Re: [PATCH V4] evm: Allow non-SHA1 digital signatures

On Fri, May 18, 2018 at 9:03 AM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> On Thu, 2018-05-17 at 15:09 -0700, Matthew Garrett wrote:
> > Oh bother - I think I see what's wrong. Does this version work better?
> > I'm afraid I only tested against signatures rather than HMACs, and I was
> > generating a raw SHA1 rather than an HMAC :(

> That's a lot better!

> FYI, Wang Junwen reported a problem with enabling EVM with just the
> immutable and portable keys.  Without trusted keys enabled, SHA1 isn't
> being built into the kernel.  Loading the SHA1 kernel module fails.
> Without knowing a priori which hash algorithms need to be builtin is a
> problem.

It looks like Kconfig is selecting CRYPTO_SHA1 when EVM is enabled, and
since that's a bool it should be forcing it to be built-in? I can't see a
good way of extending that generally, unfortunately. Is the problem with
loading the module that you're enforcing an IMA policy before loading it?


