On Wed, Aug 25, 2021 at 05:43:50PM -0400, Mimi Zohar wrote:
> Hi Bruno,
>
> On Fri, 2021-08-20 at 20:00 -0300, Bruno Meneguele wrote:
> > The default hash algorithm for evmctl is today hardcoded in the libimaevm.c file.
> > To facilitate different distributions and users to set their own default
> > hash algorithm this patch adds the --with-default-hash= option to the
> > configuration script.
> >
> > The algorithm chosen by the user will then be checked to see if it is available
> > in the kernel, otherwise IMA won't be able to verify files hashed by the user.
> > For that, the file exposed by the kernel crypto API (/proc/crypto) is filtered
> > by an AWK script in order to check the algorithm's name and the module
> > providing it. Initially, only "module: kernel" is accepted, following IMA's
> > CONFIG_CRYPTO_SHA1/SHA256 dependency.
>
> There's a difference between preventing an evmctl user from
> unintentionally using an unsupported algorithm and the distro, or
> whoever is building the package, defining the wrong default hash
> algorithm.
>
> My preference would be to allow any hash algorithm defined in
> hash_info.h (kernel_headers package) as the default.
>

Good point. Considering we already depend on the kernel-headers pkg and we
also allow the user to specify a custom path for headers, it's indeed better
to keep the consistency. I'll prepare a v5 using the kernel-headers instead
of /proc/crypto.

> thanks,
>
> Mimi
>

--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
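As an added example, not code from the ima-evm-utils project or from either poster in this thread: a POSIX shell sketch of the two configure-time checks discussed above, the /proc/crypto record filter from the patch (match the "name" line and require "module : kernel") and the hash_info.h lookup Mimi proposes instead. Both input files are constructed excerpts embedded inline, not real captures; the function names, the temp-file plumbing and the simple algorithm-name-to-HASH_ALGO_* mapping (upper-case, dash to underscore) are my assumptions and are not how the project's configure script is written.

```shell
#!/bin/sh
# Constructed /proc/crypto excerpt (sample input, not a real capture).
# Records are blank-line separated; "module : kernel" marks built-in code.
SAMPLE_CRYPTO="$(mktemp)"
cat > "$SAMPLE_CRYPTO" <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
digestsize   : 32

name         : sha512
driver       : sha512-ssse3
module       : sha512_ssse3
priority     : 150
type         : shash
digestsize   : 64

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
type         : shash
digestsize   : 16
EOF

# Constructed hash_info.h excerpt (sample input; the real header lists more).
SAMPLE_HDR="$(mktemp)"
cat > "$SAMPLE_HDR" <<'EOF'
enum hash_algo {
	HASH_ALGO_MD4,
	HASH_ALGO_MD5,
	HASH_ALGO_SHA1,
	HASH_ALGO_SHA256,
	HASH_ALGO_SHA384,
	HASH_ALGO_SHA512,
	HASH_ALGO__LAST
};
EOF
trap 'rm -f "$SAMPLE_CRYPTO" "$SAMPLE_HDR"' EXIT

# hash_in_kernel ALGO [CRYPTO_FILE]  (assumed helper name)
# Returns 0 if some record has "name : ALGO" and "module : kernel", else 1.
# awk paragraph mode (RS="") treats each blank-line-separated record as one
# input record, with FS="\n" making every "key : value" line a field.
hash_in_kernel() {
    algo="$1"
    file="${2:-/proc/crypto}"
    awk -v want="$algo" '
        BEGIN { RS = ""; FS = "\n"; found = 0 }
        {
            name = ""; module = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "[ \t]*:[ \t]*")
                if (kv[1] == "name")   name = kv[2]
                if (kv[1] == "module") module = kv[2]
            }
            # A loadable-module provider (e.g. sha512_ssse3) is rejected here,
            # mirroring the "only module: kernel" rule in the patch description.
            if (name == want && module == "kernel") { found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$file"
}

# hash_in_hash_info ALGO HEADER  (assumed helper name)
# Returns 0 if HASH_ALGO_<NAME> appears as an enumerator in HEADER.
# Mapping assumption: upper-case the name and turn '-' into '_'
# (sha3-256 -> HASH_ALGO_SHA3_256); names with other spellings in the
# real header would need an explicit table.
hash_in_hash_info() {
    algo="$1"
    hdr="$2"
    sym="HASH_ALGO_$(printf '%s' "$algo" | tr 'a-z' 'A-Z' | tr '-' '_')"
    grep -Eq "^[[:space:]]*${sym}[[:space:]]*,?[[:space:]]*$" "$hdr"
}

# Stand-alone demonstration over the constructed inputs.
for a in sha256 sha512 md5 sha1; do
    if hash_in_kernel "$a" "$SAMPLE_CRYPTO"; then
        k="built into the kernel"
    else
        k="not provided by 'module: kernel'"
    fi
    if hash_in_hash_info "$a" "$SAMPLE_HDR"; then
        h="listed in hash_info.h"
    else
        h="absent from hash_info.h"
    fi
    echo "$a: $k; $h"
done
```

The two checks answer different questions: the /proc/crypto filter reports what the running build host has compiled in, which is why sha512 fails it in the sample even though IMA can use it, whereas the hash_info.h lookup only confirms the name is one the kernel's hash_algo enum knows, independent of the build host's configuration.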