From: Yeoreum Yun <yeoreum.yun@arm.com>
To: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com, ardb@kernel.org,
jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org,
serge@hallyn.com, jmorris@namei.org, paul@paul-moore.com,
sami.mujawar@arm.com, pierre.gondois@arm.com
Subject: [QUESTION] move load_uefi_certs() and keyring initcall to earlier initcall
Date: Thu, 14 May 2026 14:36:29 +0100
Message-ID: <agXP3ZyE18pAiy77@e129823.arm.com>
Hi all,
Recently, I've found a possible module load failure via
request_module() in device_initcall() due to the absence of a certificate loaded by
load_uefi_certs(), in the below exemplary case:
- MokListTrustedRT is created.
- one module is signed with a trust chain containing one cert of MokListRT and
is contained in the initramfs.
- loading the above module in device_initcall() fails since the
relevant certs haven't been loaded yet -- load_uefi_certs() is called at
late_initcall().
I don't think calling request_module() in an initcall is a problem
if it's after rootfs_initcall (from device_initcall on), where initrd
population is requested, as I see in commit e7cb072eb988
("init/initramfs.c: do unpacking asynchronously").
IOW, to address this -- signature verification failure due to late loading
of certificates -- it seems that load_uefi_certs() or other relevant
init functions need to be moved to "rootfs_initcall()".
Unfortunately, moving load_uefi_certs() doesn't seem easy because the
keyring infrastructure is initialised at device_initcall() via
the relevant init functions.
So, I would like to introduce two initcall macros, built on the pre-existing
initcall macros, to address the above situation:
- keyring_initcall() (which is a wrapper of subsys_initcall()).
- cert_initcall() (which is a wrapper of rootfs_initcall()).
so that the init functions which initialise the keyring infrastructure,
for example, the functions that call keyring_alloc(), like:
- system_trusted_keyring_init()
- blacklist_init()
- machine_keyring_init()
- platform_keyring_init()
- ima_mok_init()
are moved from device_initcall() to subsys_initcall() with keyring_initcall(),
and the functions which load certificates or do late init of the relevant keyring,
like:
- load_system_certificate_list()
- load_uefi_certs()
- load_powerpc_certs()
- load_ipl_certs()
- big_key_init()
- init_root_keyring()
- init_trusted()
- init_encrypted()
are moved from late_initcall() to rootfs_initcall() with cert_initcall().
Am I missing something, or is there perhaps a better idea?
Thanks.
--
Sincerely,
Yeoreum Yun
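As an added illustration (not part of this message or of the kernel's code), a constructed C model of the initcall ordering described above: levels run in sequence, a driver's device_initcall() needs the MokListRT certificate to be in the keyring, and the module check fails while load_uefi_certs() sits at late_initcall() but passes once keyring init runs at subsys_initcall() and cert loading at rootfs_initcall(), which is what the proposed keyring_initcall()/cert_initcall() wrappers would do. The names keyring_init, driver_probe, run_boot, boot_current and boot_proposed are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the initcall levels, in the order init/main.c runs them. */
enum level { SUBSYS, FS, ROOTFS, DEVICE, LATE, NLEVELS };
struct initcall { int lvl; const char *name; int (*fn)(void); };

/* Simulated state: keyring infrastructure up, MokListRT cert loaded, module verified. */
static bool keyring_ready, mok_cert_loaded, module_loaded;

static int keyring_init(void)    { keyring_ready = true; return 0; }
static int load_uefi_certs(void) { if (!keyring_ready) return -1; mok_cert_loaded = true; return 0; }
/* A driver's device_initcall() calling request_module() on a module signed via MokListRT. */
static int driver_probe(void)    { module_loaded = mok_cert_loaded; return module_loaded ? 0 : -1; }

/* Run the registered initcalls level by level, as do_initcalls() does. */
static bool run_boot(const struct initcall *calls, size_t n)
{
	keyring_ready = mok_cert_loaded = module_loaded = false;
	for (int l = SUBSYS; l < NLEVELS; l++)
		for (size_t i = 0; i < n; i++)
			if (calls[i].lvl == l)
				printf("level %d: %-16s -> %d\n", l, calls[i].name, calls[i].fn());
	return module_loaded;
}

/* Today: keyring at device_initcall(), certificates at late_initcall(). */
bool boot_current(void)
{
	const struct initcall calls[] = {
		{ DEVICE, "keyring_init",    keyring_init },
		{ DEVICE, "driver_probe",    driver_probe },
		{ LATE,   "load_uefi_certs", load_uefi_certs },
	};
	return run_boot(calls, sizeof calls / sizeof calls[0]);
}

/* Proposed: keyring_initcall() == subsys_initcall(), cert_initcall() == rootfs_initcall(). */
bool boot_proposed(void)
{
	const struct initcall calls[] = {
		{ SUBSYS, "keyring_init",    keyring_init },
		{ ROOTFS, "load_uefi_certs", load_uefi_certs },
		{ DEVICE, "driver_probe",    driver_probe },
	};
	return run_boot(calls, sizeof calls / sizeof calls[0]);
}

int main(void) { printf("current: %d, proposed: %d\n", boot_current(), boot_proposed()); return 0; }
```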