Changes in efi_secureboot.c en Copyright 2015 Java 9cdca336677b4d15579ec462e33c8a330ab3a9de - Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity http://kernelsources.org:8080/source/history/linux/security/integrity/efi_secureboot.c#9cdca336677b4d15579ec462e33c8a330ab3a9de Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrityPull integrity updates from Mimi Zohar: "There are two main changes, one feature removal, some code cleanup, and a number of bug fixes. Main changes: - Detecting secure boot mode was limited to IMA. Make detecting secure boot mode accessible to EVM and other LSMs - IMA sigv3 support was limited to fsverity. Add IMA sigv3 support for IMA regular file hashes and EVM portable signatures Remove: - Remove IMA support for asychronous hash calculation originally added for hardware acceleration Cleanup: - Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG tests - Add descriptions of the IMA atomic flags Bug fixes: - Like IMA, properly limit EVM "fix" mode - Define and call evm_fix_hmac() to update security.evm - Fallback to using i_version to detect file change for filesystems that do not support STATX_CHANGE_COOKIE - Address missing kernel support for configured (new) TPM hash algorithms - Add missing crypto_shash_final() return value"* tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: evm: Enforce signatures version 3 with new EVM policy 'bit 3' integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG ima: add support to require IMA sigv3 signatures ima: add regular file data hash signature version 3 support ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures ima: remove buggy support for asynchronous hashes integrity: Eliminate weak definition of arch_get_secureboot() ima: Add code comments to explain IMA iint cache atomic_flags ima_fs: Correctly create securityfs files for unsupported hash algos ima: check return value of crypto_shash_final() in boot aggregate ima: Define and use a digest_size field in the ima_algo_desc structure powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG ima: fallback to using i_version to detect file change evm: fix security.evm for a file with IMA signature s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT evm: Don't enable fix mode when secure boot is enabled integrity: Make arch_ima_get_secureboot integrity-wide List of files: /linux/security/integrity/efi_secureboot.c Sat, 18 Apr 2026 00:42:01 +0200 Linus Torvalds <torvalds@linux-foundation.org> 31a6a07eefeb4c84bd6730fbe9e95fd9221712cf - integrity: Make arch_ima_get_secureboot integrity-wide http://kernelsources.org:8080/source/history/linux/security/integrity/efi_secureboot.c#31a6a07eefeb4c84bd6730fbe9e95fd9221712cf integrity: Make arch_ima_get_secureboot integrity-wideEVM and other LSMs need the ability to query the secure boot status ofthe system, without directly calling the IMA arch_ima_get_securebootfunction. Refactor the secure boot status check into a general functionnamed arch_get_secureboot.Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>Signed-off-by: Coiby Xu <coxu@redhat.com>Acked-by: Ard Biesheuvel <ardb@kernel.org>Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> List of files: /linux/security/integrity/efi_secureboot.c Fri, 13 Feb 2026 02:28:46 +0100 Coiby Xu <coxu@redhat.com>