[RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework

Mimi Zohar zohar at linux.ibm.com
Fri May 30 22:03:35 UTC 2025


On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> This patch converts IMA and EVM to use the LSM framework's initcall
> mechanism.  There were two challenges to doing this conversion: the
> first simply being the number of initcalls across IMA and EVM, and the
> second was the number of resources shared between the two related,
> yet independent LSMs.

There are a number of initcalls under integrity/platform/, which load
arch-specific keys onto the platform and machine keyrings, which shouldn't be
included in this patch.

> 
> The first problem was resolved by the creation of two new functions,
> integrity_device_init() and integrity_late_init(), with each focused on
> calling all of the various IMA/EVM initcalls for a single initcall type.
> The second problem was resolved by registering both of these new
> functions as initcalls for each LSM and including code in each
> registered initcall to ensure it only executes once.

With the above change, there obviously will be a lot fewer initcalls, but it
might still make sense to keep the common ima/evm function.

Mimi