Hi Mimi,

> On Mon, 2026-06-01 at 15:27 +0100, Yeoreum Yun wrote:
> > From: Jonathan McDowell <[email protected]>
> >
> > The Linux IMA (Integrity Measurement Architecture) subsystem used for
> > secure boot, file integrity, or remote attestation cannot be a loadable
> > module for a few reasons listed below:
> >
> > o Boot-Time Integrity: IMA's main role is to measure and appraise files
> > before they are used. This includes measuring critical system files
> > during early boot (e.g., init, init scripts, login binaries). If IMA
> > were a module, it would be loaded too late to cover those.
> >
> > o TPM Dependency: IMA integrates tightly with the TPM to record
> > measurements into PCRs. The TPM must be initialized early (ideally
> > before init_ima()), which aligns with IMA being built-in.
> >
> > o Security Model: IMA is part of a Trusted Computing Base (TCB). Making
> > it a module would weaken the security model, as a potentially
> > compromised system could delay or tamper with its initialization.
> >
> > IMA must be built-in to ensure it starts measuring from the earliest
> > possible point in boot, which in turn implies the TPM must be initialised
> > and ready to use before IMA.
> >
> > Unfortunately some TPM drivers (such as Arm FF-A, or SPI attached TPM
> > devices) are not reliably available during the initcall_late stage,
> > resulting in a log error:
> >
> > ima: No TPM chip found, activating TPM-bypass!
> >
> > To address this issue, IMA_INIT_LATE_SYNC is introduced.
> > However, a remote attestation service cannot determine when IMA has been
> > initialized because the boot_aggregate measurement name remains unchanged,
> > even though IMA is initialized later at late_initcall_sync when
> > IMA_INIT_LATE_SYNC is enabled.
> >
> > Therefore, use a distinct boot_aggregate name when IMA_INIT_LATE_SYNC
> > is enabled, allowing the remote attestation service to identify
> > when IMA has been initialized.
> >
> > Signed-off-by: Jonathan McDowell <[email protected]>
> > [[email protected]: modified to align with the IMA_INIT_LATE_SYNC change]
>
> Thanks, Yeoreum. This version requires your Signed-off-by tag as well as
> Jonathan's. Otherwise the patch looks good.

Thanks! I'll resend with my SOB again!

--
Sincerely,
Yeoreum Yun
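As an added example that is not part of this thread or of the kernel patch: the attestation-service side of the point being discussed. A verifier reads the IMA measurement log (the ascii_runtime_measurements ima-ng format, "pcr template-hash ima-ng algo:digest name") and classifies the first PCR 10 entry, which is where the kernel records boot_aggregate. Three outcomes are distinguished: the ordinary early boot_aggregate, the distinct late-init name the patch introduces, and the TPM-bypass case, in which the kernel records boot_aggregate with an all-zero file digest because no TPM chip was found. The thread does not state the distinct name, so LATE_BOOT_AGGREGATE_NAME is a placeholder an operator must replace; the log lines are constructed for the example.

```python
"""Verifier-side check of how and when IMA initialised, judged from the
first PCR 10 entry of an ascii_runtime_measurements log (ima-ng template)."""
import hashlib
from dataclasses import dataclass
from typing import List

# The patch under discussion gives the boot_aggregate entry a distinct name when
# IMA_INIT_LATE_SYNC is enabled. The thread does not state that name, so this is
# a PLACEHOLDER the verifier operator must replace with the real one.
LATE_BOOT_AGGREGATE_NAME = "boot_aggregate_late_PLACEHOLDER"
EARLY_BOOT_AGGREGATE_NAME = "boot_aggregate"


@dataclass
class ImaEntry:
    pcr: int
    template_hash: str  # hex digest over the template data (SHA-1 bank by default)
    template: str       # template name, "ima-ng" here
    algo: str           # file digest algorithm, e.g. "sha256"
    digest: str         # hex file digest
    name: str           # pathname or event name (may itself contain spaces)


def parse_ima_ng_line(line: str) -> ImaEntry:
    """Parse one line of the form '<pcr> <template-hash> ima-ng <algo>:<digest> <name>'."""
    fields = line.rstrip("\n").split(" ", 4)  # keep spaces inside the name intact
    if len(fields) != 5:
        raise ValueError(f"malformed IMA entry: {line!r}")
    pcr, template_hash, template, file_digest, name = fields
    if template != "ima-ng":
        raise ValueError(f"unsupported template {template!r} (only ima-ng handled here)")
    algo, sep, digest = file_digest.partition(":")
    if not sep or not digest:
        raise ValueError(f"malformed file digest field: {file_digest!r}")
    return ImaEntry(int(pcr), template_hash, template, algo, digest, name)


def parse_ima_log(text: str) -> List[ImaEntry]:
    """Parse a whole log, skipping blank lines."""
    return [parse_ima_ng_line(l) for l in text.splitlines() if l.strip()]


def classify_boot_aggregate(entries: List[ImaEntry]) -> str:
    """Classify IMA initialisation from the first PCR 10 entry.

    Returns one of: "no-measurements", "missing", "tpm-bypass", "early",
    "late-initcall-sync".
    """
    pcr10 = [e for e in entries if e.pcr == 10]
    if not pcr10:
        return "no-measurements"
    first = pcr10[0]
    if first.name not in (EARLY_BOOT_AGGREGATE_NAME, LATE_BOOT_AGGREGATE_NAME):
        return "missing"  # log does not start with a boot_aggregate entry
    if set(first.digest) == {"0"}:
        # Kernel found no TPM chip: boot_aggregate is recorded with a zero digest,
        # so nothing in this log is anchored to a PCR ("TPM-bypass").
        return "tpm-bypass"
    return "early" if first.name == EARLY_BOOT_AGGREGATE_NAME else "late-initcall-sync"


# ---- constructed sample logs (not captured from a real system) ----
def _hex(algo: str, label: bytes) -> str:
    return hashlib.new(algo, label).hexdigest()


CONSTRUCTED_LOG_EARLY = "\n".join([
    f"10 {_hex('sha1', b'tmpl0')} ima-ng sha256:{_hex('sha256', b'agg')} boot_aggregate",
    f"10 {_hex('sha1', b'tmpl1')} ima-ng sha256:{_hex('sha256', b'init')} /init",
])
CONSTRUCTED_LOG_LATE = "\n".join([
    f"10 {_hex('sha1', b'tmpl0')} ima-ng sha256:{_hex('sha256', b'agg')} {LATE_BOOT_AGGREGATE_NAME}",
    f"10 {_hex('sha1', b'tmpl1')} ima-ng sha256:{_hex('sha256', b'init')} /init",
])
CONSTRUCTED_LOG_BYPASS = (
    f"10 {_hex('sha1', b'tmpl0')} ima-ng sha256:{'0' * 64} boot_aggregate"
)

if __name__ == "__main__":
    for label, log in (("early", CONSTRUCTED_LOG_EARLY),
                       ("late", CONSTRUCTED_LOG_LATE),
                       ("bypass", CONSTRUCTED_LOG_BYPASS)):
        print(f"{label:7s} -> {classify_boot_aggregate(parse_ima_log(log))}")
```

The classification is deliberately driven by the boot_aggregate name rather than by timing data the log does not carry: that is exactly the signal the patch adds for the attestation service. The zero-digest check is a separate condition because a late-initialised IMA that still found no TPM is indistinguishable from an early TPM-bypass as far as PCR anchoring is concerned.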

