[RFC PATCH v2 02/13] ima: always create runtime_measurements sysfs file for ima_hash
Nicolai Stange
nstange at suse.de
Wed Mar 26 13:46:03 UTC 2025
Mimi Zohar <zohar at linux.ibm.com> writes:
> On Wed, 2025-03-26 at 09:21 +0100, Nicolai Stange wrote:
>> Mimi Zohar <zohar at linux.ibm.com> writes:
>>
>> > On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> > "ima_hash" is the default file hash algorithm. Re-using it as the default
>> > complete measurement list assumes that the subsequent kexec'ed kernels configure
>> > and define it as the default file hash algorithm as well, which might not be the
>> > case.
>>
>> I don't really see why the ima_hashes would have to match between kexecs
>> for this to work -- all events' template hashes are getting recreated
>> from scratch anyway after kexec (ima_restore_measurement_list() ->
>> ima_calc_field_array_hash()).
>>
>> That is, if ima_hash=sha256 first, and ima_hash=sha384 after kexec, one
>> would have *runtime_measurements_sha256 first and
>> *runtime_measurements_sha384 after kexec. And both had exclusively
>> template hashes of their respective algo in them each.
>>
>> What am I missing?
>
> Your solution would work nicely, if the "ima_hash" algorithm could be guaranteed
> to be built into the kernel. It's highly unlikely someone would choose a hash
> algorithm not built into kernel, but it is possible. hash_setup() only verifies
> that the hash algorithm is a valid name.
But ima_init_ima_crypto(), hence the whole IMA __init, would fail if
ima_hash was unavailable at __init time?
Thanks,
Nicolai
> Either fix hash_setup() to guarantee that the chosen hash algorithm is built
> into the kernel or use the CONFIG_IMA_DEFAULT_HASH and add a Kconfig to select
> the hash algorithm. This would be in lieu of v2 05/13.
>
>> > Drop this patch.
>>
>> Fine by me, but just to confirm, in case there's no TPM attached and
>> SHA1 was disabled, there would be no /sys/*/*runtime_measurement* at all
>> then. Is that Ok?
>
> Of course not. :)
>
>> ima_hash was chosen here only, because after this series, it will be the
>> only single algorithm guaranteed to be available.
>
> With the proposed changes to "[RFC PATCH v2 05/13] ima: select CRYPTO_SHA256
> from Kconfig', SHA256 would be added to the "extra" measurements if the TPM
> SHA256 bank is disabled.
--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
More information about the Linux-security-module-archive
mailing list