lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <875xjwrymf.fsf@>
Date: Wed, 26 Mar 2025 09:21:12 +0100
From: Nicolai Stange <nstange@...e.de>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Nicolai Stange <nstange@...e.de>,  Roberto Sassu
 <roberto.sassu@...wei.com>,  Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
  Eric Snowberg <eric.snowberg@...cle.com>,  Jarkko Sakkinen
 <jarkko@...nel.org>,  James Bottomley
 <James.Bottomley@...senPartnership.com>,  linux-integrity@...r.kernel.org,
  linux-security-module@...r.kernel.org,  linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 02/13] ima: always create runtime_measurements
 sysfs file for ima_hash

Mimi Zohar <zohar@...ux.ibm.com> writes:

> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> runtime_measurements_<hash-algo> sysfs files are getting created for
>> each PCR bank + for SHA-1.
>> 
>> Now that runtime_measurements_<hash-algo> sysfs file creation is being
>> skipped for unsupported hash algorithms, it will become possible that no
>> such file would be provided at all once SHA-1 is made optional in a
>> later patch.
>> 
>> Always create the file for the 'ima_hash' algorithm, even if it's not
>> associated with any of the PCR banks. As IMA initialization will
>> continue to fail if the ima_hash algorithm is not available to the
>> kernel, this guarantees that at least one such file will always be
>> there.
>> 
>> Signed-off-by: Nicolai Stange <nstange@...e.de>
>> ---
>>  security/integrity/ima/ima_fs.c | 6 ++----
>>  1 file changed, 2 insertions(+), 4 deletions(-)
>> 
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
>> index a8df2fe5f4cb..f030ff7f56da 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -436,10 +436,8 @@ static int __init create_securityfs_measurement_lists(void)
>>  	u16 algo;
>>  	int i;
>>  
>> -	securityfs_measurement_list_count = NR_BANKS(ima_tpm_chip);
>> -
>> -	if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip))
>> -		securityfs_measurement_list_count++;
>> +	securityfs_measurement_list_count =
>> +		NR_BANKS(ima_tpm_chip) + ima_extra_slots;
>>  
>>  	ascii_securityfs_measurement_lists =
>>  	    kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
>
> "ima_hash" is the default file hash algorithm.  Re-using it as the default
> complete measurement list assumes that the subsequent kexec'ed kernels configure
> and define it as the default file hash algorithm as well, which might not be the
> case.

I don't really see why the ima_hashes would have to match between kexecs
for this to work -- all events' template hashes are getting recreated
from scratch anyway after kexec (ima_restore_measurement_list() ->
ima_calc_field_array_hash()).

That is, if ima_hash=sha256 first, and ima_hash=sha384 after kexec, one
would have *runtime_measurements_sha256 first and
*runtime_measurements_sha384 after kexec. And both had exclusively
template hashes of their respective algo in them each.

What am I missing?


> Drop this patch.

Fine by me, but just to confirm, in case there's no TPM attached and
SHA1 was disabled, there would be no /sys/*/*runtime_measurement* at all
then. Is that Ok?

ima_hash was chosen here only, because after this series, it will be the
only single algorithm guaranteed to be available.

Thanks!

Nicolai


> Defer allocating the "extra" non-sha1 bank.  A subsequent patch will select
> SHA256.  Based on the chosen algorithm, define the "extra" non-sha1 bank.
>
-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ