Linux Integrity Measurement development
From: Yeoreum Yun <yeoreum.yun@arm.com>
To: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
	keyrings@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com, ardb@kernel.org,
	jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org,
	serge@hallyn.com, jmorris@namei.org, paul@paul-moore.com,
	sami.mujawar@arm.com, pierre.gondois@arm.com
Subject: [QUESTION] move load_uefi_certs() and keyring initcall to earlier initcall
Date: Thu, 14 May 2026 14:36:29 +0100	[thread overview]
Message-ID: <agXP3ZyE18pAiy77@e129823.arm.com> (raw)

Hi all,

Recently, I've found a possible module load failure via
request_module() in device_initcall() due to the absence of a certificate loaded by
load_uefi_certs(), in the exemplary case below:

  - MokListTrustedRT is created.
  - One module is signed with a trust chain including one cert from MokListRT and
    is contained in the initramfs.
  - Loading the above module in device_initcall() fails since the
    relevant certs haven't been loaded yet -- load_uefi_certs() is called at
    late_initcall().

I don't think calling request_module() in an initcall is a problem
if it's after rootfs_initcall() (i.e. from device_initcall() on), where initrd
population is requested, as I see from commit e7cb072eb988
("init/initramfs.c: do unpacking asynchronously").

IOW, to address this -- signature verification failure due to late loading
of certificates -- it seems load_uefi_certs() or the other relevant
init functions need to be moved to rootfs_initcall().

Unfortunately, moving load_uefi_certs() doesn't seem easy because the
keyring infrastructure is initialised at device_initcall() via the
relevant init functions.

So, I would like to introduce two initcall macros, built on the pre-existing
initcall macros, to address the above situation:

  - keyring_initcall() (a wrapper of subsys_initcall()).
  - cert_initcall() (a wrapper of rootfs_initcall()).

so that the init functions which initialise the keyring infrastructure,
for example those which call keyring_alloc(), like:
   - system_trusted_keyring_init()
   - blacklist_init()
   - machine_keyring_init()
   - platform_keyring_init()
   - ima_mok_init()

are moved from device_initcall() to subsys_initcall() via keyring_initcall(),

and the functions which load certificates or do late init of the relevant
keyrings, like:
   - load_system_certificate_list()
   - load_uefi_certs()
   - load_powerpc_certs()
   - load_ipl_certs()
   - big_key_init()
   - init_root_keyring()
   - init_trusted()
   - init_encrypted()

are moved from late_initcall() to rootfs_initcall() via cert_initcall().

Am I missing something, or is there perhaps a better idea?

Thanks.

-- 
Sincerely,
Yeoreum Yun

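The ordering dependency the mail describes, as an added userspace model that is not kernel code and not part of the original message. The level order (subsys, fs, rootfs, device, late) follows include/linux/init.h; within one level the kernel runs initcalls in link order, which the model approximates by registration order. platform_keyring_init(), load_uefi_certs() and load_signed_module() are stand-ins for keyring_alloc(), the real load_uefi_certs() and a request_module() of a MOK-signed initramfs module; MOK_SIGNER is a constructed subject name, not a real certificate. Two boots are run: today's placement, and the proposed keyring_initcall()/cert_initcall() placement.

```c
/* Added example: userspace model of Linux initcall ordering (not kernel code). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOKEY
#define ENOKEY 126		/* Linux value; fallback for libcs without it */
#endif
#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Subset of initcall levels, in the order the kernel runs them. */
enum level { LVL_SUBSYS, LVL_FS, LVL_ROOTFS, LVL_DEVICE, LVL_LATE, LVL_COUNT };
static const char *const level_name[LVL_COUNT] = {
	"subsys_initcall", "fs_initcall", "rootfs_initcall",
	"device_initcall", "late_initcall",
};

/* Minimal model of the kernel state the initcalls touch. */
struct kstate {
	bool keyring_ready;	/* has keyring_alloc() run for the platform keyring? */
	const char *certs[4];	/* subjects of keys on that keyring */
	int ncerts;
	int module_err;		/* outcome of request_module() */
};

typedef int (*initcall_t)(struct kstate *);
struct initcall { enum level lvl; const char *name; initcall_t fn; };

/* Constructed signer name standing in for a cert from MokListRT. */
#define MOK_SIGNER "MokListRT:example-vendor-ca"

/* Stand-in for platform_keyring_init(): allocates the keyring. */
static int platform_keyring_init(struct kstate *k)
{
	k->keyring_ready = true;
	return 0;
}

/* Stand-in for load_uefi_certs(): needs the keyring to exist first. */
static int load_uefi_certs(struct kstate *k)
{
	if (!k->keyring_ready)
		return -ENOKEY;
	k->certs[k->ncerts++] = MOK_SIGNER;
	return 0;
}

/* Stand-in for request_module() of a module signed by MOK_SIGNER. */
static int load_signed_module(struct kstate *k)
{
	for (int i = 0; i < k->ncerts; i++)
		if (strcmp(k->certs[i], MOK_SIGNER) == 0)
			return k->module_err = 0;
	return k->module_err = -ENOKEY;	/* "Required key not available" */
}

/* Run initcalls level by level, preserving registration order within a level. */
static int run_boot(const struct initcall *calls, int n, bool trace)
{
	struct kstate k = { .module_err = -EAGAIN };

	for (int l = 0; l < LVL_COUNT; l++)
		for (int i = 0; i < n; i++) {
			if (calls[i].lvl != l)
				continue;
			int err = calls[i].fn(&k);
			if (trace)
				printf("%-16s %-22s -> %d\n", level_name[l], calls[i].name, err);
		}
	return k.module_err;
}

/* Today's placement: keyring at device_initcall(), certs at late_initcall(). */
static const struct initcall current_order[] = {
	{ LVL_DEVICE, "platform_keyring_init", platform_keyring_init },
	{ LVL_DEVICE, "request_module()",      load_signed_module },
	{ LVL_LATE,   "load_uefi_certs",       load_uefi_certs },
};

/* Proposed: keyring_initcall() == subsys_initcall(), cert_initcall() == rootfs_initcall(). */
static const struct initcall proposed_order[] = {
	{ LVL_SUBSYS, "platform_keyring_init", platform_keyring_init },
	{ LVL_ROOTFS, "load_uefi_certs",       load_uefi_certs },
	{ LVL_DEVICE, "request_module()",      load_signed_module },
};

int boot_current(void)  { return run_boot(current_order, ARRAY_SIZE(current_order), false); }
int boot_proposed(void) { return run_boot(proposed_order, ARRAY_SIZE(proposed_order), false); }

int main(void)
{
	puts("current order:");
	run_boot(current_order, ARRAY_SIZE(current_order), true);
	puts("proposed order:");
	run_boot(proposed_order, ARRAY_SIZE(proposed_order), true);
	return 0;
}
```

With today's placement the module load at device level returns -ENOKEY because the certificate only arrives at late level; with the proposed placement the keyring exists by subsys level and the certificate is present by rootfs level, so the same request_module() succeeds. The model deliberately ignores the asynchronous initramfs unpacking the mail mentions; it only shows the level ordering.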