Re: [PATCH v1 0/5] ima-evm-utils: Assorted fixes and improvements

On Tue, 2019-07-09 at 18:43 +0300, Vitaly Chikunov wrote:
> On Mon, Jul 08, 2019 at 11:30:50AM -0400, Mimi Zohar wrote:
> > [Cc'ing Roberto, Petr, Thiago, Prakhar]
> > Now that we're including ALL the kernel exported hash_info algorithms,
> > a colleague suggested defining a list of deprecated hash algorithms.
> >  Instead of preventing the usage of these deprecated hash algorithms,
> > initially I would start out with a warning.  It would be helpful to
> > indicate which standard deprecated the hash algorithm and year.  At
> > some point, we might want to prevent their usage in signing files, but
> > not verifying file signatures.
> 
> I think this is not a problem, because the user explicitly states which hash
> algorithm he wants to use. Except for SHA1, which is also the silent
> fallback algorithm. I think this fallback mechanism should be removed.

I don't see a problem with informing whoever is using ima-evm-utils,
that the requested hash algorithm has been deprecated.  Just as NIST
has deprecated the use of sha1 for most use cases, certain versions of
the gost standard have also been deprecated.

Someone verifying the measurement list or the filesystem signatures
should be informed that although the verification succeeded, or not,
some of the signatures verified were based on deprecated hash
algorithms.  Maybe something along the lines of "<algorithm> hash
algorithm was deprecated (<year> - <standard>)"?  In verbose mode, the
message could include the filename.

The EVM hmac is still sha1 based, but that shouldn't affect ima-evm-
utils.  So yes we should explicitly require a valid hash algorithm and
not fall back to using sha1.

> 
> Also, return values of sign_hash/ima_calc_hash/etc are not defined
> clearly and callers have weird checks such as `if (len <= 1)`. I think
> this should be conceptually simplified and they should be made to
> `return -1` on any error.

Agreed.  Mostly these functions are returning "-1" on error.  There
are a few places returning 1 instead.

> 
> 
> > evmctl "ima_measurement" doesn't support custom template definitions.
> > Also missing is support for verifying the "ima-buf" kexec command boot
> > command line and the "ima-modsig" template appended signature.
> > 
> > David Jacobson started writing a regression framework and posted a v2
> > version.  I'd really appreciate help with cleaning up that code. 
> 
> Maybe tests should be integrated into ima-evm-utils too.

Including regression tests in ima-evm-utils is the plan. :)

Mimi
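
The three points agreed in this message (warn on a deprecated hash in the suggested "<algorithm> hash algorithm was deprecated (<year> - <standard>)" form, no silent fallback to sha1, and -1 on any error) can be sketched as follows. This is an added example, not code from ima-evm-utils or from the thread's participants. The helper name `check_hash_algo`, the algorithm subset, and the year/standard entries in the table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed subset of algorithm names; not the kernel's full hash_info list. */
static const char *const supported[] = { "md5", "sha1", "sha256", "sha512" };

/* Illustrative entries: year and standard are assumptions made for this example. */
static const struct { const char *name; int year; const char *standard; }
deprecated[] = {
	{ "md5",  2011, "RFC 6151" },
	{ "sha1", 2011, "NIST SP 800-131A" },
};

/*
 * Hypothetical helper. Returns 0 when algo is usable, -1 on any error.
 * A deprecated algorithm is not an error: the warning text is written to
 * msg, which is left empty when there is nothing to report.
 */
int check_hash_algo(const char *algo, const char *file, int verbose,
		    char *msg, size_t len)
{
	int named = verbose && file;	/* verbose mode includes the filename */
	size_t i;

	if (!msg || len == 0)
		return -1;
	msg[0] = '\0';
	if (!algo || !*algo)
		return -1;		/* no silent fallback to sha1 */
	for (i = 0; i < ARRAY_LEN(supported); i++)
		if (strcmp(algo, supported[i]) == 0)
			break;
	if (i == ARRAY_LEN(supported))
		return -1;		/* unknown algorithm name */
	for (i = 0; i < ARRAY_LEN(deprecated); i++)
		if (strcmp(algo, deprecated[i].name) == 0)
			snprintf(msg, len, "%s%s%s hash algorithm was deprecated (%d - %s)",
				 named ? file : "", named ? ": " : "", algo,
				 deprecated[i].year, deprecated[i].standard);
	return 0;
}

int main(void)
{
	char msg[128];

	if (check_hash_algo("sha1", "/bin/ls", 1, msg, sizeof(msg)) == 0 && *msg)
		fprintf(stderr, "warning: %s\n", msg);
	return 0;
}
```

Callers only need to test for a negative return, and verification can still succeed while the warning is printed.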
