| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 Mar 2020 12:33:01 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>,
"James.Bottomley@...senPartnership.com"
<James.Bottomley@...senPartnership.com>,
"jarkko.sakkinen@...ux.intel.com" <jarkko.sakkinen@...ux.intel.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Silviu Vlasceanu <Silviu.Vlasceanu@...wei.com>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH v3 2/8] ima: Switch to ima_hash_algo for boot aggregate
On Mon, 2020-03-02 at 15:11 +0000, Roberto Sassu wrote:
> > Yes, preference is given to the IMA default algorithm, but it should
> > fall back to using SHA256 or SHA1, based on the TPM.
>
> Ok. The patch already does it even if the TPM version is not checked.
> For TPM 1.2, if the default algorithm is not SHA1 the patch will select
> the first PCR bank (SHA1).
>
> Should I send a new patch which explicitly checks the TPM version?
Checking the TPM version shouldn't be necessary. The code currently
sets bank_idx to the HASH_ALGO_SHA256. If instead of initializing
bank_idx to 0, initialize it to the nr_allocated_banks or -1. As long
as the bank_idx value is the same as the initialized value, set the
bank_idx to HASH_ALGO_SHA1.
The subsequent bank_idx would then be limited to testing for the
initialized value.
Mimi
Powered by blists - more mailing lists