From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
tiwai@suse.de, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com,
stable@vger.kernel.org
Subject: Re: [PATCH 2/2] ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
Date: Thu, 4 Jun 2020 16:12:07 -0300 [thread overview]
Message-ID: <20200604191207.GR2970@glitch> (raw)
In-Reply-To: <1591221815.5146.31.camel@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 1486 bytes --]
On Wed, Jun 03, 2020 at 06:03:35PM -0400, Mimi Zohar wrote:
> Hi Roberto,
>
> On Wed, 2020-06-03 at 17:08 +0200, Roberto Sassu wrote:
> > If the template field 'd' is chosen and the digest to be added to the
> > measurement entry was not calculated with SHA1 or MD5, it is
> > recalculated with SHA1, by using the passed file descriptor. However, this
> > cannot be done for boot_aggregate, because there is no file descriptor.
> >
> > This patch adds a call to ima_calc_boot_aggregate() in
> > ima_eventdigest_init(), so that the digest can be recalculated also for the
> > boot_aggregate entry.
> >
> > Cc: stable@vger.kernel.org # 3.13.x
> > Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
> > Reported-by: Takashi Iwai <tiwai@suse.de>
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>
> Thanks, Roberto.
>
> I've pushed both patches out to the next-integrity branch and would
> appreciate some additional testing.
>
> thanks,
>
> Mimi
>
Hi Mimi and Roberto,
FWIW, I've tested this patch manually and things went fine, with no
unexpected behavior or results.
However, wouldn't it be worth add a note in kmsg about the
ima_calc_boot_aggregate() being called with an algo different from the
system's default? Just to let the user know he won't find a sha256 when
check the measurement. But that's something we can add later too.
Thanks.
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-06-04 19:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-03 15:08 [PATCH 1/2] ima: Directly assign the ima_default_policy pointer to ima_rules Roberto Sassu
2020-06-03 15:08 ` [PATCH 2/2] ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init() Roberto Sassu
2020-06-03 22:03 ` Mimi Zohar
2020-06-04 19:12 ` Bruno Meneguele [this message]
2020-06-04 19:35 ` Mimi Zohar
2020-06-04 19:57 ` Bruno Meneguele
2020-06-03 21:30 ` [PATCH 1/2] ima: Directly assign the ima_default_policy pointer to ima_rules Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200604191207.GR2970@glitch \
--to=bmeneg@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).