On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> This patch converts IMA and EVM to use the LSM framework's initcall
> mechanism. There were two challenges to doing this conversion: the
> first simply being the number of initcalls across IMA and EVM, and the
> second was the number of resources shared between the two related,
> yet independent LSMs.

There are a number of the initcalls under integrity/platform/, which load arch
specific keys onto the platform and machine keyrings, which shouldn't be
included in this patch.

>
> The first problem was resolved by the creation of two new functions,
> integrity_device_init() and integrity_late_init(), with each focused on
> calling all of the various IMA/EVM initcalls for a single initcall type.
> The second problem was resolved by registering both of these new
> functions as initcalls for each LSM and including code in each
> registered initcall to ensure it only executes once.

With the above change, there obviously will be a lot fewer initcalls, but it
might still make sense to keep the common ima/evm function.

Mimi