> Hi Mimi, > > > On Wed, 2026-04-22 at 17:24 +0100, Yeoreum Yun wrote: > > > To generate the boot_aggregate log in the IMA subsystem with TPM PCR > > > values, > > > the TPM driver must be built as built-in and > > > must be probed before the IMA subsystem is initialized. > > > > > > However, when the TPM device operates over the FF-A protocol using > > > the CRB interface, probing fails and returns -EPROBE_DEFER if > > > the tpm_crb_ffa device — an FF-A device that provides the communication > > > interface to the tpm_crb driver — has not yet been probed. > > > > > > To ensure the TPM device operating over the FF-A protocol with > > > the CRB interface is probed before IMA initialization, > > > the following conditions must be met: > > > > > > 1. The corresponding ffa_device must be registered, > > > which is done via ffa_init(). > > > > > > 2. The tpm_crb_driver must successfully probe this device via > > > tpm_crb_ffa_init(). > > > > > > 3. The tpm_crb driver using CRB over FF-A can then > > > be probed successfully. (See crb_acpi_add() and > > > tpm_crb_ffa_init() for reference.) > > > > > > Unfortunately, ffa_init(), tpm_crb_ffa_init(), and crb_acpi_driver_init() > > > are > > > all registered with device_initcall, which means crb_acpi_driver_init() > > > may > > > be invoked before ffa_init() and tpm_crb_ffa_init() are completed. > > > > > > When this occurs, probing the TPM device is deferred. > > > However, the deferred probe can happen after the IMA subsystem > > > has already been initialized, since IMA initialization is performed > > > during late_initcall, and deferred_probe_initcall() is performed > > > at the same level. > > > > > > To resolve this, call ima_init() again at late_inicall_sync level > > > so that let IMA not miss TPM PCR value when generating boot_aggregate > > > log though TPM device presents in the system. > > > > > > Signed-off-by: Yeoreum Yun <[email protected]> > > > > A lot of change for just detecting whether ima_init() is being called on > > late_initcall or late_initcall_sync(), without any explanation for all the > > other > > changes (e.g. ima_init_core). > > > > Please just limit the change to just calling ima_init() twice. > > My concern is that ima_update_policy_flags() will be called > when ima_init() is deferred -- not initialised anything. > though functionally, it might be okay however, > I think ima_update_policy_flags() and notifier should work after ima_init() > works logically. > > This change I think not much quite a lot. just wrapper ima_init() with > ima_init_core() with some error handling. > > Am I missing something?
Also, if we handle in ima_init() only, but it failed with other reason, we shouldn't call again ima_init() in the late_initcall_sync. To handle this, It wouldn't do in the ima_init() but we need to handle it by caller of ima_init(). -- Sincerely, Yeoreum Yun
