3 files changed, 47 insertions, 3 deletions
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index f0910a1e1db7..eb51b0e1189c 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -151,4 +151,6 @@ ifeq ($(CONFIG_X86_64),y)
        obj-y                           += vsmp_64.o
 endif
+ifdef CONFIG_EFI
 obj-$(CONFIG_IMA)                       += ima_arch.o
+endif
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 6c248616ee57..e47cd9390ab4 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -7,10 +7,52 @@
 extern struct boot_params boot_params;
+static enum efi_secureboot_mode get_sb_mode(void)
+{
+        efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
+        efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
+        efi_status_t status;
+        unsigned long size;
+        u8 secboot;
+        size = sizeof(secboot);
+        /* Get variable contents into buffer */
+        status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
+                                  NULL, &size, &secboot);
+        if (status == EFI_NOT_FOUND) {
+                pr_info("ima: secureboot mode disabled\n");
+                return efi_secureboot_mode_disabled;
+        }
+        if (status != EFI_SUCCESS) {
+                pr_info("ima: secureboot mode unknown\n");
+                return efi_secureboot_mode_unknown;
+        }
+        if (secboot == 0) {
+                pr_info("ima: secureboot mode disabled\n");
+                return efi_secureboot_mode_disabled;
+        }
+        pr_info("ima: secureboot mode enabled\n");
+        return efi_secureboot_mode_enabled;
+}
 bool arch_ima_get_secureboot(void)
 {
-        if (efi_enabled(EFI_BOOT) &&
+        static enum efi_secureboot_mode sb_mode;
-                (boot_params.secure_boot == efi_secureboot_mode_enabled))
+        static bool initialized;
+        if (!initialized && efi_enabled(EFI_BOOT)) {
+                sb_mode = boot_params.secure_boot;
+                if (sb_mode == efi_secureboot_mode_unset)
+                        sb_mode = get_sb_mode();
+                initialized = true;
+        }
+        if (sb_mode == efi_secureboot_mode_enabled)
                return true;
        else
                return false;
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 5ab9134d4fd7..b5e16b8c50b7 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -30,7 +30,7 @@ extern void ima_post_path_mknod(struct dentry *dentry);
 extern void ima_add_kexec_buffer(struct kimage *image);
 #endif
-#ifdef CONFIG_X86
+#if defined(CONFIG_X86) && defined(CONFIG_EFI)
 extern bool arch_ima_get_secureboot(void);
 extern const char * const *arch_get_ima_policy(void);
 #else

diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index f0910a1e1db7..eb51b0e1189c 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile
@@ -151,4 +151,6 @@ ifeq ($(CONFIG_X86_64),y)
151	obj-y += vsmp_64.o	151	obj-y += vsmp_64.o
152	endif	152	endif
153		153
		154	ifdef CONFIG_EFI
154	obj-$(CONFIG_IMA) += ima_arch.o	155	obj-$(CONFIG_IMA) += ima_arch.o
		156	endif


diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c index 6c248616ee57..e47cd9390ab4 100644 --- a/arch/x86/kernel/ima_arch.c +++ b/arch/x86/kernel/ima_arch.c
@@ -7,10 +7,52 @@
7		7
8	extern struct boot_params boot_params;	8	extern struct boot_params boot_params;
9		9
		10	static enum efi_secureboot_mode get_sb_mode(void)
		11	{
		12	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
		13	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
		14	efi_status_t status;
		15	unsigned long size;
		16	u8 secboot;
		17
		18	size = sizeof(secboot);
		19
		20	/* Get variable contents into buffer */
		21	status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
		22	NULL, &size, &secboot);
		23	if (status == EFI_NOT_FOUND) {
		24	pr_info("ima: secureboot mode disabled\n");
		25	return efi_secureboot_mode_disabled;
		26	}
		27
		28	if (status != EFI_SUCCESS) {
		29	pr_info("ima: secureboot mode unknown\n");
		30	return efi_secureboot_mode_unknown;
		31	}
		32
		33	if (secboot == 0) {
		34	pr_info("ima: secureboot mode disabled\n");
		35	return efi_secureboot_mode_disabled;
		36	}
		37
		38	pr_info("ima: secureboot mode enabled\n");
		39	return efi_secureboot_mode_enabled;
		40	}
		41
10	bool arch_ima_get_secureboot(void)	42	bool arch_ima_get_secureboot(void)
11	{	43	{
12	if (efi_enabled(EFI_BOOT) &&	44	static enum efi_secureboot_mode sb_mode;
13	(boot_params.secure_boot == efi_secureboot_mode_enabled))	45	static bool initialized;
		46
		47	if (!initialized && efi_enabled(EFI_BOOT)) {
		48	sb_mode = boot_params.secure_boot;
		49
		50	if (sb_mode == efi_secureboot_mode_unset)
		51	sb_mode = get_sb_mode();
		52	initialized = true;
		53	}
		54
		55	if (sb_mode == efi_secureboot_mode_enabled)
14	return true;	56	return true;
15	else	57	else
16	return false;	58	return false;


diff --git a/include/linux/ima.h b/include/linux/ima.h index 5ab9134d4fd7..b5e16b8c50b7 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h
@@ -30,7 +30,7 @@ extern void ima_post_path_mknod(struct dentry *dentry);
30	extern void ima_add_kexec_buffer(struct kimage *image);	30	extern void ima_add_kexec_buffer(struct kimage *image);
31	#endif	31	#endif
32		32
33	#ifdef CONFIG_X86	33	#if defined(CONFIG_X86) && defined(CONFIG_EFI)
34	extern bool arch_ima_get_secureboot(void);	34	extern bool arch_ima_get_secureboot(void);
35	extern const char * const *arch_get_ima_policy(void);	35	extern const char * const *arch_get_ima_policy(void);
36	#else	36	#else