On Wed, Apr 29, 2026 at 9:33 AM Roberto Sassu <[email protected]> wrote:
> On Mon, 2026-04-27 at 21:31 -0400, Paul Moore wrote:
> > On Fri, Apr 24, 2026 at 6:49 PM Mimi Zohar <[email protected]> wrote:
> > > On Fri, 2026-04-24 at 18:10 -0400, Paul Moore wrote:
> > > > (I'm assuming you meant initcall and not syscall above, but if you're
> > > > talking about something else, please let me know.)
> > > >
> > > > Saying that you aren't comfortable moving IMA initialization to
> > > > late-sync is inconsistent with allowing IMA initialization to be
> > > > deferred to late-sync. Either it is okay to initialize IMA in
> > > > late-sync or it isn't. You must pick one.
> > >
> > > Yes, we're discussing late_initcall and late_initcall_sync.
> > >
> > > I prefer to look at it as being pragmatic. I'd rather err on the side of
> > > caution
> > > and not move the syscall to late_initcall_sync, than move it.
> >
> > If you were truly erring on the side of caution you wouldn't allow
> > late-sync initialization without knowing if it was safe or not.
> > Determine whether IMA initialization is safe at late-sync. If it is
> > safe, move the init to late-sync; if not, keep it at late and figure
> > out another mechanism to sync with the TPM availability. If needed,
> > you could probably use the LSM notifier to enable the TPM driver to
> > signal when it is up and running.
>
> Yes, I agree with you, or transition or not.
>
> However, all of this looks very fragile and easy to be broken. If we
> want to be on the safe side, we can use any notification mechanism that
> is suitable, but at the same time from IMA side we need to deny any
> file access that would require a measurement until the TPM comes up.
>
> If you accept this, I don't have any problem to move to late_sync.
To be perfectly honest, I don't care what the solution to the IMA/TPM dependency issue looks like as long as it doesn't involve simply trying to initialize IMA multiple times hoping that at one of those times all of the dependencies have been satisfied and it isn't too late. If the notifier helps you solve this, great. If the notifier isn't helpful, that's fine too. If you need to decompose IMA initialization into a multi-step process spread across multiple initcall levels, that's okay; we do that with other LSMs. However, calling into the same init code across multiple initcall levels is not okay; you need to figure out what is needed when, and establish some synchronization mechanisms to provide some assurance that the system will boot up correctly.

--
paul-moore.com
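A userspace model of what the two replies above sketch: IMA initialization split into a TPM-independent step that runs exactly once and a TPM-dependent step entered from a notifier, with a file-open hook that fails closed on measurement-required opens until the TPM is up. This is an added example, not code from the kernel, from IMA, or from any participant in the thread. The notifier chain, the TPM_CHIP_READY event, tpm_chip_register(), ima_init(), ima_file_open(), model_reset() and the toy "/usr/bin/" measure rule are all assumed stand-ins for the real kernel interfaces.

```c
/*
 * Userspace model of staged IMA init gated on TPM availability.
 * Added example: every name here is a stand-in, not a kernel API.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal notifier chain in the shape of the kernel's blocking notifiers. */
typedef int (*notifier_fn_t)(unsigned long event, void *data);
struct notifier_block {
	notifier_fn_t notifier_call;
	struct notifier_block *next;
};

#define TPM_CHIP_READY 1UL                     /* hypothetical event id */
static struct notifier_block *tpm_ready_chain; /* hypothetical chain */

static void tpm_ready_register(struct notifier_block *nb)
{
	nb->next = tpm_ready_chain;
	tpm_ready_chain = nb;
}

static void tpm_ready_call_chain(unsigned long event, void *data)
{
	for (struct notifier_block *nb = tpm_ready_chain; nb; nb = nb->next)
		nb->notifier_call(event, data);
}

/* "TPM driver": fires the chain once the chip is usable, whenever that is. */
static bool tpm_present;
int tpm_chip_register(void)
{
	tpm_present = true;
	tpm_ready_call_chain(TPM_CHIP_READY, NULL);
	return 0;
}

/* IMA: step 1 (policy) needs no TPM and runs once; step 2 (measuring) is
 * entered only when a TPM is known to be present. */
enum ima_state { IMA_UNINIT, IMA_POLICY_LOADED, IMA_MEASURING };
static enum ima_state ima_state;
static int ima_measurements;

static int ima_tpm_notify(unsigned long event, void *data)
{
	(void)data;
	if (event == TPM_CHIP_READY && ima_state == IMA_POLICY_LOADED)
		ima_state = IMA_MEASURING;
	return 0;
}
static struct notifier_block ima_tpm_nb = { .notifier_call = ima_tpm_notify };

int ima_init(void)
{
	if (ima_state != IMA_UNINIT)
		return -EBUSY;   /* the same init code is never run twice */
	ima_state = IMA_POLICY_LOADED;
	tpm_ready_register(&ima_tpm_nb);
	/* TPM already probed: no event is coming, so take step 2 now. In the
	 * kernel this register-then-check must be serialized with the driver. */
	if (tpm_present)
		ima_state = IMA_MEASURING;
	return 0;
}

/* Toy stand-in for an IMA measure rule: measure executables under /usr/bin. */
static bool ima_policy_requires_measurement(const char *path)
{
	return strncmp(path, "/usr/bin/", 9) == 0;
}

/* File-open hook. Before a policy exists nothing is measured (assumption);
 * once a policy exists, an open it would measure is refused until the TPM
 * is up, which is the fail-closed behaviour proposed in the thread. */
int ima_file_open(const char *path)
{
	if (ima_state == IMA_UNINIT || !ima_policy_requires_measurement(path))
		return 0;
	if (ima_state != IMA_MEASURING)
		return -EACCES;
	ima_measurements++;  /* real code: hash the file, extend a PCR, log it */
	return 0;
}

int ima_measurement_count(void) { return ima_measurements; }

void model_reset(void)
{
	tpm_ready_chain = NULL;
	tpm_present = false;
	ima_state = IMA_UNINIT;
	ima_measurements = 0;
}

int main(void)
{
	model_reset();
	ima_init();
	printf("before TPM: open /usr/bin/ls -> %d\n", ima_file_open("/usr/bin/ls"));
	tpm_chip_register();
	printf("after TPM:  open /usr/bin/ls -> %d, measured=%d\n",
	       ima_file_open("/usr/bin/ls"), ima_measurement_count());
	return 0;
}
```

The point of ima_init() is that it both subscribes to the notifier and checks tpm_present afterwards, so it is correct whether the TPM probes before or after the initcall level IMA runs at, and it refuses to run a second time rather than being retried from several initcall levels.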

