lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 07 Apr 2022 10:43:35 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     GUO Zihua <guozihua@...wei.com>, linux-integrity@...r.kernel.org
Cc:     dmitry.kasatkin@...il.com, roberto.sassu@...wei.com,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/1] ima: remove the IMA_TEMPLATE Kconfig option

On Thu, 2022-04-07 at 10:16 +0800, GUO Zihua wrote:
> The original 'ima' measurement list template contains a hash, defined
> as 20 bytes, and a null terminated pathname, limited to 255
> characters.  Other measurement list templates permit both larger hashes
> and longer pathnames.  When the "ima" template is configured as the
> default, a new measurement list template (ima_template=) must be
> specified before specifying a larger hash algorithm (ima_hash=) on the
> boot command line.
> 
> To avoid this boot command line ordering issue, remove the legacy "ima"
> template configuration option, allowing it to still be specified on the
> boot command line.
> 
> The root cause of this issue is that during the processing of ima_hash,
> we would try to check whether the hash algorithm is compatible with the
> template. If the template is not set at the moment we do the check, we
> check the algorithm against the configured default template. If the
> default template is "ima", then we reject any hash algorithm other than
> sha1 and md5.
> 
> For example, if the compiled default template is "ima", and the default
> algorithm is sha1 (which is the current default). In the cmdline, we put
> in "ima_hash=sha256 ima_template=ima-ng". The expected behavior would be
> that ima starts with ima-ng as the template and sha256 as the hash
> algorithm. However, during the processing of "ima_hash=",
> "ima_template=" has not been processed yet, and hash_setup would check
> the configured hash algorithm against the compiled default: ima, and
> reject sha256. So at the end, the hash algorithm that is actually used
> will be sha1.
> 
> With template "ima" removed from the configured default, we ensure that
> the default tempalte would at least be "ima-ng" which allows for
> basically any hash algorithm.
> 
> This change would not break the algorithm compatibility checks for IMA.
> 
> Fixes: 4286587dccd43 ("ima: add Kconfig default measurement list template")
> Signed-off-by: GUO Zihua <guozihua@...wei.com>

thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ