On Fri, Apr 24, 2026 at 6:49 PM Mimi Zohar <[email protected]> wrote: > On Fri, 2026-04-24 at 18:10 -0400, Paul Moore wrote: > > (I'm assuming you meant initcall and not syscall above, but if you're > > talking about something else, please let me know.) > > > > Saying that you aren't comfortable moving IMA initialization to > > late-sync is inconsistent with allowing IMA initialization to be > > deferred to late-sync. Either it is okay to initialize IMA in > > late-sync or it isn't. You must pick one. > > Yes, we're discussing late_initcall and late_initcall_sync. > > I prefer to look at it as being pragmatic. I'd rather err on the side of > caution > and not move the syscall to late_initcall_sync, than move it.
If you were truly erring on the side of caution you wouldn't allow late-sync initialization without knowing if it was safe or not. Determine whether IMA initialization is safe at late-sync. If it is safe, move the init to late-sync; if not, keep it at late and figure out another mechanism to sync with the TPM availability. If needed, you could probably use the LSM notifier to enable the TPM driver to signal when it is up and running. -- paul-moore.com
