Dev news

Commit 9cdca336677b for kernel

commit 9cdca336677b4d15579ec462e33c8a330ab3a9de
Merge: ba314ed1bff9 82bbd447199f
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 17 15:42:01 2026 -0700

    Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

    Pull integrity updates from Mimi Zohar:
     "There are two main changes, one feature removal, some code cleanup,
      and a number of bug fixes.

      Main changes:
       - Detecting secure boot mode was limited to IMA. Make detecting
         secure boot mode accessible to EVM and other LSMs
       - IMA sigv3 support was limited to fsverity. Add IMA sigv3 support
         for IMA regular file hashes and EVM portable signatures

      Remove:
       - Remove IMA support for asychronous hash calculation originally
         added for hardware acceleration

      Cleanup:
       - Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG
         tests
       - Add descriptions of the IMA atomic flags

      Bug fixes:
       - Like IMA, properly limit EVM "fix" mode
       - Define and call evm_fix_hmac() to update security.evm
       - Fallback to using i_version to detect file change for filesystems
         that do not support STATX_CHANGE_COOKIE
       - Address missing kernel support for configured (new) TPM hash
         algorithms
       - Add missing crypto_shash_final() return value"

    * tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
      evm: Enforce signatures version 3 with new EVM policy 'bit 3'
      integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
      ima: add support to require IMA sigv3 signatures
      ima: add regular file data hash signature version 3 support
      ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
      ima: remove buggy support for asynchronous hashes
      integrity: Eliminate weak definition of arch_get_secureboot()
      ima: Add code comments to explain IMA iint cache atomic_flags
      ima_fs: Correctly create securityfs files for unsupported hash algos
      ima: check return value of crypto_shash_final() in boot aggregate
      ima: Define and use a digest_size field in the ima_algo_desc structure
      powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
      ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
      ima: fallback to using i_version to detect file change
      evm: fix security.evm for a file with IMA signature
      s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
      evm: Don't enable fix mode when secure boot is enabled
      integrity: Make arch_ima_get_secureboot integrity-wide