From: Roberto Sassu <roberto.sassu@huawei.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Krzysztof Struczynski <krzysztof.struczynski@huawei.com>,
Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH 3/5] ima: Fix ima digest hash table key calculation
Date: Thu, 23 Apr 2020 10:21:03 +0000 [thread overview]
Message-ID: <11984a05a5624f64aed1ec6b0d0b75ff@huawei.com> (raw)
In-Reply-To: <1587588987.5165.20.camel@linux.ibm.com>
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> -----Original Message-----
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Wednesday, April 22, 2020 10:56 PM
> To: Roberto Sassu <roberto.sassu@huawei.com>
> Cc: linux-integrity@vger.kernel.org; linux-security-module@vger.kernel.org;
> linux-kernel@vger.kernel.org; Krzysztof Struczynski
> <krzysztof.struczynski@huawei.com>; Silviu Vlasceanu
> <Silviu.Vlasceanu@huawei.com>; stable@vger.kernel.org
> Subject: Re: [PATCH 3/5] ima: Fix ima digest hash table key calculation
>
> Hi Roberto, Krsysztof,
>
> On Wed, 2020-03-25 at 17:11 +0100, Roberto Sassu wrote:
> > From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> >
> > Function hash_long() accepts unsigned long, while currently only one byte
> > is passed from ima_hash_key(), which calculates a key for ima_htable.
> Use
> > more bytes to avoid frequent collisions.
> >
> > Length of the buffer is not explicitly passed as a function parameter,
> > because this function expects a digest whose length is greater than the
> > size of unsigned long.
>
> Somehow I missed the original report of this problem https://lore.kern
> el.org/patchwork/patch/674684/. This patch is definitely better, but
> how many unique keys are actually being used? Is it anywhere near
> IMA_MEASURE_HTABLE_SIZE(512)?
I did a small test (with 1043 measurements):
slots: 250, max depth: 9 (without the patch)
slots: 448, max depth: 7 (with the patch)
Then, I increased the number of bits to 10:
slots: 251, max depth: 9 (without the patch)
slots: 660, max depth: 4 (with the patch)
> Do we need a new securityfs entry to display the number used?
Probably it is useful only if the administrator can decide the number of slots.
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> > Cc: stable@vger.kernel.org
> > Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider")
> > Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> > ---
> > security/integrity/ima/ima.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index 64317d95363e..cf0022c2bc14 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -177,7 +177,7 @@ extern struct ima_h_table ima_htable;
> >
> > static inline unsigned long ima_hash_key(u8 *digest)
> > {
> > - return hash_long(*digest, IMA_HASH_BITS);
> > + return hash_long(*((unsigned long *)digest), IMA_HASH_BITS);
> > }
> >
> > #define __ima_hooks(hook) \
next prev parent reply other threads:[~2020-04-23 10:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 16:11 [PATCH 1/5] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Roberto Sassu
2020-03-25 16:11 ` [PATCH 2/5] evm: Check also if *tfm is an error pointer in init_desc() Roberto Sassu
2020-04-22 13:45 ` Mimi Zohar
2020-04-22 15:37 ` Roberto Sassu
2020-03-25 16:11 ` [PATCH 3/5] ima: Fix ima digest hash table key calculation Roberto Sassu
2020-04-22 20:56 ` Mimi Zohar
2020-04-23 10:21 ` Roberto Sassu [this message]
2020-04-23 16:53 ` Mimi Zohar
2020-04-24 12:18 ` Roberto Sassu
2020-04-24 14:45 ` Mimi Zohar
2020-03-25 16:14 ` [PATCH 4/5] ima: Remove redundant policy rule set in add_rules() Roberto Sassu
2020-03-25 16:14 ` [PATCH 5/5] ima: Remove unused build_ima_appraise variable Roberto Sassu
2020-04-22 22:59 ` Mimi Zohar
2020-04-22 12:03 ` [PATCH 1/5] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Mimi Zohar
2020-04-22 15:39 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11984a05a5624f64aed1ec6b0d0b75ff@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=Silviu.Vlasceanu@huawei.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).