[RFC PATCH v1 6/7] ima: invalidate unsupported PCR banks once at first use

[Nicolai Stange]

Mimi Zohar <zohar at linux.ibm.com> writes:
> On Tue, 2025-03-18 at 16:55 +0100, Nicolai Stange wrote:
>> Mimi Zohar <zohar at linux.ibm.com> writes:
>> > FYI, because the IMA Kconfig selects SHA1, we're guaranteed that SHA1 exists in
>> > the kernel and the subsequent kexec'ed kernel.  For this reason we're guaranteed
>> > that the measurement list is complete.  The simplest solution, not necessarily
>> > the best, would be to punt the problem for the time being by replacing the
>> > "select" with a different hash algorithm.
>> 
>> Yes, that would work as well. IIUC, it would mean that we would
>> e.g. extend truncated SHA-256 template hashes into a SHA-1 bank, right?
>> However, since no existing tool like 'ima_measurement' is expecting
>> that, and would fail a verification then, I'm currently struggling to
>> see the advantage over just doing a.) and invalidating the PCR banks
>> with a fixed value right away?
>
> Replacing the "Kconfig select" has more to do with having at least one
> guaranteed complete measurement list.  I'm fine with extending a TPM bank with
> an unknown kernel hash algorithm violation (either option a or b).

Ok, I think I got it now.

FWIW, a v2 can be found at
https://lore.kernel.org/r/20250323140911.226137-1-nstange@suse.de , including a
patch for selecting SHA256 now.

Thanks a lot for all your feedback!

Nicolai

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)