From: Stefan Berger <stefanb@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Eric Biggers <ebiggers@kernel.org>,
	linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v8 2/7] ima: use IMA default hash algorithm for integrity violations
Date: Fri, 29 Apr 2022 12:09:15 -0400	[thread overview]
Message-ID: <20697475-1b31-4db7-d1e7-afe2d50e2bca@linux.ibm.com> (raw)
In-Reply-To: <20220429112601.1421947-3-zohar@linux.ibm.com>



On 4/29/22 07:25, Mimi Zohar wrote:
> Integrity file violations - ToM/ToU, open writers - are recorded in the IMA
> measurement list, containing 0x00's in both the template data and file data
> hash fields, but 0xFF's are actually extended into TPM PCRs.  Although the
> original 'ima' template data field ('d') is limited to 20 bytes, the 'd-ng'
> template digest field is not.
> 
> The violation file data hash template field ('d-ng') is unnecessarily hard
> coded to SHA1.  Instead of simply replacing the hard coded SHA1 hash
> algorithm with a larger hash algorithm, use the hash algorithm as defined
> in "ima_hash_algo".  ima_hash_algo is set to either the Kconfig IMA default
> hash algorithm or as defined on the boot command line (ima_hash=).
> 
> Including a non-SHA1 file data hash algorithm in the 'd-ng' field of
> violations is a cosmetic change.  The template data hash field, which is
> extended into the TPM PCRs, is not affected by this change and should not
> affect attestation of the IMA measurement list.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

The effect seems to be that violations that have previously looked like this

10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /var/log/audit/audit.log

now look like this:

10 0000000000000000000000000000000000000000 ima-ng sha256:0000000000000000000000000000000000000000 /var/log/audit/audit.log

evmctl [1.3.2] still works fine:

# evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements
Matched per TPM bank calculated digest(s).


Tested-by: Stefan Berger <stefanb@linux.ibm.com>


> ---
>   security/integrity/ima/ima_template_lib.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index e9d65f6fe2ae..4b6706f864d4 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -370,7 +370,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
>   int ima_eventdigest_ng_init(struct ima_event_data *event_data,
>   			    struct ima_field_data *field_data)
>   {
> -	u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
> +	u8 *cur_digest = NULL, hash_algo = ima_hash_algo;
>   	u32 cur_digestsize = 0;
>   
>   	if (event_data->violation)	/* recording a violation. */
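Review bot: the hunk changes only the algorithm named in the 'd-ng' prefix; cur_digestsize is still initialised to 0 and the violation branch (`if (event_data->violation)`) is untouched, so the zero digest written for a violation keeps its previous fixed length rather than the digest length of ima_hash_algo. The tested output quoted above shows exactly that: `sha256:` followed by 40 hex zeros (20 bytes) instead of the 64 hex characters a SHA-256 digest would occupy. Either size the zero digest in the violation path to the configured algorithm, or say in the commit message that the digest length is deliberately unchanged, so that consumers of the measurement list know to expect a 'sha256:' prefix on a 20-byte value.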

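Added here as an example, not code from the thread, the kernel or ima-evm-utils: a Python replay of the SHA1 PCR bank for an ascii_runtime_measurements log that applies the 0x00 to 0xFF substitution the commit message describes for violations, and flags the 20-byte zero digest that now sits under a 'sha256:' prefix. The log lines are constructed, and template hashes are taken from the log rather than recomputed from template data, so only the PCR chain is replayed.

```python
import hashlib

PCR_SIZE = 20                           # SHA1 bank: 20-byte PCR
VIOLATION_EXTEND = b"\xff" * PCR_SIZE   # value IMA extends for a violation

# Constructed sample of ascii_runtime_measurements (not from a real system).
# The second record mimics the violation line quoted in the thread: template
# hash all zeros, 'sha256:' prefix but still a 20-byte (40 hex) zero digest.
SAMPLE_LOG = """\
10 4d5e6f70818293a4b5c6d7e8f90a1b2c3d4e5f60 ima-ng sha256:{0} /usr/bin/true
10 0000000000000000000000000000000000000000 ima-ng sha256:{1} /var/log/audit/audit.log
""".format("11" * 32, "00" * 20)

def parse_record(line):
    """Split one ascii_runtime_measurements line into its fields."""
    pcr, template_hash, template, digest_field, path = line.split(None, 4)
    if ":" in digest_field:              # 'd-ng' field: <algo>:<hex digest>
        algo, hexdigest = digest_field.split(":", 1)
    else:                                # legacy 'ima' template: bare sha1 hex
        algo, hexdigest = "sha1", digest_field
    template_hash = bytes.fromhex(template_hash)
    return {"pcr": int(pcr), "template_hash": template_hash, "template": template,
            "algo": algo, "digest": bytes.fromhex(hexdigest), "path": path,
            # violations are recorded with an all-zero template hash
            "violation": template_hash == b"\x00" * len(template_hash)}

def digest_size_matches(record):
    """True if the file digest length fits the algorithm named in its prefix."""
    return len(record["digest"]) == hashlib.new(record["algo"]).digest_size

def extend(pcr, value):
    """TPM PCR extend for the SHA1 bank: new = SHA1(old || value)."""
    return hashlib.sha1(pcr + value).digest()

def replay(lines, pcr_index=10):
    """Recompute the expected PCR from the log, extending 0xFF..FF in place of
    the all-zero template hash of each violation, as the kernel does."""
    pcr = b"\x00" * PCR_SIZE
    for rec in (parse_record(l) for l in lines if l.strip()):
        if rec["pcr"] == pcr_index:
            pcr = extend(pcr, VIOLATION_EXTEND if rec["violation"] else rec["template_hash"])
    return pcr
```

A verifier comparing replay() against the TPM's PCR 10 must tolerate the digest-size mismatch for violation records, which is the case digest_size_matches() reports.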