From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Simon.THOBY@viveris.fr, kgold@linux.ibm.com,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH v4 ima-evm-utils 1/2] set default hash algorithm in configuration time
Date: Thu, 26 Aug 2021 10:35:52 -0300
Message-ID: <YSeYuNglsE3XWBSA@glitch>
In-Reply-To: <3ea0519200137128c67556b9c627a4849ddfbd24.camel@linux.ibm.com>


On Wed, Aug 25, 2021 at 05:43:50PM -0400, Mimi Zohar wrote:
> Hi Bruno,
> 
> On Fri, 2021-08-20 at 20:00 -0300, Bruno Meneguele wrote:
> > The default hash algorithm for evmctl is today hardcoded in the libimaevm.c file.
> > To facilitate different distributions and users to set their own default
> > hash algorithm this patch adds the --with-default-hash=<algo> option to the
> > configuration script.
> > 
> > The algorithm chosen by the user will then be checked if it is available in the
> > kernel, otherwise IMA won't be able to verify files hashed by the user. For
> > that, the file exposed by the kernel crypto API (/proc/crypto) is filtered
> > by an AWK script in order to check the algorithm's name and the module
> > providing it. Initially, only "module: kernel" is accepted, following IMA's
> > CONFIG_CRYPTO_SHA1/SHA256 dependency.
> 
> There's a difference between preventing an evmctl user from
> unintentionally using an unsupported algorithm and the distro, or
> whoever is building the package, defining the wrong default hash
> algorithm.
> 
> My preference would be to allow any hash algorithm defined in
> hash_info.h (kernel_headers package) as the default.
> 

Good point. Considering we already depend on the kernel-headers pkg and
we also allow the user to specify a custom path for headers, it's indeed
better to keep the consistency.

I'll prepare a v5 using the kernel-headers instead of /proc/crypto.

> thanks,
> 
> Mimi
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
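The two configure-time checks discussed in this thread, as an added example in POSIX sh (this is not ima-evm-utils code and not part of the thread): the v4 approach that filters /proc/crypto with AWK and accepts only "module: kernel" records, and the suggested alternative that accepts any enumerator found in hash_info.h. The /proc/crypto excerpt and the hash_info.h subset below are constructed sample data, and the `HASH_ALGO_<UPPERCASE NAME>` mapping is an assumption that holds for the sha family but not for every entry (rmd160, for instance, is HASH_ALGO_RIPE_MD_160 and would need an explicit table). The sample deliberately lists sha512 as provided by a loadable module so the difference between the two checks is visible.

```shell
#!/bin/sh
# Added example, not code from ima-evm-utils or from the thread: the two
# configure-time checks for --with-default-hash=<algo> discussed above.
# All sample data below is constructed.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed /proc/crypto excerpt. sha1/sha256 are built in ("module: kernel");
# sha512 is only provided by a loadable module in this sample.
PROC_CRYPTO_SAMPLE="$tmpdir/proc_crypto"
cat > "$PROC_CRYPTO_SAMPLE" <<'EOF'
name         : sha512
driver       : sha512-ssse3
module       : sha512_ssse3
type         : shash
digestsize   : 64

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
digestsize   : 32

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher

name         : sha1
driver       : sha1-generic
module       : kernel
type         : shash
digestsize   : 20
EOF

# Constructed subset of include/uapi/linux/hash_info.h.
HASH_INFO_SAMPLE="$tmpdir/hash_info.h"
cat > "$HASH_INFO_SAMPLE" <<'EOF'
enum hash_algo {
	HASH_ALGO_MD5,
	HASH_ALGO_SHA1,
	HASH_ALGO_RIPE_MD_160,
	HASH_ALGO_SHA256,
	HASH_ALGO_SHA384,
	HASH_ALGO_SHA512,
	HASH_ALGO__LAST
};
EOF

# Check 1 (the v4 approach): /proc/crypto is a sequence of blank-line separated
# "key : value" records. Accept only a record whose name matches AND whose
# module is "kernel", i.e. the algorithm is compiled in, not a loadable module.
proc_crypto_has_builtin() {
    # $1 = algorithm name, $2 = /proc/crypto (or a copy of it)
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n"; found = 0 }
        {
            name = ""; mod = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, /[ \t]*:[ \t]*/)
                if (kv[1] == "name")   name = kv[2]
                if (kv[1] == "module") mod = kv[2]
            }
            if (name == want && mod == "kernel") found = 1
        }
        END { exit !found }' "$2"
}

# Check 2 (the suggestion in the reply): accept any enumerator in hash_info.h.
# Assumption: the evmctl name upper-cased is the HASH_ALGO_ suffix. That holds
# for the sha family; names such as rmd160 (HASH_ALGO_RIPE_MD_160) would need
# an explicit mapping table.
hash_info_has_algo() {
    # $1 = algorithm name, $2 = path to hash_info.h
    sym="HASH_ALGO_$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    grep -Eq "^[[:space:]]*${sym}([[:space:],]|$)" "$2"
}

# What a configure check would do with the user's value: fail with the reason
# rather than silently build an evmctl whose default the kernel cannot verify.
check_default_hash() {
    # $1 = requested default hash, $2 = path to hash_info.h
    if hash_info_has_algo "$1" "$2"; then
        return 0
    fi
    printf 'configure: error: "%s" is not a hash algorithm in hash_info.h\n' "$1" >&2
    return 1
}

for algo in sha1 sha256 sha512 sha3-256; do
    if proc_crypto_has_builtin "$algo" "$PROC_CRYPTO_SAMPLE"; then p=yes; else p=no; fi
    if hash_info_has_algo "$algo" "$HASH_INFO_SAMPLE"; then h=yes; else h=no; fi
    printf '%-9s builtin-in-/proc/crypto=%-3s in-hash_info.h=%s\n' "$algo" "$p" "$h"
done
```

Run it as-is to see the table; in a real configure.ac the second function would be wrapped in an AC_MSG_CHECKING/AC_MSG_ERROR pair and pointed at the headers path the user can already override. The sha512 row is the practical difference: the /proc/crypto filter rejects it on a machine where it is a loadable module, while hash_info.h accepts it as an algorithm the kernel knows how to name.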


Thread overview: 5+ messages
2021-08-20 22:59 [PATCH v4 ima-evm-utils 0/2] make default hash algorithm dynamic Bruno Meneguele
2021-08-20 23:00 ` [PATCH v4 ima-evm-utils 1/2] set default hash algorithm in configuration time Bruno Meneguele
2021-08-25 21:43   ` Mimi Zohar
2021-08-26 13:35     ` Bruno Meneguele [this message]
2021-08-20 23:00 ` [PATCH v4 ima-evm-utils 2/2] make SHA-256 the default hash algorithm Bruno Meneguele
