[RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework

Paul Moore paul at paul-moore.com
Wed Jun 11 20:27:05 UTC 2025 

On Fri, May 30, 2025 at 6:04 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> > This patch converts IMA and EVM to use the LSM frameworks's initcall
> > mechanism.  There were two challenges to doing this conversion: the
> > first simply being the number of initcalls across IMA and EVM, and the
> > second was the number of resources shared between the two related,
> > yet independent LSMs.
>
> There are a number of the initcalls under integrity/platform/, which load arch
> specific keys onto the platform and machine keyrings, which shouldn't be
> included in this patch.

I don't want to assume too much from your reply, but if the cert/key
loading under integrity/platform shouldn't be subject to the LSM
initcall rework, that implies that the integrity/platform cert/key
loading is independent of IMA/EVM and should perhaps live somewhere
else, e.g. security/keys?

Or am I misunderstanding something?

> > The first problem was resolved by the creation of two new functions,
> > integrity_device_init() and integrity_late_init(), with each focused on
> > calling all of the various IMA/EVM initcalls for a single initcall type.
> > The second problem was resolved by registering both of these new
> > functions as initcalls for each LSM and including code in each
> > registered initcall to ensure it only executes once.
>
> With the above change, there obviously will be a lot fewer initcalls, but it
> might still make sense to keep the common ima/evm function.

I'm not sure I understand, what do you mean by "common ima/evm
function"?  This patch doesn't remove any IMA/EVM functions, it adds
the integrity_device_init() and integrity_late_init() functions to
setup and populate some keyrings.

It's also worth mentioning that the goal of this patchset is not
necessarily to reduce initcalls, but rather to ensure that LSM
initcalls are only executed when the LSM is enabled, and to provide a
mechanism to notify kernel users when all of the LSMs have initialized
themselves.

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list