linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
	Petr Vorel <pvorel@suse.cz>,
	Thiago Jung Bauermann <bauerman@linux.ibm.com>,
	Prakhar Srivastava <prsriva02@gmail.com>
Subject: Re: [PATCH v1 0/5] ima-evm-utils: Assorted fixes and improvements
Date: Mon, 08 Jul 2019 11:30:50 -0400	[thread overview]
Message-ID: <1562599850.11461.43.camel@linux.ibm.com> (raw)
In-Reply-To: <20190707234837.4866-1-vt@altlinux.org>

[Cc'ing Roberto, Petr, Thiago, Prakhar]

Hi Vitaly,

On Mon, 2019-07-08 at 02:48 +0300, Vitaly Chikunov wrote:
> There are small fixes and improvements to ima-evm-utils.
> Tested on x86_64.
> 
> Vitaly Chikunov (5):
>   ima-evm-utils: Fix EVP_MD_CTX leak in ima_calc_hash
>   ima-evm-utils: Fix memory leak in init_public_keys
>   ima-evm-utils: Preload public keys for ima_verify
>   ima-evm-utils: Allow multiple files in ima_verify
>   ima-evm-utils: Fix clang warning about possible unaligned pointer for
>     hdr->keyid
> 
>  src/evmctl.c    | 11 ++++++++---
>  src/libimaevm.c | 38 ++++++++++++++++++++++++++------------
>  2 files changed, 34 insertions(+), 15 deletions(-)

Thanks, this patch set looks good.  These patches, the "ima-evm-utils: 
Convert v2 signatures from RSA to EVP_PKEY AP", and the two patches I
posted today are now in #next, but I'd really appreciate some
additional Review's/Tested's on these patches.

Now that we're including ALL the kernel exported hash_info algorithms,
a colleague suggested defining a list of deprecated hash algorithms.
Instead of preventing the usage of these deprecated hash algorithms,
initially I would start out with a warning.  It would be helpful to
indicate which standard deprecated the hash algorithm and year.  At
some point, we might want to prevent their usage in signing files, but
not verifying file signatures.

evmctl "ima_measurement" doesn't support custom template definitions.
Also missing is support for verifying the "ima-buf" kexec boot command
line and the "ima-modsig" template appended signature.

David Jacobson started writing a regression framework and posted a v2
version.  I'd really appreciate help with cleaning up that code. 

Any other comments/suggestions/ideas?

thanks,

Mimi

