[PATCH] ima: debugging late_initcall_sync measurements
Mimi Zohar
zohar at linux.ibm.com
Tue May 5 14:02:29 PDT 2026
On Mon, 2026-05-04 at 16:51 -0400, Paul Moore wrote:
> On Mon, May 4, 2026 at 8:03 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > On Sun, 2026-05-03 at 12:46 -0400, Paul Moore wrote:
> > > Regardless, assuming you always want IMA to leverage a TPMs when they
> > > exist, your reply suggests that using an initcall based IMA init
> > > scheme, even a late-sync initcall, may not be sufficient because
> > > deferred TPM initialization could happen later, yes?
> >
> > Well yeah. The TPM could be configured as a module, but that scenario is not of
> > interest. That's way too late. The case being addressed in this patch set is
> > when the TPM driver tries to initialize at device_initcall, returns
> > EPROBE_DEFER, and is retried at deferred_probe_initcall (late_initcall). Since
> > ordering within an initcall is not supported, this patch attempts to initialize
> > IMA at late_initcall and similarly retries, in this case, at late_initcall_sync.
>
> Okay, so from a TPM initialization perspective you are satisfied with
> a late-sync IMA initialization, yes?
No. On some architectures moving IMA initialization from the late_initcall to
late_initcall_sync does not miss any measurement records. However, as previously
mentioned, Linux running in a PowerVM LPAR the move would drop ~30 measurement
records[1]. So no, only if the TPM is not initialized by late_initcall, should
IMA retry at late_initcall_sync.
Mimi
[1]
https://lore.kernel.org/linux-integrity/201b9172ac47c6766443c1f2343cab3548f33c29.camel@linux.ibm.com/
More information about the linux-arm-kernel
mailing list