load system certificates earlier

pKVM is initialized at the device_initcall priority and requires loading a module so the built-in certificates need to be available first.
GrapheneOS · Mar 26, 2024 · 7f5d5ec · 7f5d5ec
1 parent 77e7478
commit 7f5d5ec
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
@@ -173,7 +173,7 @@ static __init int system_trusted_keyring_init(void)
 /*
  * Must be initialised before we try and load the keys into the keyring.
  */
-device_initcall(system_trusted_keyring_init);
+core_initcall(system_trusted_keyring_init);
 
 __init int load_module_cert(struct key *keyring)
 {
@@ -206,7 +206,7 @@ static __init int load_system_certificate_list(void)
 
 	return x509_load_certificate_list(p, size, builtin_trusted_keys);
 }
-late_initcall(load_system_certificate_list);
+postcore_initcall(load_system_certificate_list);
 
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION