[PATCH 0/6] ima-evm-utils: miscellanous code clean up and bug fixes

[PATCH 0/6] ima-evm-utils: miscellanous code clean up and bug fixes

[Mimi Zohar]

The IMA LTP and standalone tests supported a number of features
properly, but were not carried forward in ima-evm-utils.  For example,
hard coding "fixing" file time of measure, time of use (ToMToU)
violations, rather than requiring the "--validate" command option.
Similarly, verifying the template data digest against the template data
should be optional ("--verify").

On some older systems, the Linux kernel header package does not include
"hash_info.h", which results in the crypto algorithm strings not being
defined.  To address this problem, hash_info.gen defines a "heredoc" to
generate the "hash_info.h" file.

The remaining changes are simple bug fixes.

Mimi

Mimi Zohar (6):
  ima-evm-utils: fix PCRAggr error message
  ima-evm-utils: fix measurement violation checking
  ima-evm-utils: don't hardcode validating the IMA measurement list
  ima-evm-utils: calculate and verify the template data digest
  ima-evm-utils: use uint32_t for template length
  ima-evm-utils: define a basic hash_info.h file

 src/Makefile.am   |  2 +-
 src/evmctl.c      | 38 ++++++++++++++++++++++++++++----------
 src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 11 deletions(-)

-- 
2.7.5

[PATCH 1/6] ima-evm-utils: fix PCRAggr error message

[Mimi Zohar]

Display the correct TPM PCR value.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 46b7092b469d..1a5f3545d844 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1635,7 +1635,7 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 					 bank[i].algo_name, j);
 			else
 				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
-					 bank[i].algo_name, i, i);
+					 bank[i].algo_name, j, j);
 		}
 	}
 	return ret;
-- 
2.7.5

[PATCH 2/6] ima-evm-utils: fix measurement violation checking

[Mimi Zohar]

The template data digest for file measurement time of measure, time of
use (ToMToU) violations is zero.  Don't calculate the template data
digest for the different banks.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 1a5f3545d844..71712d91703a 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1736,10 +1736,19 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 			continue;
 		}
 
-		err = calculate_template_digest(pctx, md, entry, &bank[i]);
-		if (!err) {
-			bank[i].supported = 0;
-			continue;
+		/*
+		 * Measurement violations are 0x00 digests.  No need to
+		 * calculate the per TPM bank template digests.
+		 */
+		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0)
+			memset(bank[i].digest, 0x00, bank[i].digest_size);
+		else {
+			err = calculate_template_digest(pctx, md, entry,
+							&bank[i]);
+			if (!err) {
+				bank[i].supported = 0;
+				continue;
+			}
 		}
 
 		/* extend TPM BANK with template digest */
-- 
2.7.5

[PATCH 3/6] ima-evm-utils: don't hardcode validating the IMA measurement list

[Mimi Zohar]

File time of measure, time of use (ToMToU) violations are annotated in
the measurement list by including a template data digest of zeroes, but
extending the TPM with 0xFF's.  This causes validating the measurement
against the TPM PCRs to fail.  To validate the measurement list against
the PCRs requires replacing the zero template data digest with OxFF's.

The default behavior, unless specifically requested, should be to fail
the measurement list verification.  Support validating the measurement
list based on a "--validate" option.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 71712d91703a..3c4483ef2b0e 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1412,7 +1412,7 @@ struct template_entry {
 static uint8_t zero[MAX_DIGEST_SIZE];
 static uint8_t fox[MAX_DIGEST_SIZE];
 
-int validate = 1;
+static int validate = 0;
 
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -2156,7 +2156,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2195,6 +2195,7 @@ static struct option opts[] = {
 	{"list", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
+	{"validate", 0, 0, 141},
 	{}
 
 };
@@ -2373,6 +2374,9 @@ int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
+		case 141: /* --validate */
+			validate = 1;
+			break;
 		case '?':
 			exit(1);
 			break;
-- 
2.7.5

[PATCH 4/6] ima-evm-utils: calculate and verify the template data digest

[Mimi Zohar]

Validating a TPM quote of PCR-10, the default IMA PCR, requires not only
sending the quote to the verifier, but the IMA measurement list as well.
The attestation server can verify the IMA measurement list simply by
walking the measurement list and re-calculating the PCRs based on the
template data digest.  In addition, the attestation server could verify
the template data digest based on the template data.

The LTP and standalone "ima_measure" test optionally verify the template
data digest.  Similarly add "--verify" support to conditionally verify
the template data digest against the template data.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 3c4483ef2b0e..eda7dd845930 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1413,6 +1413,7 @@ static uint8_t zero[MAX_DIGEST_SIZE];
 static uint8_t fox[MAX_DIGEST_SIZE];
 
 static int validate = 0;
+static int verify = 0;
 
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -1875,7 +1876,7 @@ static int ima_measurement(const char *file)
 
 		extend_tpm_banks(&entry, num_banks, pseudo_banks);
 
-		if (validate)
+		if (verify)
 			ima_verify_template_hash(&entry);
 
 		if (!strcmp(entry.name, "ima"))
@@ -2156,7 +2157,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2196,6 +2197,7 @@ static struct option opts[] = {
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
 	{"validate", 0, 0, 141},
+	{"verify", 0, 0, 142},
 	{}
 
 };
@@ -2377,6 +2379,9 @@ int main(int argc, char *argv[])
 		case 141: /* --validate */
 			validate = 1;
 			break;
+		case 142: /* --verify */
+			verify = 1;
+			break;
 		case '?':
 			exit(1);
 			break;
-- 
2.7.5

[PATCH 5/6] ima-evm-utils: use uint32_t for template length

[Mimi Zohar]

The template length should never be less than zero.  Replace "int" with
"uint32_t".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index eda7dd845930..9162de2a5aeb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1404,9 +1404,9 @@ struct template_entry {
 		uint32_t name_len;
 	} header  __packed;
 	char name[TCG_EVENT_NAME_LEN_MAX + 1];
-	int template_len;
+	uint32_t template_buf_len;
+	uint32_t template_len;
 	uint8_t *template;
-	int template_buf_len;
 };
 
 static uint8_t zero[MAX_DIGEST_SIZE];
-- 
2.7.5

[PATCH 6/6] ima-evm-utils: define a basic hash_info.h file

[Mimi Zohar]

Some older system kernel header packages don't necessarily include
hash_info.h.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/Makefile.am   |  2 +-
 src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 36652427a8ec..9bbff5034ef4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -34,5 +34,5 @@ endif
 
 AM_CPPFLAGS = -I$(top_srcdir) -include config.h
 
-CLEANFILES = hash_info.h
+CLEANFILES = hash_info.h tmp_hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
diff --git a/src/hash_info.gen b/src/hash_info.gen
index 54532ca5b847..5f7a97fb3117 100755
--- a/src/hash_info.gen
+++ b/src/hash_info.gen
@@ -18,11 +18,54 @@ KERNEL_HEADERS=$1
 HASH_INFO_H=uapi/linux/hash_info.h
 HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
 
+TMPHASHINFO="./tmp_hash_info.h"
+gen_hashinfo() {
+cat << __EOF__ >$TMPHASHINFO
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Hash Info: Hash algorithms information
+ *
+ * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+enum hash_algo {
+	HASH_ALGO_MD4,
+	HASH_ALGO_MD5,
+	HASH_ALGO_SHA1,
+	HASH_ALGO_RIPE_MD_160,
+	HASH_ALGO_SHA256,
+	HASH_ALGO_SHA384,
+	HASH_ALGO_SHA512,
+	HASH_ALGO_SHA224,
+	HASH_ALGO_RIPE_MD_128,
+	HASH_ALGO_RIPE_MD_256,
+	HASH_ALGO_RIPE_MD_320,
+	HASH_ALGO_WP_256,
+	HASH_ALGO_WP_384,
+	HASH_ALGO_WP_512,
+	HASH_ALGO_TGR_128,
+	HASH_ALGO_TGR_160,
+	HASH_ALGO_TGR_192,
+	HASH_ALGO_SM3_256,
+	HASH_ALGO__LAST
+};
+__EOF__
+}
+
 # Allow to specify kernel-headers past include/
 if [ ! -e $HASH_INFO ]; then
   HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
   if [ -e $HASH_INFO2 ]; then
     HASH_INFO=$HASH_INFO2
+  else
+    gen_hashinfo
+    HASH_INFO="$TMPHASHINFO"
   fi
 fi
 
-- 
2.7.5

Re: [PATCH 6/6] ima-evm-utils: define a basic hash_info.h file

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 2507 bytes --]

Hi Mimi,

On Mon, Jul 06, 2020 at 10:26:31PM -0400, Mimi Zohar wrote:
> Some older system kernel header packages don't necessarily include
> hash_info.h.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  src/Makefile.am   |  2 +-
>  src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 44 insertions(+), 1 deletion(-)
> 
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 36652427a8ec..9bbff5034ef4 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -34,5 +34,5 @@ endif
>  
>  AM_CPPFLAGS = -I$(top_srcdir) -include config.h
>  
> -CLEANFILES = hash_info.h
> +CLEANFILES = hash_info.h tmp_hash_info.h
>  DISTCLEANFILES = @DISTCLEANFILES@
> diff --git a/src/hash_info.gen b/src/hash_info.gen
> index 54532ca5b847..5f7a97fb3117 100755
> --- a/src/hash_info.gen
> +++ b/src/hash_info.gen
> @@ -18,11 +18,54 @@ KERNEL_HEADERS=$1
>  HASH_INFO_H=uapi/linux/hash_info.h
>  HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
>  
> +TMPHASHINFO="./tmp_hash_info.h"
> +gen_hashinfo() {
> +cat << __EOF__ >$TMPHASHINFO
> +/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
> +/*
> + * Hash Info: Hash algorithms information
> + *
> + * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the Free
> + * Software Foundation; either version 2 of the License, or (at your option)
> + * any later version.
> + *
> + */
> +
> +enum hash_algo {
> +	HASH_ALGO_MD4,
> +	HASH_ALGO_MD5,
> +	HASH_ALGO_SHA1,
> +	HASH_ALGO_RIPE_MD_160,
> +	HASH_ALGO_SHA256,
> +	HASH_ALGO_SHA384,
> +	HASH_ALGO_SHA512,
> +	HASH_ALGO_SHA224,
> +	HASH_ALGO_RIPE_MD_128,
> +	HASH_ALGO_RIPE_MD_256,
> +	HASH_ALGO_RIPE_MD_320,
> +	HASH_ALGO_WP_256,
> +	HASH_ALGO_WP_384,
> +	HASH_ALGO_WP_512,
> +	HASH_ALGO_TGR_128,
> +	HASH_ALGO_TGR_160,
> +	HASH_ALGO_TGR_192,
> +	HASH_ALGO_SM3_256,
> +	HASH_ALGO__LAST
> +};
> +__EOF__

Just a minor point on HASH_ALGO_SM3_256:

The old kernels that didn't export hash_info.h uapi didn't support
HASH_ALGO_SM3_256 as well. Wouldn't it be better to also not include it
in the tmp_hash_info considering it'll be used only by those running
older kernels without SM3 support?

Keeping it won't cause any issues though. So I'm fine with it either
way.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 6/6] ima-evm-utils: define a basic hash_info.h file

[Mimi Zohar]

On Wed, 2020-07-15 at 14:58 -0300, Bruno Meneguele wrote:
> Hi Mimi,
> 
> On Mon, Jul 06, 2020 at 10:26:31PM -0400, Mimi Zohar wrote:
> > Some older system kernel header packages don't necessarily include
> > hash_info.h.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  src/Makefile.am   |  2 +-
> >  src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 44 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/Makefile.am b/src/Makefile.am
> > index 36652427a8ec..9bbff5034ef4 100644
> > --- a/src/Makefile.am
> > +++ b/src/Makefile.am
> > @@ -34,5 +34,5 @@ endif
> >  
> >  AM_CPPFLAGS = -I$(top_srcdir) -include config.h
> >  
> > -CLEANFILES = hash_info.h
> > +CLEANFILES = hash_info.h tmp_hash_info.h
> >  DISTCLEANFILES = @DISTCLEANFILES@
> > diff --git a/src/hash_info.gen b/src/hash_info.gen
> > index 54532ca5b847..5f7a97fb3117 100755
> > --- a/src/hash_info.gen
> > +++ b/src/hash_info.gen
> > @@ -18,11 +18,54 @@ KERNEL_HEADERS=$1
> >  HASH_INFO_H=uapi/linux/hash_info.h
> >  HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
> >  
> > +TMPHASHINFO="./tmp_hash_info.h"
> > +gen_hashinfo() {
> > +cat << __EOF__ >$TMPHASHINFO
> > +/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
> > +/*
> > + * Hash Info: Hash algorithms information
> > + *
> > + * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
> > + *
> > + * This program is free software; you can redistribute it and/or modify it
> > + * under the terms of the GNU General Public License as published by the Free
> > + * Software Foundation; either version 2 of the License, or (at your option)
> > + * any later version.
> > + *
> > + */
> > +
> > +enum hash_algo {
> > +	HASH_ALGO_MD4,
> > +	HASH_ALGO_MD5,
> > +	HASH_ALGO_SHA1,
> > +	HASH_ALGO_RIPE_MD_160,
> > +	HASH_ALGO_SHA256,
> > +	HASH_ALGO_SHA384,
> > +	HASH_ALGO_SHA512,
> > +	HASH_ALGO_SHA224,
> > +	HASH_ALGO_RIPE_MD_128,
> > +	HASH_ALGO_RIPE_MD_256,
> > +	HASH_ALGO_RIPE_MD_320,
> > +	HASH_ALGO_WP_256,
> > +	HASH_ALGO_WP_384,
> > +	HASH_ALGO_WP_512,
> > +	HASH_ALGO_TGR_128,
> > +	HASH_ALGO_TGR_160,
> > +	HASH_ALGO_TGR_192,
> > +	HASH_ALGO_SM3_256,
> > +	HASH_ALGO__LAST
> > +};
> > +__EOF__
> 
> Just a minor point on HASH_ALGO_SM3_256:
> 
> The old kernels that didn't export hash_info.h uapi didn't support
> HASH_ALGO_SM3_256 as well. Wouldn't it be better to also not include it
> in the tmp_hash_info considering it'll be used only by those running
> older kernels without SM3 support?
> 
> Keeping it won't cause any issues though. So I'm fine with it either
> way.

I was debating which version to use, but couldn't decide.

For distros that probably is true, but I'm not sure about embedded.
 Commit ceecb28d3b52 ("ima-evm-utils: add SM3 to pkey_hash_algo
algorithm list") updated pkey_hash_algo[].

As it doesn't hurt, let's just keep it.

Mimi

Re: [PATCH 6/6] ima-evm-utils: define a basic hash_info.h file

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 3284 bytes --]

On Wed, Jul 15, 2020 at 03:28:58PM -0400, Mimi Zohar wrote:
> On Wed, 2020-07-15 at 14:58 -0300, Bruno Meneguele wrote:
> > Hi Mimi,
> > 
> > On Mon, Jul 06, 2020 at 10:26:31PM -0400, Mimi Zohar wrote:
> > > Some older system kernel header packages don't necessarily include
> > > hash_info.h.
> > > 
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > >  src/Makefile.am   |  2 +-
> > >  src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++
> > >  2 files changed, 44 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/Makefile.am b/src/Makefile.am
> > > index 36652427a8ec..9bbff5034ef4 100644
> > > --- a/src/Makefile.am
> > > +++ b/src/Makefile.am
> > > @@ -34,5 +34,5 @@ endif
> > >  
> > >  AM_CPPFLAGS = -I$(top_srcdir) -include config.h
> > >  
> > > -CLEANFILES = hash_info.h
> > > +CLEANFILES = hash_info.h tmp_hash_info.h
> > >  DISTCLEANFILES = @DISTCLEANFILES@
> > > diff --git a/src/hash_info.gen b/src/hash_info.gen
> > > index 54532ca5b847..5f7a97fb3117 100755
> > > --- a/src/hash_info.gen
> > > +++ b/src/hash_info.gen
> > > @@ -18,11 +18,54 @@ KERNEL_HEADERS=$1
> > >  HASH_INFO_H=uapi/linux/hash_info.h
> > >  HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
> > >  
> > > +TMPHASHINFO="./tmp_hash_info.h"
> > > +gen_hashinfo() {
> > > +cat << __EOF__ >$TMPHASHINFO
> > > +/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
> > > +/*
> > > + * Hash Info: Hash algorithms information
> > > + *
> > > + * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
> > > + *
> > > + * This program is free software; you can redistribute it and/or modify it
> > > + * under the terms of the GNU General Public License as published by the Free
> > > + * Software Foundation; either version 2 of the License, or (at your option)
> > > + * any later version.
> > > + *
> > > + */
> > > +
> > > +enum hash_algo {
> > > +	HASH_ALGO_MD4,
> > > +	HASH_ALGO_MD5,
> > > +	HASH_ALGO_SHA1,
> > > +	HASH_ALGO_RIPE_MD_160,
> > > +	HASH_ALGO_SHA256,
> > > +	HASH_ALGO_SHA384,
> > > +	HASH_ALGO_SHA512,
> > > +	HASH_ALGO_SHA224,
> > > +	HASH_ALGO_RIPE_MD_128,
> > > +	HASH_ALGO_RIPE_MD_256,
> > > +	HASH_ALGO_RIPE_MD_320,
> > > +	HASH_ALGO_WP_256,
> > > +	HASH_ALGO_WP_384,
> > > +	HASH_ALGO_WP_512,
> > > +	HASH_ALGO_TGR_128,
> > > +	HASH_ALGO_TGR_160,
> > > +	HASH_ALGO_TGR_192,
> > > +	HASH_ALGO_SM3_256,
> > > +	HASH_ALGO__LAST
> > > +};
> > > +__EOF__
> > 
> > Just a minor point on HASH_ALGO_SM3_256:
> > 
> > The old kernels that didn't export hash_info.h uapi didn't support
> > HASH_ALGO_SM3_256 as well. Wouldn't it be better to also not include it
> > in the tmp_hash_info considering it'll be used only by those running
> > older kernels without SM3 support?
> > 
> > Keeping it won't cause any issues though. So I'm fine with it either
> > way.
> 
> I was debating which version to use, but couldn't decide.
> 
> For distros that probably is true, but I'm not sure about embedded.
>  Commit ceecb28d3b52 ("ima-evm-utils: add SM3 to pkey_hash_algo
> algorithm list") updated pkey_hash_algo[].
> 
> As it doesn't hurt, let's just keep it.
> 

That's fine with me.

Thanks.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]