Message-ID: <871punddzo.fsf@>
Date: Sun, 23 Mar 2025 15:21:31 +0100
From: Nicolai Stange <nstange@...e.de>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Nicolai Stange <nstange@...e.de>, Roberto Sassu
<roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg <eric.snowberg@...cle.com>,
linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 6/7] ima: invalidate unsupported PCR banks once at first use

Mimi Zohar <zohar@...ux.ibm.com> writes:
> On Tue, 2025-03-18 at 16:55 +0100, Nicolai Stange wrote:
>> Mimi Zohar <zohar@...ux.ibm.com> writes:
>> > FYI, because the IMA Kconfig selects SHA1, we're guaranteed that SHA1 exists in
>> > the kernel and the subsequent kexec'ed kernel. For this reason we're guaranteed
>> > that the measurement list is complete. The simplest solution, not necessarily
>> > the best, would be to punt the problem for the time being by replacing the
>> > "select" with a different hash algorithm.
>>
>> Yes, that would work as well. IIUC, it would mean that we would
>> e.g. extend truncated SHA-256 template hashes into a SHA-1 bank, right?
>> However, since no existing tool like 'ima_measurement' is expecting
>> that, and would fail a verification then, I'm currently struggling to
>> see the advantage over just doing a.) and invalidating the PCR banks
>> with a fixed value right away?
>
> Replacing the "Kconfig select" has more to do with having at least one
> guaranteed complete measurement list. I'm fine with extending a TPM bank with
> an unknown kernel hash algorithm violation (either option a or b).
Ok, I think I got it now.
FWIW, a v2 can be found at
https://lore.kernel.org/r/20250323140911.226137-1-nstange@suse.de , including a
patch for selecting SHA256 now.
Thanks a lot for all your feedback!
Nicolai
--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
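The point Nicolai makes above (a tool such as ima_measurement replays the list assuming a native template hash per bank, so a bank fed with truncated SHA-256 digests fails verification) can be reproduced with a small PCR-replay model. The following is an added example written for this page; it is not code from the patch series, from the kernel or from ima-evm-utils. It assumes a constructed three-entry measurement list, a simplified template hash (a plain digest of the constructed template data rather than the encoded ima-ng field array), and models option (b) from the thread as "ima_hash_algo digest truncated or zero-padded to the bank's digest size". The `pcr_extend` rule itself, PCR_new = H_bank(PCR_old || digest), is the standard TPM extend operation.

```python
import hashlib
from typing import Optional

IMA_HASH_ALGO = "sha256"        # ima_hash_algo of the simulated kernel (assumption)
TPM_BANKS = ("sha1", "sha256")  # PCR banks allocated by the simulated TPM (assumption)

# Constructed ima-ng style template data. Real entries carry more fields and
# the template hash covers the encoded field array; this is a simplification.
MEASUREMENT_LIST = [
    b"sha256:" + hashlib.sha256(b"boot_aggregate").hexdigest().encode() + b" boot_aggregate",
    b"sha256:" + hashlib.sha256(b"init contents").hexdigest().encode() + b" /sbin/init",
    b"sha256:" + hashlib.sha256(b"fstab contents").hexdigest().encode() + b" /etc/fstab",
]


def bank_size(alg: str) -> int:
    """Digest size in bytes of a PCR bank algorithm."""
    return hashlib.new(alg).digest_size


def fit_to_bank(digest: bytes, size: int) -> bytes:
    """Truncate a long digest or zero-pad a short one to the bank's digest size."""
    return digest[:size].ljust(size, b"\x00")


def pcr_extend(bank_alg: str, pcr: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: PCR_new = H_bank(PCR_old || digest)."""
    return hashlib.new(bank_alg, pcr + fit_to_bank(digest, bank_size(bank_alg))).digest()


def kernel_template_digest(bank_alg: str, data: bytes, kernel_algos: set) -> bytes:
    """Digest the simulated kernel extends into bank_alg for one list entry."""
    if bank_alg in kernel_algos:
        return hashlib.new(bank_alg, data).digest()
    # Bank algorithm not available in this kernel: option (b) from the thread,
    # the ima_hash_algo template hash truncated/padded to the bank size.
    return fit_to_bank(hashlib.new(IMA_HASH_ALGO, data).digest(), bank_size(bank_alg))


def run_kernel(kernel_algos: set) -> dict:
    """Simulated boot: extend every entry into every bank, return final PCRs."""
    pcrs = {alg: bytes(bank_size(alg)) for alg in TPM_BANKS}
    for data in MEASUREMENT_LIST:
        for alg in TPM_BANKS:
            pcrs[alg] = pcr_extend(alg, pcrs[alg],
                                   kernel_template_digest(alg, data, kernel_algos))
    return pcrs


def verifier_replay(bank_alg: str, template_algo: str) -> bytes:
    """Verifier side: hash each entry with template_algo, replay into the bank.
    An existing tool uses template_algo == bank_alg for every bank."""
    pcr = bytes(bank_size(bank_alg))
    for data in MEASUREMENT_LIST:
        pcr = pcr_extend(bank_alg, pcr, hashlib.new(template_algo, data).digest())
    return pcr


def verify(pcrs: dict, bank_alg: str, template_algo: Optional[str] = None) -> bool:
    """True when the replayed PCR equals the value the kernel left in the TPM."""
    return verifier_replay(bank_alg, template_algo or bank_alg) == pcrs[bank_alg]


if __name__ == "__main__":
    # Today: Kconfig selects SHA1, so both banks carry native template hashes.
    today = run_kernel({"sha1", "sha256"})
    print("sha1 bank, kernel with SHA-1:", verify(today, "sha1"))  # True

    # Kernel without SHA-1 that extends truncated SHA-256 into the SHA-1 bank.
    no_sha1 = run_kernel({"sha256"})
    print("sha1 bank, legacy verifier:", verify(no_sha1, "sha1"))  # False
    print("sha1 bank, verifier knowing the fallback:",
          verify(no_sha1, "sha1", "sha256"))  # True
    print("sha256 bank unaffected:", verify(no_sha1, "sha256"))  # True
```

The legacy verifier fails only because it cannot know which digest the kernel substituted; a verifier taught the fallback rule replays fine. That is why the thread treats "which value goes into a bank the kernel cannot compute" as a contract with userspace tooling rather than a kernel-internal detail, and why having at least one bank whose algorithm is guaranteed to exist in both the running and the kexec'ed kernel keeps one measurement list complete.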