On Tue, 14 Dec 2021 16:31:21 +0100,
Mimi Zohar wrote:

Hi Takashi,

On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:

quoted

Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
defined only when CONFIG_IMA is set, and this makes the code calling
those functions without CONFIG_IMA failing.  Although there is no such
in-tree users, but the out-of-tree users already hit it.

Move the declaration and the dummy definition of those functions
outside ifdef-CONFIG_IMA block for fixing the undefined symbols.

Signed-off-by: Takashi Iwai <redacted>

Before lockdown was upstreamed, we made sure that IMA and lockdown
could co-exist.  This patch makes the stub functions available even
when IMA is not configured.  Do the remaining downstream patches
require IMA to be disabled or can IMA co-exist?

I guess Joey (Cc'ed) can explain this better.  AFAIK, currently it's
used in a part of MODSIGN stuff in SUSE kernels, and it's calling
unconditionally this function for checking whether the system is with
the Secure Boot or not.


thanks,

Takashi