[RFC PATCH v2 05/13] ima: select CRYPTO_SHA256 from Kconfig
Nicolai Stange
nstange at suse.de
Sun Mar 23 14:09:03 UTC 2025
Since recently, IMA would not record measurement list entries into PCR
banks for which it doesn't have a corresponding in-kernel hash algorithm
implementation available anymore (for
CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND=n).
With TPM 2.0, the only hash algorithms guaranteed to be implemented on a
TPM are SHA-256/384, c.f. "TCG PC Client Platform TPM Profile
Specification for TPM 2.0", sec. 4.6 "PCR Requirements".
In particular, sha1 is not mandatory, and thus, the CRYPTO_SHA1 dependency
of IMA is not sufficient anymore for ensuring that IMA would find at least
one usable PCR bank.
So, in order to make sure that IMA has access to at least one usable bank
on platforms featuring a TPM 2.0 device, make it depend on CRYPTO_SHA256.
Keep the dependency on CRYPTO_SHA1 for the TPM 1 case.
Signed-off-by: Nicolai Stange <nstange at suse.de>
---
security/integrity/ima/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index c8f12a4a4edf..8a7e74dc1477 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -7,6 +7,7 @@ config IMA
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_SHA1
+ select CRYPTO_SHA256
select CRYPTO_HASH_INFO
select SECURITY_PATH
select TCG_TPM if HAS_IOMEM
--
2.49.0
More information about the Linux-security-module-archive
mailing list