[PATCH v5 3/4] security: ima: rename boot_aggregate when ima is initialised at late_sync

Yeoreum Yun yeoreum.yun at arm.com
Tue Jun 2 12:58:33 UTC 2026 

Hi Mimi,

> On Mon, 2026-06-01 at 15:27 +0100, Yeoreum Yun wrote:
> > From: Jonathan McDowell <noodles at meta.com>
> > 
> > The Linux IMA (Integrity Measurement Architecture) subsystem used for
> > secure boot, file integrity, or remote attestation cannot be a loadable
> > module for few reasons listed below:
> > 
> >  o Boot-Time Integrity: IMA’s main role is to measure and appraise files
> >    before they are used. This includes measuring critical system files
> >    during early boot (e.g., init, init scripts, login binaries). If IMA
> >    were a module, it would be loaded too late to cover those.
> > 
> >  o TPM Dependency: IMA integrates tightly with the TPM to record
> >    measurements into PCRs. The TPM must be initialized early (ideally
> >    before init_ima()), which aligns with IMA being built-in.
> > 
> >  o Security Model: IMA is part of a Trusted Computing Base (TCB). Making
> >    it a module would weaken the security model, as a potentially
> >    compromised system could delay or tamper with its initialization.
> > 
> > IMA must be built-in to ensure it starts measuring from the earliest
> > possible point in boot which inturn implies TPM must be initialised and
> > ready to use before IMA.
> > 
> > Unfortunately some TPM drivers (such as Arm FF-A, or SPI attached TPM
> > devices) are not reliably available during the initcall_late stage,
> > resulting in a log error:
> > 
> >   ima: No TPM chip found, activating TPM-bypass!
> > 
> > To address this issue, IMA_INIT_LATE_SYNC is introduced.
> > However, a remote attestation service cannot determine when IMA has been
> > initialized because the boot_aggregate measurement name remains unchanged,
> > even though IMA is initialized later at late_initcall_sync when
> > IMA_INIT_LATE_SYNC is enabled.
> > 
> > Therefore, use a distinct boot_aggregate name when IMA_INIT_LATE_SYNC
> > is enabled, allowing the remote attestation service to identify
> > when IMA has been initialized.
> > 
> > Signed-off-by: Jonathan McDowell <noodles at meta.com>
> > [yeoreum.yun at arm.com: modified to align with the IMA_INIT_LATE_SYNC change]
> 
> Thanks, Yeoreum. This version requires your Signed-off-by tag as well as
> Jonathan's.  Otherwise the patch looks good.

Thanks! I'll resend with my SOB again!

-- 
Sincerely,
Yeoreum Yun

More information about the Linux-security-module-archive mailing list