[PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
From: Thomas Weißschuh <linux@weissschuh.net>
Date: 2026-01-13 12:37:45
Also in:
linux-arch, linux-doc, linux-integrity, linux-kbuild, linux-modules, linux-security-module, lkml
Subsystem:
extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers:
Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds
When configuration settings are disabled the guarded functions are defined as empty stubs, so the check is unnecessary. The specific configuration option for set_module_sig_enforced() is about to change and removing the checks avoids some later churn. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> --- security/integrity/ima/ima_efi.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1..a35dd166ad47 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = { const char * const *arch_get_ima_policy(void) { if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); - if (IS_ENABLED(CONFIG_KEXEC_SIG)) - set_kexec_sig_enforced(); + set_module_sig_enforced(); + set_kexec_sig_enforced(); return sb_arch_rules; } return NULL;
--
2.52.0