| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Jan 2022 14:35:48 +0800
From: "Guozihua (Scott)" <guozihua@...wei.com>
To: Roberto Sassu <roberto.sassu@...wei.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Jonathan Corbet <corbet@....net>
CC: "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
wangweiyang <wangweiyang2@...wei.com>,
Xiujianfeng <xiujianfeng@...wei.com>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [RESEND][PATCH] Documentation: added order requirement for
ima_hash=
On 2022/1/26 22:43, Roberto Sassu wrote:
>> From: Mimi Zohar [mailto:zohar@...ux.ibm.com]
>> Sent: Wednesday, January 26, 2022 3:35 PM
>> On Wed, 2022-01-26 at 13:24 +0000, Roberto Sassu wrote:
>>>> From: Mimi Zohar [mailto:zohar@...ux.ibm.com]
>>>> Sent: Wednesday, January 26, 2022 1:48 PM
>>>> On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote:
>>>>>
>>>>>
>>>>> The main issue lies in ima_template_desc_current called by hash_setup,
>>>>> which does not just read ima_template global variable, but also tries to
>>>>> set it if that hasn't been done already. Causing ima_template_setup to quit.
>>>>
>>>> Right, which calls ima_init_template_list(). So part of the solution
>>>> could be to conditionally call ima_init_template_list()
>>>> in ima_template_setup().
>>>>
>>>> - if (ima_template)
>>>> - return 1;
>>>> -
>>>> - ima_init_template_list();
>>>> + if (!ima_template
>>>> + ima_init_template_list();
>>>>
>>>> Roberto, what do you think?
>>>
>>> Hi Mimi
>>>
>>> I think we wanted to prevent to set a digest algorithm
>>> incompatible with the chosen template.
>>>
>>> If we have in the kernel command line:
>>>
>>> ima_template=ima ima_hash=sha256
>>>
>>> ima_hash_algo would be set to HASH_ALGO_SHA1 despite
>>> the user choice and the template would be set to 'ima'.
>>>
>>> In the opposite case:
>>>
>>> ima_hash=sha256 ima_template=ima
>>>
>>> if the default template is 'ima', then ima_hash_algo would be
>>> set to HASH_ALGO_SHA1. Otherwise, it would be
>>> HASH_ALGO_SHA256. If we allow the template to be set after
>>> the digest algorithm is evaluated, the template selection will
>>> be rejected if the algorithm is incompatible with the template.
>>
>> The only time that would occur is in the unlikely case that the
>> template is being set to "ima". That sounds reasonable. In fact we
>> should consider preventing the template format being set to "ima".
>
> Ok.
>
>>> I'm trying to remember why we still have the digest recalculation
>>> in ima_eventdigest_init(). Maybe the only possibility is if we
>>> set the template from the policy?
>>
>> The recalculation was relatively recently added in commit 6cc7c266e5b4
>> ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()").
>
> There is also recalculation for the file digest:
>
> hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
> ima_hash_algo : HASH_ALGO_SHA1;
> result = ima_calc_file_hash(event_data->file, &hash.hdr);
>
> I understood that Jonathan already applied the patch. If it is possible
> to make a new patch according to your suggestion, I would ask Zihua
> to do that.
Hi Mimi and Roberto,
I understand that the solution proposed here is to decommission template
"ima" and potentially removing related algo checks altogether?
--
Best
GUO Zihua
Powered by blists - more mailing lists