Comment 30 for bug 1866909

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-04-03 12:45 EDT-------
We've been working with Mimi and I think that what we need now aren't config option changes, but this patch:

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index e341162..c1ea55d 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -50,7 +50,7 @@ bool arch_ima_get_secureboot(void)
"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
"measure func=MODULE_CHECK template=ima-modsig",
"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
-#ifndef CONFIG_MODULE_SIG_FORCE
+#ifndef CONFIG_MODULE_SIG
"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
NULL
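
Review bot: At the `#ifndef CONFIG_MODULE_SIG` guard, the "appraise func=MODULE_CHECK" rule is now compiled out for every kernel built with CONFIG_MODULE_SIG, including builds that do not set CONFIG_MODULE_SIG_FORCE, and nothing in the visible lines says what enforces module signatures in that configuration. Please add a comment above the guard, and a changelog, stating which mechanism rejects unsigned modules when secure boot is on and only CONFIG_MODULE_SIG is set. The rule being dropped also carries appraise_flag=check_blacklist, so the description should say whether a blacklist check still applies to modules once the rule is gone. The "measure func=MODULE_CHECK template=ima-modsig" rule stays unconditional, which looks intended but is worth confirming in the same description.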

We're going to test that, but it's similar to commit 8db5da0b8618 on the x86 side.

It looks like the MODULE_SIG_FORCE/IMA_ARCH_POLICY change is the wrong path right now. But testing that, too. ;)