lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200604191207.GR2970@glitch>
Date:   Thu, 4 Jun 2020 16:12:07 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Roberto Sassu <roberto.sassu@...wei.com>, tiwai@...e.de,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, silviu.vlasceanu@...wei.com,
        stable@...r.kernel.org
Subject: Re: [PATCH 2/2] ima: Call ima_calc_boot_aggregate() in
 ima_eventdigest_init()

On Wed, Jun 03, 2020 at 06:03:35PM -0400, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Wed, 2020-06-03 at 17:08 +0200, Roberto Sassu wrote:
> > If the template field 'd' is chosen and the digest to be added to the
> > measurement entry was not calculated with SHA1 or MD5, it is
> > recalculated with SHA1, by using the passed file descriptor. However, this
> > cannot be done for boot_aggregate, because there is no file descriptor.
> > 
> > This patch adds a call to ima_calc_boot_aggregate() in
> > ima_eventdigest_init(), so that the digest can be recalculated also for the
> > boot_aggregate entry.
> > 
> > Cc: stable@...r.kernel.org # 3.13.x
> > Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
> > Reported-by: Takashi Iwai <tiwai@...e.de>
> > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> 
> Thanks, Roberto.
> 
> I've pushed both patches out to the next-integrity branch and would
> appreciate some additional testing.
> 
> thanks,
> 
> Mimi
> 

Hi Mimi and Roberto,

FWIW, I've tested this patch manually and things went fine, with no
unexpected behavior or results. 

However, wouldn't it be worth add a note in kmsg about the
ima_calc_boot_aggregate() being called with an algo different from the
system's default? Just to let the user know he won't find a sha256 when
check the measurement. But that's something we can add later too.

Thanks.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ