integrity: Eliminate weak definition of arch_get_secureboot()
authorNathan Chancellor <nathan@kernel.org>
Mon, 9 Mar 2026 20:37:02 +0000 (13:37 -0700)
committerMimi Zohar <zohar@linux.ibm.com>
Fri, 13 Mar 2026 15:37:13 +0000 (11:37 -0400)
security/integrity/secure_boot.c contains a single __weak function,
which breaks recordmcount when building with clang:

  $ make -skj"$(nproc)" ARCH=powerpc LLVM=1 ppc64_defconfig security/integrity/secure_boot.o
  Cannot find symbol for section 2: .text.
  security/integrity/secure_boot.o: failed

Introduce a Kconfig symbol, CONFIG_HAVE_ARCH_GET_SECUREBOOT, to indicate
that an architecture provides a definition of arch_get_secureboot().
Provide a static inline stub when this symbol is not defined to achieve
the same effect as the __weak function, allowing secure_boot.c to be
removed altogether. Move the s390 definition of arch_get_secureboot()
out of the CONFIG_KEXEC_FILE block to ensure it is always available, as
it does not actually depend on KEXEC_FILE.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 31a6a07eefeb ("integrity: Make arch_ima_get_secureboot integrity-wide")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
arch/Kconfig
arch/powerpc/Kconfig
arch/s390/Kconfig
arch/s390/kernel/ipl.c
include/linux/secure_boot.h
security/integrity/Makefile
security/integrity/secure_boot.c [deleted file]

index 102ddbd4298efa6246b430f8fe23c8884a6b9454..a6d1c8cc1d64b684ee16b01cab4a8536c2b07087 100644 (file)
@@ -1841,4 +1841,7 @@ config ARCH_WANTS_PRE_LINK_VMLINUX
 config ARCH_HAS_CPU_ATTACK_VECTORS
        bool
 
+config HAVE_ARCH_GET_SECUREBOOT
+       def_bool EFI
+
 endmenu
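Review bot: The new `HAVE_ARCH_GET_SECUREBOOT` entry has no comment, and its `def_bool EFI` default implicitly promises that every EFI-enabled build links a real arch_get_secureboot(). The EFI-side definition and its build condition are not visible in this commit, so confirm the object providing it is built whenever EFI=y and not only under an integrity option; a mismatch would surface as a link error, which is the safe direction. I would add above the entry: `# Architectures that define arch_get_secureboot() select this; all others get a stub that reports secure boot as off.`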
index ad7a2fe63a2a451114d30ef8b5bfbc0b784ae919..da1eafb64354cb4117c372e8be2130503c90c2ae 100644 (file)
@@ -1061,6 +1061,7 @@ config PPC_SECURE_BOOT
        depends on IMA_ARCH_POLICY
        imply IMA_SECURE_AND_OR_TRUSTED_BOOT
        select PSERIES_PLPKS if PPC_PSERIES
+       select HAVE_ARCH_GET_SECUREBOOT
        help
          Systems with firmware secure boot enabled need to define security
          policies to extend secure boot to the OS. This config allows a user
index 2101cc738b5edef2ed007e3e482f8229eab2a7e9..4197c20d34b4460360ed74e74f3fc305785d193b 100644 (file)
@@ -181,6 +181,7 @@ config S390
        select GENERIC_IOREMAP if PCI
        select HAVE_ALIGNED_STRUCT_PAGE
        select HAVE_ARCH_AUDITSYSCALL
+       select HAVE_ARCH_GET_SECUREBOOT
        select HAVE_ARCH_JUMP_LABEL
        select HAVE_ARCH_JUMP_LABEL_RELATIVE
        select HAVE_ARCH_KASAN
index 2d01a17139387cdd68aec0e3e06dbd6727dae464..3c346b02ceb9532486a7573283a595adaedc9510 100644 (file)
@@ -2388,6 +2388,11 @@ void __no_stack_protector s390_reset_system(void)
        diag_amode31_ops.diag308_reset();
 }
 
+bool arch_get_secureboot(void)
+{
+       return ipl_secure_flag;
+}
+
 #ifdef CONFIG_KEXEC_FILE
 
 int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
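Review bot: arch_get_secureboot() is now a non-static definition compiled in every s390 build, so ipl.c must see its prototype from `<linux/secure_boot.h>`; the include list is outside this hunk, so confirm it is there. With the include present, an s390 config that ever loses `select HAVE_ARCH_GET_SECUREBOOT` fails to compile against the static inline stub instead of silently reporting false. A short comment such as `/* Used by integrity code; does not depend on KEXEC_FILE. */` above the function would record why it sits outside the `#ifdef`.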
@@ -2505,11 +2510,6 @@ out:
        return buf;
 }
 
-bool arch_get_secureboot(void)
-{
-       return ipl_secure_flag;
-}
-
 int ipl_report_free(struct ipl_report *report)
 {
        struct ipl_report_component *comp, *ncomp;
index 3ded3f03655c354e8cf96dc69d691b0b3a4c0308..d17e9235156724b5fd8f77057037306f16af3abe 100644 (file)
 
 #include <linux/types.h>
 
+#ifdef CONFIG_HAVE_ARCH_GET_SECUREBOOT
 /*
  * Returns true if the platform secure boot is enabled.
  * Returns false if disabled or not supported.
  */
 bool arch_get_secureboot(void);
+#else
+static inline bool arch_get_secureboot(void) { return false; }
+#endif
 
 #endif /* _LINUX_SECURE_BOOT_H */
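Review bot: The comment "Returns false if disabled or not supported" now sits only on the extern branch, while the new `static inline` stub under `#else` is the case where "not supported" actually applies; move the comment above the `#ifdef` so it documents both. It would also help to state that a false result does not distinguish "firmware reports secure boot off" from "this architecture has no implementation". Callers that presumably tighten integrity policy on a true result will silently keep the relaxed policy if an architecture forgets the `select`. The removed __weak default behaved the same way, so this is not a regression, only something worth writing down next to the stub.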
index 548665e2b702e60c318c02db947666b507583f8f..45dfdedbdad48ecd934a6505dae0d1ca8c934a30 100644 (file)
@@ -5,7 +5,7 @@
 
 obj-$(CONFIG_INTEGRITY) += integrity.o
 
-integrity-y := iint.o secure_boot.o
+integrity-y := iint.o
 integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
 integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
 integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
diff --git a/security/integrity/secure_boot.c b/security/integrity/secure_boot.c
deleted file mode 100644 (file)
index fc2693c..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * Copyright (C) 2026 Red Hat, Inc. All Rights Reserved.
- *
- * Author: Coiby Xu <coxu@redhat.com>
- */
-#include <linux/secure_boot.h>
-
-/*
- * Default weak implementation.
- * Architectures that support secure boot must override this.
- */
-__weak bool arch_get_secureboot(void)
-{
-       return false;
-}