On Fri, May 18, 2018 at 9:03 AM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> On Thu, 2018-05-17 at 15:09 -0700, Matthew Garrett wrote:
> > Oh bother - I think I see what's wrong. Does this version work better?
> > I'm afraid I only tested against signatures rather than HMACs, and I was
> > generating a raw SHA1 rather than an HMAC :(
>
> That's a lot better!
>
> FYI, Wang Junwen reported a problem with enabling EVM with just the
> immutable and portable keys. Without trusted keys enabled, SHA1 isn't
> being built into the kernel. Loading the SHA1 kernel module fails.
> Without knowing a priori which hash algorithms need to be builtin is a
> problem.

It looks like Kconfig is selecting CRYPTO_SHA1 when EVM is enabled, and
since that's a bool it should be forcing it to be built-in? I can't see a
good way of extending that generally, unfortunately. Is the problem with
loading the module that you're enforcing an IMA policy before loading it?