Hi,
I noticed that even when SHA-256 is selected as the digest algorithm for
IMA measurement, the PCR hash is still SHA-1.
A net search found the text given below in the following wiki:
https://wiki.strongswan.org/projects/strongswan/wiki/IMA
**********************************************************************
Since SHA-1 has been "shattered", we recommend using SHA-256 for the
file measurement hashes.
The IMA implementation does not support SHA-256 PCR banks yet, so the
SHA-256 file hashes are extended into SHA-1 PCR registers.
**********************************************************************
Is the above still true?
In ima_init_digests() the digest algorithm for PCR extend is set from
the digest algorithm set in the PCR banks.
Is there a way to configure IMA to use SHA-256 PCR banks?
int __init ima_init_digests(void)
{
...
	/* one digest slot per allocated PCR bank, using that bank's algorithm */
	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++)
		digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
...
}
thanks,
-lakshmi
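A small model of the per-bank extend that the ima_init_digests() loop sets up, plus the verifier-side replay an attestation service would run against each bank (example code written for this thread, not from the kernel or the strongSwan wiki; the two-bank TPM, the simplified template-data layout and the function names are assumptions):

```python
import hashlib

# Assumption: the TPM allocated a SHA-1 and a SHA-256 bank, mirroring
# ima_tpm_chip->allocated_banks[i].alg_id in the loop quoted above.
ALLOCATED_BANKS = ("sha1", "sha256")

def initial_pcrs(banks=ALLOCATED_BANKS):
    """A fresh PCR is all zeros, sized for its bank (20 bytes SHA-1, 32 bytes SHA-256)."""
    return {alg: bytes(hashlib.new(alg).digest_size) for alg in banks}

def template_data(file_hash_algo, file_digest, path):
    """Constructed, simplified stand-in for the ima-ng template fields
    (d-ng: 'algo:' + raw digest, n-ng: path); the real log uses length-prefixed fields."""
    return file_hash_algo.encode() + b":" + file_digest + path.encode() + b"\0"

def per_bank_digests(tdata, banks=ALLOCATED_BANKS):
    """One template digest per bank, computed with the *bank's* algorithm.
    The file hash algorithm (SHA-256 here) only affects the template contents."""
    return {alg: hashlib.new(alg, tdata).digest() for alg in banks}

def pcr_extend(pcr, digest, alg):
    """TPM2_PCR_Extend semantics: new = H_bank(old || digest)."""
    return hashlib.new(alg, pcr + digest).digest()

def measure(log, pcrs, path, content, file_hash_algo="sha256"):
    """Kernel side: hash the file, build the template entry, extend every bank."""
    file_digest = hashlib.new(file_hash_algo, content).digest()
    tdata = template_data(file_hash_algo, file_digest, path)
    for alg, digest in per_bank_digests(tdata, tuple(pcrs)).items():
        pcrs[alg] = pcr_extend(pcrs[alg], digest, alg)
    log.append((file_hash_algo, file_digest, path))

def replay(log, banks=ALLOCATED_BANKS):
    """Verifier side: rebuild each bank's PCR from the measurement list, so a
    quoted SHA-256 PCR can be checked directly instead of trusting the SHA-1 bank."""
    pcrs = initial_pcrs(banks)
    for file_hash_algo, file_digest, path in log:
        tdata = template_data(file_hash_algo, file_digest, path)
        for alg in banks:
            pcrs[alg] = pcr_extend(pcrs[alg], hashlib.new(alg, tdata).digest(), alg)
    return pcrs

def demo():
    """Two constructed measurements; returns the log and the resulting PCR values."""
    log, pcrs = [], initial_pcrs()
    measure(log, pcrs, "/usr/bin/ls", b"constructed file contents 1")
    measure(log, pcrs, "/etc/ssh/sshd_config", b"constructed file contents 2")
    return log, pcrs

if __name__ == "__main__":
    log, pcrs = demo()
    for alg, value in pcrs.items():
        print(f"PCR10 {alg} bank: {value.hex()}")
    print("replay matches:", replay(log) == pcrs)
```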