstreamed, we made sure that IMA and lockdown > could co-exist. This patch makes the stub functions available even > when IMA is not configured. Do the remaining downstream patches > require IMA to be disabled or can IMA co-exist? I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's used in a part of MODSIGN stuff in SUSE kernels, and it's calling unconditionally this function for checking whether the system is with the Secure Boot or not. thanks, Takashi