Message-ID: <caebe20b5f30cb76ba8021443ba50ad06a2ef570.camel@huaweicloud.com>
Date: Tue, 27 Jan 2026 11:02:05 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: Dmitry Safonov <dima@...sta.com>
Cc: Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu
 <roberto.sassu@...wei.com>,  Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
 Eric Snowberg <eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>,
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Silvia Sisinni <silvia.sisinni@...ito.it>, Enrico Bravi
 <enrico.bravi@...ito.it>, linux-integrity@...r.kernel.org, 
 linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, Dmitry
 Safonov <0x7f454c46@...il.com>
Subject: Re: [PATCH] ima_fs: Avoid creating measurement lists for
 unsupported hash algos

On Tue, 2026-01-27 at 09:55 +0000, Dmitry Safonov wrote:
> On Tue, Jan 27, 2026 at 9:15 AM Roberto Sassu
> <roberto.sassu@...weicloud.com> wrote:
> > 
> > On Tue, 2026-01-27 at 03:05 +0000, Dmitry Safonov via B4 Relay wrote:
> > > From: Dmitry Safonov <dima@...sta.com>
> > > 
> > > ima_init_crypto() skips initializing ima_algo_array[i] if the alogorithm
> > 
> > Algorithm.
> 
> Thanks.
> 
> [..]
> > > --- a/security/integrity/ima/ima_fs.c
> > > +++ b/security/integrity/ima/ima_fs.c
> > > @@ -404,6 +404,9 @@ static int __init create_securityfs_measurement_lists(void)
> > >               char file_name[NAME_MAX + 1];
> > >               struct dentry *dentry;
> > > 
> > > +             if (algo == HASH_ALGO__LAST)
> > > +                     continue;
> > > +
> > >               sprintf(file_name, "ascii_runtime_measurements_%s",
> > >                       hash_algo_name[algo]);
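Review bot: the continue on HASH_ALGO__LAST keeps the sprintf that follows from indexing hash_algo_name[algo] one past the end of the table, but it also silently drops the measurement list for that bank even though the entries exist; since the TPM algorithm ID is still available (ima_tpm_chip->allocated_banks[i].alg_id, as the reply below points out), a fallback name such as ascii_runtime_measurements_tpm_<alg_id hex> would keep those lists readable instead of hiding them. Whichever way this goes, a one-line comment above the check stating that HASH_ALGO__LAST here means a TPM bank with no kernel crypto mapping would help the next reader, and as this is meant for -stable a Fixes: tag would help the backport.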
> > 
> > Thanks, but I think we can also print the unsupported digests, since
> > they are there. Since we don't have the algorithm name, we can make
> > ours like tpm_<algo hex>.
> 
> I'm not quite sure what you mean. `algo` here is HASH_ALGO__LAST as
> you see by the check added. As it's initialized by
> ima_tpm_chip->allocated_banks[i].crypto_id, I presume it's
> HASH_ALGO__LAST there as well (didn't check this assumption though).
> Do you mean to print hex value of HASH_ALGO__LAST?

Even if you don't have the crypto ID because the TPM ID is not mapped,
you can still use the TPM ID (ima_tpm_chip->allocated_banks[i].alg_id).

I wanted to have a file name that includes the TPM ID.

Roberto

> > Once this is fixed, you can try to make SHA3_256 supported. Add the
> > TPM_ALG_SHA3_256 definition in tpm.h and the mapping in tpm2-cmd.c
> > (array tpm2_hash_map).
> 
> Yeah, I thought of doing this, asked the related folks and they said
> it might be worth it if it's a simple/trivial patch. Will try if time
> permits, somewhat busy with bug fixes at this moment. This one is just
> a fix for a read out-of-bounds for -stable (and I managed to forget to
> Cc them! hehe).
> 
> Going to send v2 with the typo fix and -stable Cc'ed if that sounds good to you.
> 
> > 
> > Thanks
> > 
> > Roberto
> [..]
> 
> Thanks,
>             Dmitry
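The following is an added example and not code from the kernel or from either participant in this thread. It is a userspace model of the situation being discussed: a TPM exposes several PCR banks, the kernel maps each bank's TPM algorithm ID to a crypto ID (or to HASH_ALGO__LAST when there is no mapping), and ima_fs derives a securityfs file name from that crypto ID. The enum, the name table, the tpm2_hash_map stand-in and struct tpm_bank_info are simplified assumptions mirroring the shape of the kernel's types, not copies of them; the TPM algorithm values are the ones from the TCG algorithm registry; and the tpm_<alg_id hex> fallback is one concrete rendering of the naming Roberto proposes above. The sample bank list is constructed for the example.

```c
/* Added example (not kernel code): model of IMA's per-bank measurement
 * list naming, showing why HASH_ALGO__LAST must not index the name table
 * and how a TPM-ID based fallback keeps unsupported banks visible. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the kernel's enum hash_algo: HASH_ALGO__LAST is
 * the sentinel one past the last valid index, so hash_algo_name[HASH_ALGO__LAST]
 * would be an out-of-bounds read. */
enum hash_algo { HASH_ALGO_SHA1, HASH_ALGO_SHA256, HASH_ALGO_SHA384,
                 HASH_ALGO_SHA512, HASH_ALGO_SM3_256, HASH_ALGO__LAST };

static const char *const hash_algo_name[HASH_ALGO__LAST] = {
    "sha1", "sha256", "sha384", "sha512", "sm3",
};

/* TPM 2.0 algorithm identifiers (TCG algorithm registry). */
#define TPM_ALG_SHA1      0x0004
#define TPM_ALG_SHA256    0x000B
#define TPM_ALG_SHA384    0x000C
#define TPM_ALG_SHA512    0x000D
#define TPM_ALG_SM3_256   0x0012
#define TPM_ALG_SHA3_256  0x0027   /* deliberately absent from the map below */

/* Stand-in for tpm2_hash_map: TPM alg_id -> kernel crypto_id. A bank whose
 * alg_id is not listed gets HASH_ALGO__LAST, the case the patch guards. */
struct tpm2_hash { uint16_t tpm_id; enum hash_algo crypto_id; };
static const struct tpm2_hash tpm2_hash_map[] = {
    { TPM_ALG_SHA1,    HASH_ALGO_SHA1    }, { TPM_ALG_SHA256, HASH_ALGO_SHA256 },
    { TPM_ALG_SHA384,  HASH_ALGO_SHA384  }, { TPM_ALG_SHA512, HASH_ALGO_SHA512 },
    { TPM_ALG_SM3_256, HASH_ALGO_SM3_256 },
};

static enum hash_algo tpm_to_crypto_id(uint16_t tpm_id)
{
    for (size_t i = 0; i < sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[0]); i++)
        if (tpm2_hash_map[i].tpm_id == tpm_id)
            return tpm2_hash_map[i].crypto_id;
    return HASH_ALGO__LAST;
}

/* Stand-in for one entry of ima_tpm_chip->allocated_banks[]. */
struct tpm_bank_info { uint16_t alg_id; enum hash_algo crypto_id; };

/* Build the securityfs file name for a bank. Mapped algorithms use the
 * kernel name; unmapped ones fall back to tpm_<alg_id hex> rather than
 * indexing hash_algo_name[] with HASH_ALGO__LAST.
 * Returns the number of characters written, or -1 on truncation. */
static int measurement_list_name(const struct tpm_bank_info *bank,
                                 char *buf, size_t len)
{
    int n;
    if (bank->crypto_id < HASH_ALGO__LAST)
        n = snprintf(buf, len, "ascii_runtime_measurements_%s",
                     hash_algo_name[bank->crypto_id]);
    else
        n = snprintf(buf, len, "ascii_runtime_measurements_tpm_%04x",
                     (unsigned)bank->alg_id);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Derive the crypto_id from the TPM id (as the kernel does when it
 * allocates the banks) and name the list for that bank. */
static int name_for_tpm_bank(uint16_t alg_id, char *buf, size_t len)
{
    struct tpm_bank_info bank = { .alg_id = alg_id,
                                  .crypto_id = tpm_to_crypto_id(alg_id) };
    return measurement_list_name(&bank, buf, len);
}

int main(void)
{
    /* Constructed bank list: a TPM exposing SHA-1, SHA-256 and SHA3-256. */
    const uint16_t banks[] = { TPM_ALG_SHA1, TPM_ALG_SHA256, TPM_ALG_SHA3_256 };
    char name[256];
    for (size_t i = 0; i < sizeof(banks) / sizeof(banks[0]); i++) {
        if (name_for_tpm_bank(banks[i], name, sizeof(name)) < 0)
            return 1;
        printf("bank 0x%04x -> %s\n", (unsigned)banks[i], name);
    }
    return 0;
}
```

With the constructed bank list the SHA-1 and SHA-256 banks get their usual names and the SHA3-256 bank becomes ascii_runtime_measurements_tpm_0027; with the patch as posted that third file would instead simply not be created.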

