On Mon, 2020-01-27 at 18:04 +0100, Roberto Sassu wrote:
> Before calculating a digest for each PCR bank, collisions were detected
> with a SHA1 digest. This patch includes ima_hash_algo among the algorithms
> used to calculate the template digest and checks collisions on that digest.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Definitely needed to protect against a sha1 collision attack.
<snip>
>
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index ebaf0056735c..a9bb45de6db9 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -51,7 +51,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
> if (!*entry)
> return -ENOMEM;
>
> - (*entry)->digests = kcalloc(ima_tpm_chip->nr_allocated_banks + 1,
> + (*entry)->digests = kcalloc(ima_tpm_chip->nr_allocated_banks + 2,
> sizeof(*(*entry)->digests), GFP_NOFS);
> if (!(*entry)->digests) {
> result = -ENOMEM;
I would prefer not having to allocate and use "nr_allocated_banks + 1"
everywhere, but I understand the need for it. I'm not sure this patch
warrants allocating +2. Perhaps, if a TPM bank doesn't exist for the
IMA default hash algorithm, use a different algorithm or, worst case,
continue using the ima_sha1_idx.
Mimi
