Thread (5 messages), 3 authors, 2020-07-31

IMA/EVM interfaces

From: Denis Efremov <efremov@linux.com>
Date: 2020-07-28 10:32:34

Hi,

I've started to add integrity interface descriptions to syzkaller
(https://github.com/google/syzkaller/pull/1970).

I've got a question, if you don't mind:

If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
subsequent fs operations will fail with -ENOKEY.

$ echo 2 > /sys/kernel/security/integrity/evm/evm
$ touch test.txt
[  526.976855][ T5771] evm: HMAC key is not set
[  526.977892][ T5771] evm: init_desc failed
touch: cannot touch 'test.txt': Required key not available

Is this a desired behavior? Should there be a check in evm_write_key()
for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
changing the evm_initialized bit? Is it correct to set the second bit without
the first bit?

Thanks,
Denis