On Mon, 2026-06-01 at 15:27 +0100, Yeoreum Yun wrote:
> From: Jonathan McDowell <[email protected]>
>
> The Linux IMA (Integrity Measurement Architecture) subsystem used for
> secure boot, file integrity, or remote attestation cannot be a loadable
> module for a few reasons listed below:
>
> o Boot-Time Integrity: IMA's main role is to measure and appraise files
>   before they are used. This includes measuring critical system files
>   during early boot (e.g., init, init scripts, login binaries). If IMA
>   were a module, it would be loaded too late to cover those.
>
> o TPM Dependency: IMA integrates tightly with the TPM to record
>   measurements into PCRs. The TPM must be initialized early (ideally
>   before init_ima()), which aligns with IMA being built-in.
>
> o Security Model: IMA is part of a Trusted Computing Base (TCB). Making
>   it a module would weaken the security model, as a potentially
>   compromised system could delay or tamper with its initialization.
>
> IMA must be built-in to ensure it starts measuring from the earliest
> possible point in boot, which in turn implies the TPM must be initialised and
> ready to use before IMA.
>
> Unfortunately some TPM drivers (such as Arm FF-A, or SPI attached TPM
> devices) are not reliably available during the initcall_late stage,
> resulting in a log error:
>
>   ima: No TPM chip found, activating TPM-bypass!
>
> To address this issue, IMA_INIT_LATE_SYNC is introduced.
> However, a remote attestation service cannot determine when IMA has been
> initialized because the boot_aggregate measurement name remains unchanged,
> even though IMA is initialized later at late_initcall_sync when
> IMA_INIT_LATE_SYNC is enabled.
>
> Therefore, use a distinct boot_aggregate name when IMA_INIT_LATE_SYNC
> is enabled, allowing the remote attestation service to identify
> when IMA has been initialized.
>
> Signed-off-by: Jonathan McDowell <[email protected]>
> [[email protected]: modified to align with the IMA_INIT_LATE_SYNC change]
Thanks, Yeoreum. This version requires your Signed-off-by tag as well as
Jonathan's. Otherwise the patch looks good.

Mimi
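The verifier-side consequence of the change above, as an added example that is not code from the patch, the kernel, or either participant: a remote attestation service reads the IMA measurement log (the format of /sys/kernel/security/ima/ascii_runtime_measurements), looks at the name of the first entry to decide whether IMA came up early, came up late, or ran in TPM-bypass mode, and recomputes the boot_aggregate digest from the quoted PCR values the way the kernel does (PCR0..PCR7 for sha1; PCR0..PCR9 for other algorithms). Assumptions, since the message does not state them: the late-init template name is written here as `boot_aggregate_late` (hypothetical; substitute whatever name the merged patch uses), the IMA PCR is the default 10, and the PCR values and log lines are constructed for the example.

```python
"""Verifier-side checks on an IMA measurement log (added example, not kernel code).

Parses ascii_runtime_measurements-style lines, classifies how IMA was
initialised from the first entry, and recomputes boot_aggregate from PCRs.
"""
import hashlib
from dataclasses import dataclass

IMA_PCR = 10                           # default CONFIG_IMA_MEASURE_PCR_IDX
EARLY_NAME = "boot_aggregate"          # name recorded when IMA initialises normally
LATE_NAME = "boot_aggregate_late"      # ASSUMED name for the IMA_INIT_LATE_SYNC case


@dataclass
class ImaEntry:
    pcr: int
    template_hash: str
    template: str
    algo: str
    file_hash: str
    path: str


def parse_ima_log(text: str) -> list:
    """Parse 'PCR template-hash template [alg:]digest path [sig]' lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(maxsplit=4)
        if len(fields) < 5:
            raise ValueError(f"malformed IMA entry: {line!r}")
        pcr, thash, template, digest, rest = fields
        # ima-ng / ima-sig carry "alg:hex"; the legacy "ima" template has bare sha1 hex.
        algo, sep, fhash = digest.partition(":")
        if not sep:
            algo, fhash = "sha1", algo
        path = rest.split()[0]         # ima-sig appends a signature after the path
        entries.append(ImaEntry(int(pcr), thash, template, algo, fhash, path))
    return entries


def boot_aggregate(pcrs: dict, algo: str) -> str:
    """Recompute boot_aggregate as the kernel does: hash over PCR0..PCR7,
    with PCR8 and PCR9 also folded in for non-SHA1 digests."""
    h = hashlib.new(algo)
    last = 7 if algo == "sha1" else 9
    for i in range(last + 1):
        h.update(pcrs[i])
    return h.hexdigest()


def classify_ima_init(entries: list) -> str:
    """Return 'early', 'late', 'bypass' or 'missing' based on the first log entry."""
    if not entries:
        return "missing"
    first = entries[0]
    if first.pcr != IMA_PCR or first.path not in (EARLY_NAME, LATE_NAME):
        return "missing"
    # With no TPM (TPM-bypass) the kernel records an all-zero boot_aggregate digest.
    if set(first.file_hash) == {"0"}:
        return "bypass"
    return "late" if first.path == LATE_NAME else "early"


def verify_boot_aggregate(entry: ImaEntry, pcrs: dict) -> bool:
    """True if the logged boot_aggregate matches the digest recomputed from PCRs."""
    return entry.file_hash == boot_aggregate(pcrs, entry.algo)


# Constructed sample data (not real measurements): PCR i holds byte i repeated.
SAMPLE_PCRS = {i: bytes([i]) * 32 for i in range(10)}
SAMPLE_LOG = (
    f"10 {'ab' * 32} ima-ng sha256:{boot_aggregate(SAMPLE_PCRS, 'sha256')} {EARLY_NAME}\n"
    f"10 {'cd' * 32} ima-ng sha256:{'11' * 32} /init\n"
)

if __name__ == "__main__":
    log = parse_ima_log(SAMPLE_LOG)
    print("IMA init:", classify_ima_init(log))
    print("boot_aggregate matches PCRs:", verify_boot_aggregate(log[0], SAMPLE_PCRS))
```

A verifier that sees `late` knows the log cannot vouch for anything used before late_initcall_sync and should police that gap with its boot-firmware measurements (PCR0..PCR9) rather than with IMA; `bypass` means the log was never anchored in a TPM at all and should be rejected outright.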

