From: Mimi Zohar <zohar@linux.ibm.com>
To: THOBY Simon <Simon.THOBY@viveris.fr>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>
Subject: Re: Weak hash algorithms allowed with DIGEST_NG
Date: Wed, 07 Jul 2021 10:37:24 -0400 [thread overview]
Message-ID: <96afb16f1f9ac6a476b8fb7be988f90267837c6c.camel@linux.ibm.com> (raw)
In-Reply-To: <AM4PR0902MB1748D83387C6F3D39C98992F941A9@AM4PR0902MB1748.eurprd09.prod.outlook.com>
Hi Simon,
On Wed, 2021-07-07 at 09:54 +0000, THOBY Simon wrote:
<snip>
> When using evmctl and IMA-EVM in hash+HMAC mode (no digital
> signatures involved), I was suprised to see that IMA didn't complain
> if a file was hashed with an algorithm "weaker" than the one
> specified on the command line.
> Of course I suppose EVM should stop downgrade attacks (by that I mean
> an offline attacker changing the hash of a legitimate file from
> sha256 to sha1 or md5). However, if files were already hashed as md5
> - or more probably sha1 because that is still the default value for
> evmctl - then the attacker could potentially perform collision
> attacks against the weakly hashed file. The user may believe himself
> protected against collision attacks because of the 'ima_hash=sha256'
> command line parameter (with or without 'ima_template=ima-ng').
Before allowing the EVM HMAC to be updated, EVM verifies the existing
HMAC to protect against an offline attack. It doesn't prevent online
changes. Additional support to prevent crypto downgrade would need to
be added.
<snip>
> Is there any way to enforce the use of the hash specified in the
> 'ima_hash' cmdline parameter ?
The cmdline parameter overrides the compile time default hash algorithm
used for (re-)calculating the file hash.
> I couldn't find any glancing at the code, but I didn't read all of it
> and I understood even less, so I secretly hope to have missed a small
> yet critical check/option.
> And if there is no such way, would you be opposed to a patch adding
> an option (something like 'ima_enforce_hash_alg') that only allows
> digest hashed with the values supplied in the 'ima_hash' parameter ?
Please keep in mind that:
- depending on which file is not properly signed with the required
hash, the system might not boot.
- limiting the hash algorithm to a single algorithm would prevent
migrating to a stronger algorithm.
For embedded/IoT, these concerns might not be a problem.
thanks,
Mimi
next prev parent reply other threads:[~2021-07-07 14:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 9:54 Weak hash algorithms allowed with DIGEST_NG THOBY Simon
2021-07-07 14:37 ` Mimi Zohar [this message]
2021-07-07 15:10 ` THOBY Simon
2021-07-07 16:18 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=96afb16f1f9ac6a476b8fb7be988f90267837c6c.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Simon.THOBY@viveris.fr \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.