| Message ID | 20260226-ima-ifdef-v1-1-8b9613edbbdb@weissschuh.net (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG | expand |
On Thu, 2026-02-26 at 08:20 +0100, Thomas Weißschuh wrote: > When configuration settings are disabled the guarded functions are > defined as empty stubs, so the check is unnecessary. > > Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Reviewed-by: Aaron Tomlin <atomlin@atomlin.com> > Reviewed-by: Nicolas Schier <nsc@kernel.org> > --- > security/integrity/ima/ima_efi.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c > index 138029bfcce1..a35dd166ad47 100644 > --- a/security/integrity/ima/ima_efi.c > +++ b/security/integrity/ima/ima_efi.c > @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = { > const char * const *arch_get_ima_policy(void) > { > if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > - if (IS_ENABLED(CONFIG_MODULE_SIG)) > - set_module_sig_enforced(); > - if (IS_ENABLED(CONFIG_KEXEC_SIG)) > - set_kexec_sig_enforced(); > + set_module_sig_enforced(); > + set_kexec_sig_enforced(); > return sb_arch_rules; > } > return NULL; Thanks, Thomas. With commit 63e8a44395a4 ("integrity: Make arch_ima_get_secureboot integrity- wide"), there was a merge conflict. After fixing the merge conflict, your patches are now queued in next-integrity. Mimi
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 138029bfcce1..a35dd166ad47 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = { const char * const *arch_get_ima_policy(void) { if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); - if (IS_ENABLED(CONFIG_KEXEC_SIG)) - set_kexec_sig_enforced(); + set_module_sig_enforced(); + set_kexec_sig_enforced(); return sb_arch_rules; } return NULL;