For IMA support on modern kernels:
1) We need to load (or reload) the IMA policy at an early stage of boot from the initramfs, before the real root is mounted.
2) On modern kernels, with CONFIG_IMA_X509_PATH, there is no need to load the cert "manually" any more; the kernel will do this for us, but we still need to store the cert in the initramfs.
Just in case you are interested, here is the patch for basic IMA support that I am using now (it doesn't include EVM support): ima-support-patch.txt
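
The two points above, sketched as an initramfs-stage shell hook. This is an added example, not the attached patch or any project's code. The function names and the policy path /etc/ima/ima-policy are assumptions, and /etc/keys/x509_ima.der is the kernel's default value for CONFIG_IMA_X509_PATH.

```shell
#!/bin/sh
# Added sketch: source this from the initramfs init script and call
# ima_early_setup before the real root is mounted.
# Assumed paths: /etc/ima/ima-policy and /etc/keys/x509_ima.der.

# The kernel loads the IMA certificate from CONFIG_IMA_X509_PATH by itself,
# so the hook only verifies that the file was packed into the initramfs.
ima_check_cert() {
    cert=${1:-/etc/keys/x509_ima.der}
    if [ ! -s "$cert" ]; then
        echo "ima: certificate $cert missing from initramfs" >&2
        return 1
    fi
}

# Load the policy through the securityfs "policy" file found under $2.
ima_load_policy() {
    policy=${1:-/etc/ima/ima-policy}
    imadir=${2:-/sys/kernel/security/ima}
    if [ ! -s "$policy" ]; then
        echo "ima: no policy at $policy, nothing to load" >&2
        return 0
    fi
    if [ ! -w "$imadir/policy" ]; then
        echo "ima: $imadir/policy is not writable" >&2
        return 1
    fi
    # Preferred: pass the path, so the kernel reads the policy file itself
    # and can check its signature when the running policy requires that.
    if printf '%s\n' "$policy" 2>/dev/null > "$imadir/policy"; then
        return 0
    fi
    # Fallback for kernels that only accept the rules written directly.
    cat "$policy" > "$imadir/policy"
}

ima_early_setup() {
    # securityfs may not be mounted yet this early in boot.
    if [ ! -d /sys/kernel/security/ima ]; then
        mount -t securityfs securityfs /sys/kernel/security || return 1
    fi
    ima_check_cert && ima_load_policy
}
```
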