Re: [PATCH v2] ima: defer arch_ima_get_secureboot() call to IMA init time
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-10-13 19:47:44
Also in:
linux-efi, linux-integrity, linuxppc-dev
On Tue, 2020-10-13 at 18:59 +0200, Ard Biesheuvel wrote:
> Suggestion: can we take the get_sb_mode() code from ima_arch.c in arch/x86, and generalize it for all EFI architectures? That way, we can enable 32-bit ARM and RISC-V seamlessly once someone gets around to enabling IMA on those platforms. In fact, get_sb_mode() itself should probably be factored out into a generic helper for use outside of IMA as well (Xen/x86 has code that does roughly the same already)

On Power, there are three different policies - secure, trusted, and secure & trusted boot policy rules. Based on whether secure or trusted boot is enabled, the appropriate policy is enabled. On x86, if secure_boot is enabled (and CONFIG_IMA_ARCH_POLICY is enabled) both the secure and trusted boot rules are defined. Is this design fine enough granularity or should there be a get_trustedboot_mode() function as well?

Agreed, the code should not be duplicated across arches. As for making get_sb_mode() generic, not dependent on IMA, where would it reside? Would this be in EFI?

thanks,

Mimi