0914ade209
Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch defines the new arch specific function called arch_ima_get_secureboot() to retrieve the secureboot state of the system. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Suggested-by: Seth Forshee <seth.forshee@canonical.com> Cc: David Howells <dhowells@redhat.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Peter Jones <pjones@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Dave Young <dyoung@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
18 lines
338 B
C
18 lines
338 B
C
/* SPDX-License-Identifier: GPL-2.0+ */
|
|
/*
|
|
* Copyright (C) 2018 IBM Corporation
|
|
*/
|
|
#include <linux/efi.h>
|
|
#include <linux/ima.h>
|
|
|
|
extern struct boot_params boot_params;
|
|
|
|
bool arch_ima_get_secureboot(void)
|
|
{
|
|
if (efi_enabled(EFI_BOOT) &&
|
|
(boot_params.secure_boot == efi_secureboot_mode_enabled))
|
|
return true;
|
|
else
|
|
return false;
|
|
}
|