[PATCH v3 1/1] ima: remove the IMA_TEMPLATE Kconfig option

Guozihua (Scott) guozihua at huawei.com
Thu May 5 01:35:40 UTC 2022


On 2022/4/7 22:43, Mimi Zohar wrote:
> On Thu, 2022-04-07 at 10:16 +0800, GUO Zihua wrote:
>> The original 'ima' measurement list template contains a hash, defined
>> as 20 bytes, and a null terminated pathname, limited to 255
>> characters.  Other measurement list templates permit both larger hashes
>> and longer pathnames.  When the "ima" template is configured as the
>> default, a new measurement list template (ima_template=) must be
>> specified before specifying a larger hash algorithm (ima_hash=) on the
>> boot command line.
>>
>> To avoid this boot command line ordering issue, remove the legacy "ima"
>> template configuration option, allowing it to still be specified on the
>> boot command line.
>>
>> The root cause of this issue is that during the processing of ima_hash,
>> we would try to check whether the hash algorithm is compatible with the
>> template. If the template is not set at the moment we do the check, we
>> check the algorithm against the configured default template. If the
>> default template is "ima", then we reject any hash algorithm other than
>> sha1 and md5.
>>
>> For example, if the compiled default template is "ima", and the default
>> algorithm is sha1 (which is the current default). In the cmdline, we put
>> in "ima_hash=sha256 ima_template=ima-ng". The expected behavior would be
>> that ima starts with ima-ng as the template and sha256 as the hash
>> algorithm. However, during the processing of "ima_hash=",
>> "ima_template=" has not been processed yet, and hash_setup would check
>> the configured hash algorithm against the compiled default: ima, and
>> reject sha256. So at the end, the hash algorithm that is actually used
>> will be sha1.
>>
>> With template "ima" removed from the configured default, we ensure that
>> the default template would at least be "ima-ng" which allows for
>> basically any hash algorithm.
>>
>> This change would not break the algorithm compatibility checks for IMA.
>>
>> Fixes: 4286587dccd43 ("ima: add Kconfig default measurement list template")
>> Signed-off-by: GUO Zihua <guozihua at huawei.com>
> 
> thanks,
> 
> Mimi

Hi,

Is this patch picked?

Thanks
GUO Zihua
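The ordering problem the commit message describes, as an added example: this is a small userspace model, not kernel code, and the struct name, the helper names and the space-separated parse loop are simplifying assumptions. What it keeps from the description is the part that matters: `__setup()`-style handlers run strictly in command-line order, `ima_hash=` is validated against whichever template is current at that moment (the compiled-in default when `ima_template=` has not been seen yet), and the legacy "ima" template only accepts sha1 or md5.

```c
/* Added example, not kernel code: a model of how ima_hash= and
 * ima_template= interact when processed in command-line order.
 * Names (ima_model, apply_cmdline, hash_compatible) are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32

struct ima_model {
    char compiled_default[MAX_NAME]; /* stands in for CONFIG_IMA_DEFAULT_TEMPLATE */
    char template[MAX_NAME];         /* empty until ima_template= is processed */
    char hash[MAX_NAME];             /* starts at the compiled-in default hash */
};

/* Until ima_template= has been seen, the "current" template is the
 * compiled default; this is the lookup hash_setup() effectively performs. */
static const char *effective_template(const struct ima_model *m)
{
    return m->template[0] ? m->template : m->compiled_default;
}

/* The legacy "ima" template carries a fixed 20-byte digest field, so only
 * sha1 and md5 fit; every other template accepts any hash algorithm. */
static int hash_compatible(const char *tmpl, const char *algo)
{
    if (strcmp(tmpl, "ima") != 0)
        return 1;
    return strcmp(algo, "sha1") == 0 || strcmp(algo, "md5") == 0;
}

static void init_model(struct ima_model *m, const char *default_tmpl,
                       const char *default_hash)
{
    memset(m, 0, sizeof(*m));
    snprintf(m->compiled_default, MAX_NAME, "%s", default_tmpl);
    snprintf(m->hash, MAX_NAME, "%s", default_hash);
}

/* Walk "key=value" tokens left to right, the way early param handlers
 * run. Returns how many ima_hash= values were rejected (and so kept the
 * previous hash), which is the silent fallback the commit message reports. */
static int apply_cmdline(struct ima_model *m, const char *cmdline)
{
    char buf[256];
    char *tok;
    int rejected = 0;

    snprintf(buf, sizeof(buf), "%s", cmdline);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (strncmp(tok, "ima_template=", 13) == 0) {
            snprintf(m->template, MAX_NAME, "%s", tok + 13);
        } else if (strncmp(tok, "ima_hash=", 9) == 0) {
            const char *algo = tok + 9;
            /* checked against the template current *at this point* */
            if (hash_compatible(effective_template(m), algo))
                snprintf(m->hash, MAX_NAME, "%s", algo);
            else
                rejected++;
        }
    }
    return rejected;
}

static void show(const char *label, const char *default_tmpl, const char *cmdline)
{
    struct ima_model m;

    init_model(&m, default_tmpl, "sha1");
    apply_cmdline(&m, cmdline);
    printf("%-34s default=%-7s cmdline=\"%s\"\n  -> template=%s hash=%s\n",
           label, default_tmpl, cmdline, effective_template(&m), m.hash);
}

int main(void)
{
    /* Constructed scenarios: the one from the commit message, the same
     * command line after the Kconfig default is no longer "ima", and the
     * reordered command line that works around the issue today. */
    show("compiled default ima, hash first:", "ima",
         "ima_hash=sha256 ima_template=ima-ng");
    show("compiled default ima-ng:", "ima-ng",
         "ima_hash=sha256 ima_template=ima-ng");
    show("compiled default ima, template first:", "ima",
         "ima_template=ima-ng ima_hash=sha256");
    return 0;
}
```

Run it and the first scenario ends with template ima-ng but hash sha1: sha256 was rejected before `ima_template=` had a chance to run, with no error visible to whoever wrote the command line. The second scenario is what the patch buys by dropping "ima" from the Kconfig choice; the third is the ordering workaround that remains possible on older kernels, and is worth checking in `/sys/kernel/security/ima/ascii_runtime_measurements` after boot rather than assumed.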



More information about the Linux-security-module-archive mailing list