The Linux IMA (Integrity Measurement Architecture) subsystem used for secure
boot, file integrity, or remote attestation cannot be a loadable module
for few reasons listed below:
o Boot-Time Integrity: IMA’s main role is to measure and appraise files
before they are used. This includes measuring critical system files during
early boot (e.g., init, init scripts, login binaries). If IMA were a module,
it would be loaded too late to cover those.
o TPM Dependency: IMA integrates tightly with the TPM to record measurements
into PCRs. The TPM must be initialized early (ideally before init_ima()),
which aligns with IMA being built-in.
o Security Model: IMA is part of a Trusted Computing Base (TCB). Making it a
module would weaken the security model, as a potentially compromised system
could delay or tamper with its initialization.
IMA must be built-in to ensure it starts measuring from the earliest possible
point in boot which inturn implies TPM must be initialised and ready to use
before IMA.
To enable integration of tpm_event_log with the IMA subsystem, the TPM drivers
(tpm_crb and tpm_crb_ffa) also needs to be built-in. However with FF-A driver
also being initialised at device initcall level, it can lead to an
initialization order issue where:
- crb_acpi_driver_init() may run before tpm_crb_ffa_driver()_init and ffa_init()
- As a result, probing the TPM device via CRB over FFA is deferred
- ima_init() (called as a late initcall) runs before deferred probe completes,
IMA fails to find the TPM and logs the below error:
| ima: No TPM chip found, activating TPM-bypass!
Eventually it fails to generate boot_aggregate with PCR values.
Because of the above stated dependency, the ffa driver needs to initialised
before tpm_crb_ffa module to ensure IMA finds the TPM successfully when
present.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
---
drivers/firmware/arm_ffa/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index fe55613a8ea9..1a690b8186df 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -2058,7 +2058,7 @@ static int __init ffa_init(void)
kfree(drv_info);
return ret;
}
-module_init(ffa_init);
+rootfs_initcall(ffa_init);
static void __exit ffa_exit(void)
{
--
LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
On Wed, Jun 18, 2025 at 11:23:01AM +0100, Yeoreum Yun wrote:
> The Linux IMA (Integrity Measurement Architecture) subsystem used for secure
> boot, file integrity, or remote attestation cannot be a loadable module
> for few reasons listed below:
>
> o Boot-Time Integrity: IMA’s main role is to measure and appraise files
> before they are used. This includes measuring critical system files during
> early boot (e.g., init, init scripts, login binaries). If IMA were a module,
> it would be loaded too late to cover those.
>
> o TPM Dependency: IMA integrates tightly with the TPM to record measurements
> into PCRs. The TPM must be initialized early (ideally before init_ima()),
> which aligns with IMA being built-in.
>
> o Security Model: IMA is part of a Trusted Computing Base (TCB). Making it a
> module would weaken the security model, as a potentially compromised system
> could delay or tamper with its initialization.
>
> IMA must be built-in to ensure it starts measuring from the earliest possible
> point in boot which inturn implies TPM must be initialised and ready to use
> before IMA.
>
> To enable integration of tpm_event_log with the IMA subsystem, the TPM drivers
> (tpm_crb and tpm_crb_ffa) also needs to be built-in. However with FF-A driver
> also being initialised at device initcall level, it can lead to an
> initialization order issue where:
> - crb_acpi_driver_init() may run before tpm_crb_ffa_driver()_init and ffa_init()
> - As a result, probing the TPM device via CRB over FFA is deferred
> - ima_init() (called as a late initcall) runs before deferred probe completes,
> IMA fails to find the TPM and logs the below error:
>
> | ima: No TPM chip found, activating TPM-bypass!
>
> Eventually it fails to generate boot_aggregate with PCR values.
>
> Because of the above stated dependency, the ffa driver needs to initialised
> before tpm_crb_ffa module to ensure IMA finds the TPM successfully when
> present.
>
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> drivers/firmware/arm_ffa/driver.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
> index fe55613a8ea9..1a690b8186df 100644
> --- a/drivers/firmware/arm_ffa/driver.c
> +++ b/drivers/firmware/arm_ffa/driver.c
> @@ -2058,7 +2058,7 @@ static int __init ffa_init(void)
> kfree(drv_info);
> return ret;
> }
> -module_init(ffa_init);
> +rootfs_initcall(ffa_init);
>
> static void __exit ffa_exit(void)
> {
> --
> LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
On Wed, 2025-06-18 at 11:23 +0100, Yeoreum Yun wrote:
> The Linux IMA (Integrity Measurement Architecture) subsystem used for secure
> boot, file integrity, or remote attestation cannot be a loadable module
> for few reasons listed below:
>
> o Boot-Time Integrity: IMA’s main role is to measure and appraise files
> before they are used. This includes measuring critical system files during
> early boot (e.g., init, init scripts, login binaries). If IMA were a module,
> it would be loaded too late to cover those.
>
> o TPM Dependency: IMA integrates tightly with the TPM to record measurements
> into PCRs. The TPM must be initialized early (ideally before init_ima()),
> which aligns with IMA being built-in.
>
> o Security Model: IMA is part of a Trusted Computing Base (TCB). Making it a
> module would weaken the security model, as a potentially compromised system
> could delay or tamper with its initialization.
>
> IMA must be built-in to ensure it starts measuring from the earliest possible
> point in boot which inturn implies TPM must be initialised and ready to use
> before IMA.
>
> To enable integration of tpm_event_log with the IMA subsystem, the TPM drivers
> (tpm_crb and tpm_crb_ffa) also needs to be built-in. However with FF-A driver
> also being initialised at device initcall level, it can lead to an
> initialization order issue where:
> - crb_acpi_driver_init() may run before tpm_crb_ffa_driver()_init and ffa_init()
> - As a result, probing the TPM device via CRB over FFA is deferred
> - ima_init() (called as a late initcall) runs before deferred probe completes,
> IMA fails to find the TPM and logs the below error:
>
> | ima: No TPM chip found, activating TPM-bypass!
>
> Eventually it fails to generate boot_aggregate with PCR values.
>
> Because of the above stated dependency, the ffa driver needs to initialised
> before tpm_crb_ffa module to ensure IMA finds the TPM successfully when
> present.
>
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Thank you for the well written patch description.
> ---
> drivers/firmware/arm_ffa/driver.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
> index fe55613a8ea9..1a690b8186df 100644
> --- a/drivers/firmware/arm_ffa/driver.c
> +++ b/drivers/firmware/arm_ffa/driver.c
> @@ -2058,7 +2058,7 @@ static int __init ffa_init(void)
> kfree(drv_info);
> return ret;
> }
> -module_init(ffa_init);
> +rootfs_initcall(ffa_init);
LGTM as the driver is always builtin.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>
> static void __exit ffa_exit(void)
> {
© 2016 - 2025 Red Hat, Inc.