[RFC PATCH v3 2/4] security: ima: call ima_init() again at late_initcall_sync for deferred TPM
Jonathan McDowell
noodles at earth.li
Sat Apr 25 09:10:56 UTC 2026
On Fri, Apr 24, 2026 at 04:25:31PM -0400, Mimi Zohar wrote:
>Thanks, Jonathan!
>
>On Fri, 2026-04-24 at 14:24 +0100, Jonathan McDowell wrote:
>> -static int __init init_ima(void)
>> +static int __init init_ima(bool late)
>> {
>> int error;
>>
>> @@ -1247,10 +1247,26 @@ static int __init init_ima(void)
>> return 0;
>> }
>>
>> + /*
>> + * If we found the TPM during our first attempt, or we know there's no
>> + * TPM, nothing further to do
>> + */
>
>Perhaps it's just me, but the comment wording is a bit off. Could I change it
>to: If we either found the TPM or knew there's no TPM during our first attempt,
>nothing further to do.
No objections to that updated wording from me.
>Otherwise the patch looks good.
>
>Mimi
>
>
>> + if (late && (ima_tpm_chip || !IS_ENABLED(CONFIG_TCG_TPM)))
>> + return 0;
>> +
>> + ima_tpm_chip = tpm_default_chip();
>> + if (!ima_tpm_chip && !late && IS_ENABLED(CONFIG_TCG_TPM)) {
>> + pr_debug("TPM not available, will try later\n");
>> + return -EPROBE_DEFER;
>> + }
>> +
>> + if (!ima_tpm_chip)
>> + pr_info("No TPM chip found, activating TPM-bypass!\n");
>> +
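Review bot: the early attempt returns -EPROBE_DEFER at the `return -EPROBE_DEFER;` line, but this hunk does not show how the initcall that calls init_ima(false) handles that value; make sure the caller does not propagate the deferral as an init failure and instead relies on the late_initcall_sync retry named in the subject, since on the late path the `if (late && (ima_tpm_chip || !IS_ENABLED(CONFIG_TCG_TPM)))` guard is what prevents a second tpm_default_chip() lookup. As a smaller point, consider pr_info() rather than pr_debug() for "TPM not available, will try later", so that an operator seeing the later pr_info() "activating TPM-bypass!" message can tell from the same log that a deferral happened first.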
J.
--
Revd Jonathan McDowell, ULC | Run like hell!