From: Mimi Zohar <zohar@linux.ibm.com>
To: Paul Moore <paul@paul-moore.com>,
Yeoreum Yun <yeoreum.yun@arm.com>,
roberto.sassu@huawei.com
Cc: Jonathan McDowell <noodles@earth.li>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
jmorris@namei.org, serge@hallyn.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, jarkko@kernel.org, jgg@ziepe.ca,
sudeep.holla@kernel.org, maz@kernel.org, oupton@kernel.org,
joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org, noodles@meta.com,
sebastianene@google.com
Subject: Re: [RFC PATCH v2 1/4] security: ima: call ima_init() again at late_initcall_sync for defered TPM
Date: Fri, 24 Apr 2026 16:57:33 -0400 [thread overview]
Message-ID: <014cf39aa8d6a0bcfa1a95c069675977ac67b843.camel@linux.ibm.com> (raw)
In-Reply-To: <CAHC9VhSaT_quKYnpFjAfqvL07JNbWMgM6c4pB9F46NHawX3DCA@mail.gmail.com>
On Fri, 2026-04-24 at 16:15 -0400, Paul Moore wrote:
> On Fri, Apr 24, 2026 at 1:57 AM Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > On Thu, Apr 23, 2026 at 2:13 PM Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > >
> > > > Sounds good. Once the patch is posted, I’ll review it as well.
> > > > Sorry again for the noise, and thanks for your patience ;)
> > >
> > > My apologies for not getting a chance to look at this patchset sooner.
> > >
> > > This seems like an obvious, perhaps even stupid, question, but I have
> > > to ask: if IMA can be properly initialized via late_initcall_sync(),
> > > why not simply do the initialization in late_initcall_sync() and drop
> > > the late_initcall() initialization?
> > >
> > > Does any IMA functionality suffer if initialization waits until
> > > late_initcall_sync()? If so, it seems non-critical if waiting until
> > > _sync() is acceptable, as it appears in these patches/comments.
> >
> > This is the way first patch did, and here is some discussion for this
> > (Might you have seen, but in case of you missed):
> > - https://lore.kernel.org/all/a6a0e15286c983d720de227c6827adbe976c5b9b.camel@linux.ibm.com/
>
> Thanks for the pointer.
>
> Unfortunately, my concern remains the same: it's either "safe" to
> initialize IMA at late_initcall_sync() or it isn't. Attempting to
> initialize IMA twice seems both odd and wrong.
Agreed. However, IMA should be initialized as soon as the TPM becomes
available, not delayed.
In patch 2/4 patch description, Jonathan describes the reasoning:
Unfortunately some TPM drivers (such as Arm FF-A, or SPI attached TPM
devices) are not reliably available during the initcall_late stage,
resulting in a log error:
ima: No TPM chip found, activating TPM-bypass!
and no measurements into the TPM by IMA. We can avoid this by doing IMA
init in the initcall_late_sync stage, after the drivers have completed
their init + registration.
Rather than do this everywhere, and needlessly delay the initialisation
of IMA when there is no need to do so, we continue to try to initialise
at the earlier stage, only deferring to the later point if the TPM is
not available yet.
>
> I understand the need to ensure that the TPM is available, but if it
> isn't safe to wait to initialize IMA at late_initcall_sync() then it
> would seem like this is a bad option and we need another mechanism to
> synchronize IMA with TPM devices. If it is safe to initalize IMA in
> late_initcall_sync(), just do that and be done with it.
Within the same initcall level there is no way of ordering the initialization.
Yeorum attempted to address the ordering issue in commit 0e0546eabcd6
("firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall"),
which is being reverted in this patch set.
Ordering within an initcall level needs to be fixed, but for now retrying at
late_initcall_sync works for some, hopefully most, cases.
>
> I'm also guessing a two stage init process, e.g. some in
> late_initcall() and some in late_initcall_sync(), doesn't make much
> sense here, but that could be one other thing to consider if some IMA
> tasks must be done in late_initcall().
Perhaps something to think about for the future.
Mimi
next prev parent reply other threads:[~2026-04-24 20:58 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-22 16:24 [RFC PATCH v2 0/4] fix FF-A call failed with pKVM when ff-a driver is built-in Yeoreum Yun
2026-04-22 16:24 ` [RFC PATCH v2 1/4] security: ima: call ima_init() again at late_initcall_sync for defered TPM Yeoreum Yun
2026-04-22 17:20 ` Mimi Zohar
2026-04-22 18:46 ` Yeoreum Yun
2026-04-22 19:41 ` Yeoreum Yun
2026-04-22 21:20 ` Mimi Zohar
2026-04-23 5:55 ` Yeoreum Yun
2026-04-23 11:01 ` Mimi Zohar
2026-04-23 11:20 ` Yeoreum Yun
2026-04-23 12:34 ` Yeoreum Yun
2026-04-23 12:53 ` Jonathan McDowell
2026-04-23 13:07 ` Yeoreum Yun
2026-04-23 13:43 ` Mimi Zohar
2026-04-23 13:55 ` Yeoreum Yun
2026-04-23 14:03 ` Jonathan McDowell
2026-04-23 14:33 ` Yeoreum Yun
2026-04-23 18:01 ` Mimi Zohar
2026-04-23 18:13 ` Yeoreum Yun
2026-04-24 1:27 ` Paul Moore
2026-04-24 5:57 ` Yeoreum Yun
2026-04-24 20:15 ` Paul Moore
2026-04-24 20:57 ` Mimi Zohar [this message]
2026-04-24 21:08 ` Paul Moore
2026-04-24 22:00 ` Mimi Zohar
2026-04-24 22:10 ` Paul Moore
2026-04-24 22:49 ` Mimi Zohar
2026-04-28 1:31 ` Paul Moore
2026-04-28 13:21 ` Yeoreum Yun
2026-04-25 4:53 ` Yeoreum Yun
2026-04-28 1:31 ` Paul Moore
2026-04-23 14:48 ` Mimi Zohar
2026-04-23 17:02 ` Jonathan McDowell
2026-04-23 17:13 ` Mimi Zohar
2026-04-22 16:24 ` [RFC PATCH v2 2/4] tpm: tpm_crb_ffa: revert defered_probed when tpm_crb_ffa is built-in Yeoreum Yun
2026-04-23 10:17 ` Jarkko Sakkinen
2026-04-22 16:24 ` [RFC PATCH v2 3/4] firmware: arm_ffa: revert ffa_init() initcall level to device_initcall Yeoreum Yun
2026-04-23 9:13 ` Sudeep Holla
2026-04-22 16:24 ` [RFC PATCH v2 4/4] firmware: arm_ffa: check pkvm initailised when initailise ffa driver Yeoreum Yun
2026-04-23 8:34 ` Marc Zyngier
2026-04-23 10:29 ` Yeoreum Yun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=014cf39aa8d6a0bcfa1a95c069675977ac67b843.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=catalin.marinas@arm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maz@kernel.org \
--cc=noodles@earth.li \
--cc=noodles@meta.com \
--cc=oupton@kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=sebastianene@google.com \
--cc=serge@hallyn.com \
--cc=sudeep.holla@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yeoreum.yun@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox