linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Petr Vorel <pvorel@suse.cz>,
	Thiago Jung Bauermann <bauerman@linux.ibm.com>,
	Prakhar Srivastava <prsriva02@gmail.com>
Subject: Re: [PATCH v1 0/5] ima-evm-utils: Assorted fixes and improvements
Date: Thu, 11 Jul 2019 15:25:40 -0400	[thread overview]
Message-ID: <1562873140.4014.90.camel@linux.ibm.com> (raw)
In-Reply-To: <20190709154333.33345iepccstscpv@altlinux.org>

On Tue, 2019-07-09 at 18:43 +0300, Vitaly Chikunov wrote:
> On Mon, Jul 08, 2019 at 11:30:50AM -0400, Mimi Zohar wrote:
> > [Cc'ing Roberto, Petr, Thiago, Prakhar]
> > Now that we're including ALL the kernel exported hash_info algorithms,
> > a colleague suggested defining a list of deprecated hash algorithms.
> >  Instead of preventing the usage of these deprecated hash algorithms,
> > initially I would start out with a warning.  It would be helpful to
> > indicate which standard deprecated the hash algorithm and year.  At
> > some point, we might want to prevent their usage in signing files, but
> > not verifying file signatures.
> 
> I think this is not a problem, because user explicitly states which hash
> algorithm he wants to use. Except for SHA1, which is also silent
> fallback algorithm. I think this fallback mechanism should be removed.

I don't see a problem with informing whoever is using ima-evm-utils,
that the requested hash algorithm has been deprecated.  Just as NIST
has deprecated the use of sha1 for most usecases, certain versions of
the gost standard have also been deprecated.

Someone verifying the measurement list or the filesystem signatures
should be informed that although the verification succeeded, or not,
some of the signatures verified were based on deprecated hash
algorithms.  Maybe something along the lines of "<algorithm> hash
algorithm was deprecated (<year> - <standard>)"?  In verbose mode, the
message could include the filename.

The EVM hmac is still sha1 based, but that shouldn't affect ima-evm-
utils.  So yes we should explicitly require a valid hash algorithm and
not fall back to using sha1.

> 
> Also, return values of sign_hash/ima_calc_hash/etc are not defined
> clearly and callers have weird checks such as `if (len <= 1)`. I think
> this should be conceptually simplified and made them `return -1` on any
> error.

Agreed.  Mostly these functions are returning "-1" on error.  There
are a few places returning 1 instead.

> 
> 
> > evmctl "ima_measurement" doesn't support custom template definitions.
> > Also missing is support for verifying the "ima-buf" kexec command boot
> > command line and the "ima-modsig" template appended signature.
> > 
> > David Jacobson started writing a regression framework and posted a v2
> > version.  I'd really appreciate help with cleaning up that code. 
> 
> Maybe tests should be integrated into ima-evm-utils too.

Including regression tests in ima-evm-utils is the plan. :)

Mimi


  reply	other threads:[~2019-07-11 19:26 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-07 23:48 [PATCH v1 0/5] ima-evm-utils: Assorted fixes and improvements Vitaly Chikunov
2019-07-07 23:48 ` [PATCH v1 1/5] ima-evm-utils: Fix EVP_MD_CTX leak in ima_calc_hash Vitaly Chikunov
2019-07-07 23:48 ` [PATCH v1 2/5] ima-evm-utils: Fix memory leak in init_public_keys Vitaly Chikunov
2019-07-07 23:48 ` [PATCH v1 3/5] ima-evm-utils: Preload public keys for ima_verify Vitaly Chikunov
2019-07-07 23:48 ` [PATCH v1 4/5] ima-evm-utils: Allow multiple files in ima_verify Vitaly Chikunov
2019-07-27  2:49   ` Vitaly Chikunov
2019-07-07 23:48 ` [PATCH v1 5/5] ima-evm-utils: Fix clang warning about possible unaligned pointer for hdr->keyid Vitaly Chikunov
2019-07-08 15:30 ` [PATCH v1 0/5] ima-evm-utils: Assorted fixes and improvements Mimi Zohar
2019-07-09 15:43   ` Vitaly Chikunov
2019-07-11 19:25     ` Mimi Zohar [this message]
2019-07-17 16:38     ` Petr Vorel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1562873140.4014.90.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=bauerman@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=prsriva02@gmail.com \
    --cc=pvorel@suse.cz \
    --cc=roberto.sassu@huawei.com \
    --cc=vt@altlinux.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).