lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200604195744.GS2970@glitch>
Date:   Thu, 4 Jun 2020 16:57:44 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Roberto Sassu <roberto.sassu@...wei.com>, tiwai@...e.de,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, silviu.vlasceanu@...wei.com,
        stable@...r.kernel.org
Subject: Re: [PATCH 2/2] ima: Call ima_calc_boot_aggregate() in
 ima_eventdigest_init()

On Thu, Jun 04, 2020 at 03:35:20PM -0400, Mimi Zohar wrote:
> On Thu, 2020-06-04 at 16:12 -0300, Bruno Meneguele wrote:
> > On Wed, Jun 03, 2020 at 06:03:35PM -0400, Mimi Zohar wrote:
> > > Hi Roberto,
> > > 
> > > On Wed, 2020-06-03 at 17:08 +0200, Roberto Sassu wrote:
> > > > If the template field 'd' is chosen and the digest to be added to the
> > > > measurement entry was not calculated with SHA1 or MD5, it is
> > > > recalculated with SHA1, by using the passed file descriptor. However, this
> > > > cannot be done for boot_aggregate, because there is no file descriptor.
> > > > 
> > > > This patch adds a call to ima_calc_boot_aggregate() in
> > > > ima_eventdigest_init(), so that the digest can be recalculated also for the
> > > > boot_aggregate entry.
> > > > 
> > > > Cc: stable@...r.kernel.org # 3.13.x
> > > > Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
> > > > Reported-by: Takashi Iwai <tiwai@...e.de>
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > > 
> > > Thanks, Roberto.
> > > 
> > > I've pushed both patches out to the next-integrity branch and would
> > > appreciate some additional testing.
> > > 
> > > thanks,
> > > 
> > > Mimi
> > > 
> > 
> > Hi Mimi and Roberto,
> > 
> > FWIW, I've tested this patch manually and things went fine, with no
> > unexpected behavior or results. 
> 
> Thanks, Bruno!
> 
> > However, wouldn't it be worth add a note in kmsg about the
> > ima_calc_boot_aggregate() being called with an algo different from the
> > system's default? Just to let the user know he won't find a sha256 when
> > check the measurement. But that's something we can add later too.
> 
> There's no guarantees that the IMA default crypto algorithm will be
> used for calculating the boot_aggregate.  The algorithm is dependent
> on the TPM.  For example, the default IMA algorithm could be sha256,
> but on a system with TPM 1.2, the boot_aggregate would have to be
> sha1.

Ah Indeed.. it makes sense.

> 
> This patch addresses a mismatch between the template format field ('d'
> field) and the larger digest.  We could require the "ima_template_fmt"
> specified on the boot command line define an appropriate format, but
> Roberto decided to support the situation where both "d" and "d-ng" are
> defined.

Yes, personally I also prefer to "fail earlier" or to be more stricter
on user definitions, but I also understand going the other way allowing
both d & d-ng.

> 
> Mimi
> 

thanks Mimi.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ