On Thu, 2026-01-15 at 08:43 +0800, Coiby Xu wrote:

EVM and other LSMs need the ability to query the secure boot status of
the system, without directly calling the IMA arch_ima_get_secureboot
function. Refactor the secure boot status check into a general,
integrity-wide function named arch_integrity_get_secureboot.

Define a new Kconfig option CONFIG_INTEGRITY_SECURE_BOOT, which is
automatically configured by the supported architectures. The existing
IMA_SECURE_AND_OR_TRUSTED_BOOT Kconfig loads the architecture specific
IMA policy based on the refactored secure boot status code.

Reported-and-suggested-by: Mimi Zohar [off-list ref]
Suggested-by: Roberto Sassu <redacted>
Signed-off-by: Coiby Xu <redacted>

Thanks, Coiby!

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>