[RFC PATCH v2 1/4] security: ima: call ima_init() again at late_initcall_sync for deferred TPM
Mimi Zohar
zohar at linux.ibm.com
Fri Apr 24 22:49:26 UTC 2026
On Fri, 2026-04-24 at 18:10 -0400, Paul Moore wrote:
> (I'm assuming you meant initcall and not syscall above, but if you're
> talking about something else, please let me know.)
>
> Saying that you aren't comfortable moving IMA initialization to
> late-sync is inconsistent with allowing IMA initialization to be
> deferred to late-sync. Either it is okay to initialize IMA in
> late-sync or it isn't. You must pick one.

Yes, we're discussing late_initcall and late_initcall_sync.

I prefer to look at it as being pragmatic. I'd rather err on the side of caution
and not move the syscall to late_initcall_sync, than move it. However, others
have moved the syscall to address the TPM-bypass issue for their environment.

Mimi