lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4efc3cd7521eb1aef435af2b02a9a112f049c0f2.camel@linux.ibm.com>
Date: Wed, 26 Mar 2025 10:48:01 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Nicolai Stange <nstange@...e.de>
Cc: Roberto Sassu <roberto.sassu@...wei.com>,
        Dmitry Kasatkin
 <dmitry.kasatkin@...il.com>,
        Eric Snowberg <eric.snowberg@...cle.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        James Bottomley
 <James.Bottomley@...senPartnership.com>,
        linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 02/13] ima: always create runtime_measurements
 sysfs file for ima_hash

On Wed, 2025-03-26 at 14:46 +0100, Nicolai Stange wrote:
> Mimi Zohar <zohar@...ux.ibm.com> writes:
> 
> > On Wed, 2025-03-26 at 09:21 +0100, Nicolai Stange wrote:
> > > Mimi Zohar <zohar@...ux.ibm.com> writes:
> > > 
> > > > On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
> 
> > > > "ima_hash" is the default file hash algorithm.  Re-using it as the default
> > > > complete measurement list assumes that the subsequent kexec'ed kernels configure
> > > > and define it as the default file hash algorithm as well, which might not be the
> > > > case.
> > > 
> > > I don't really see why the ima_hashes would have to match between kexecs
> > > for this to work -- all events' template hashes are getting recreated
> > > from scratch anyway after kexec (ima_restore_measurement_list() ->
> > > ima_calc_field_array_hash()).
> > > 
> > > That is, if ima_hash=sha256 first, and ima_hash=sha384 after kexec, one
> > > would have *runtime_measurements_sha256 first and
> > > *runtime_measurements_sha384 after kexec. And both had exclusively
> > > template hashes of their respective algo in them each.
> > > 
> > > What am I missing?
> > 
> > Your solution would work nicely, if the "ima_hash" algorithm could be guaranteed
> > to be built into the kernel.  It's highly unlikely someone would choose a hash
> > algorithm not built into kernel, but it is possible.  hash_setup() only verifies
> > that the hash algorithm is a valid name.
> 
> But ima_init_ima_crypto(), hence the whole IMA __init, would fail if
> ima_hash was unavailable at __init time?

Thanks for pointing that out!  Now I understand why just selecting SHA256 is
sufficient.

Mimi

> 
> > Either fix hash_setup() to guarantee that the chosen hash algorithm is built
> > into the kernel or use the CONFIG_IMA_DEFAULT_HASH and add a Kconfig to select
> > the hash algorithm.  This would be in lieu of v2 05/13.
> > 
> > > > Drop this patch.
> > > 
> > > Fine by me, but just to confirm, in case there's no TPM attached and
> > > SHA1 was disabled, there would be no /sys/*/*runtime_measurement* at all
> > > then. Is that Ok?
> > 
> > Of course not.  :)
> > 
> > > ima_hash was chosen here only, because after this series, it will be the
> > > only single algorithm guaranteed to be available.
> > 
> > With the proposed changes to "[RFC PATCH v2 05/13] ima: select CRYPTO_SHA256
> > from Kconfig', SHA256 would be added to the "extra" measurements if the TPM
> > SHA256 bank is disabled.
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ