[RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework

Paul Moore paul at paul-moore.com
Wed Jun 11 20:09:06 UTC 2025


On Wed, May 14, 2025 at 9:06 AM John Johansen
<john.johansen at canonical.com> wrote:
> On 4/9/25 11:50, Paul Moore wrote:
> > This patch converts IMA and EVM to use the LSM frameworks's initcall
> > mechanism.  There were two challenges to doing this conversion: the
> > first simply being the number of initcalls across IMA and EVM, and the
> > second was the number of resources shared between the two related,
> > yet independent LSMs.
> >
> > The first problem was resolved by the creation of two new functions,
> > integrity_device_init() and integrity_late_init(), with each focused on
> > calling all of the various IMA/EVM initcalls for a single initcall type.
> > The second problem was resolved by registering both of these new
> > functions as initcalls for each LSM and including code in each
> > registered initcall to ensure it only executes once.
> >
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> >   security/integrity/Makefile                   |  2 +-
> >   security/integrity/evm/evm_main.c             |  7 +-
> >   security/integrity/iint.c                     |  4 +-
> >   security/integrity/ima/ima_main.c             |  7 +-
> >   security/integrity/ima/ima_mok.c              |  4 +-
> >   security/integrity/initcalls.c                | 97 +++++++++++++++++++
> >   security/integrity/initcalls.h                | 23 +++++
> >   .../integrity/platform_certs/load_ipl_s390.c  |  4 +-
> >   .../integrity/platform_certs/load_powerpc.c   |  4 +-
> >   security/integrity/platform_certs/load_uefi.c |  4 +-
> >   .../platform_certs/machine_keyring.c          |  4 +-
> >   .../platform_certs/platform_keyring.c         | 14 ++-
> >   12 files changed, 147 insertions(+), 27 deletions(-)
> >   create mode 100644 security/integrity/initcalls.c
> >   create mode 100644 security/integrity/initcalls.h

...

> > diff --git a/security/integrity/initcalls.c b/security/integrity/initcalls.c
> > new file mode 100644
> > index 000000000000..de39754a1c2c
> > --- /dev/null
> > +++ b/security/integrity/initcalls.c
> > @@ -0,0 +1,97 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Platform certificate / keyring initcalls
> > + *
> > + */
> > +
> > +#include <linux/init.h>
> > +
> > +#include "initcalls.h"
> > +
> > +/**
> > + * integrity_device_init - device_initcalls for IMA/EVM
> > + *
> > + * This helper function wraps all of the device_initcalls for both IMA and EVM.
> > + * It can be called multiple times, e.g. once from IMA and once from EVM,
> > + * without problem as it maintains an internal static state variable which
> > + * ensures that any setup/initialization is only done once.
> > + */
> > +int __init integrity_device_init(void)
> > +{
> > +     int rc = 0, rc_tmp;
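Review bot: the file-header comment at the top of initcalls.c ("Platform certificate / keyring initcalls") does not match what the kernel-doc for integrity_device_init() says the file does, namely wrap all of the device_initcalls for both IMA and EVM; suggest changing the header to something like "IMA/EVM initcall wrappers" so readers of the new file are not misled. Also, `int rc = 0, rc_tmp;` declares rc_tmp unconditionally while its only uses will presumably sit inside config-guarded blocks, so a configuration with none of those options enabled will fail under -Werror=unused-variable; either mark it `__maybe_unused` or declare it inside the guarded blocks where it is actually used.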
> if none of the below config options are defined then rc_tmp is unused and the build can kick out with
>
> ../security/integrity/initcalls.c:21:21: error: unused variable ‘rc_tmp’ [-Werror=unused-variable]

Thanks.  I fixed this by adding a __maybe_unused annotation as that
seemed like the cleanest fix.

-- 
paul-moore.com