Hi Romain, Please limit the subject line to 70 - 75 characters. On Mon, 2024-07-01 at 16:58 +0200, Romain Naour wrote: > > > [1] > > > https://lore.kernel.org/linux-integrity/9b98d912-ba78-402c-a5c8-154bef8794f7@xxxxxxxx/ > > > [2] > > > https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1375425/tda4vm-ima-vs-tpm-builtin-driver-boot-order > > > > > > Signed-off-by: Romain Naour <romain.naour@xxxxxxx> > > > > Should this get a Fixes: tag and be also applied to the stable series? > > The current behavior can be reproduced on any released kernel (at least since > 6.1). But I'm not sure if it should be backported to stable kernels since it > delays the ima/evm initialization at runtime. With the IMA builtin measurement policy specified on the boot command line ("ima_policy=tcb"), moving init_ima from the late_initcall() to late_initcall_sync() affects the measurement list order. It's unlikely, but possible, that someone is sealing the TPM to PCR-10. It's probably not a good idea to backport the change. An alternative would be to continue using the late_initcall(), but retry on failure, instead of going directly into TPM-bypass mode. As far as I can tell, everything is still being measured and verified, but more testing is required. Mimi
