Work is ongoing to support PCIe device attestation and authentication.
As part of this a PCIe device will provide a certificate chain via the
SPDM protocol to the kernel.
Linux should verify the chain before enabling the device, which means we
need the certificate store ready before arch initilisation (where PCIe
init happens). Move the certificate and keyring init to postcore to
ensure it's loaded before PCIe devices.
This allows us to verify the certificate chain provided by a PCIe device
via SPDM before we enable it.
Signed-off-by: Alistair Francis <alistair@xxxxxxxxxxxxx>
---
certs/system_keyring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..f3d8ea4f70b4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -260,7 +260,7 @@ static __init int system_trusted_keyring_init(void)
/*
* Must be initialised before we try and load the keys into the keyring.
*/
-device_initcall(system_trusted_keyring_init);
+postcore_initcall(system_trusted_keyring_init);
__init int load_module_cert(struct key *keyring)
{
@@ -293,7 +293,7 @@ static __init int load_system_certificate_list(void)
return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
-late_initcall(load_system_certificate_list);
+postcore_initcall(load_system_certificate_list);
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
--
2.48.1
