[PATCH 7/8] ima: use ima_hash_algo for collision detection in the measurement list
Mimi Zohar
zohar at linux.ibm.com
Fri Jan 31 14:50:34 UTC 2020
On Fri, 2020-01-31 at 14:41 +0000, Roberto Sassu wrote:
> I thought that using a stronger algorithm for hash collision detection but
> doing remote attestation with the weaker would not bring additional value.
>
> If there is a hash collision on SHA1, an attacker can still replace the data of
> one of the two entries in the measurement list with the data of the other
> without being detected (without additional countermeasures).
>
> If the verifier additionally checks for duplicate template digests, he could
> detect the attack (IMA would not add a new measurement entry with the
> same template digest of previous entries).
>
> Ok, I will use ima_hash_algo for hash collision detection.
Thanks!
Mimi
More information about the Linux-security-module-archive
mailing list