Hi Simon, On Wed, 2021-07-07 at 09:54 +0000, THOBY Simon wrote: <snip> > When using evmctl and IMA-EVM in hash+HMAC mode (no digital > signatures involved), I was suprised to see that IMA didn't complain > if a file was hashed with an algorithm "weaker" than the one > specified on the command line. > Of course I suppose EVM should stop downgrade attacks (by that I mean > an offline attacker changing the hash of a legitimate file from > sha256 to sha1 or md5). However, if files were already hashed as md5 > - or more probably sha1 because that is still the default value for > evmctl - then the attacker could potentially perform collision > attacks against the weakly hashed file. The user may believe himself > protected against collision attacks because of the 'ima_hash=sha256' > command line parameter (with or without 'ima_template=ima-ng'). Before allowing the EVM HMAC to be updated, EVM verifies the existing HMAC to protect against an offline attack. It doesn't prevent online changes. Additional support to prevent crypto downgrade would need to be added. <snip> > Is there any way to enforce the use of the hash specified in the > 'ima_hash' cmdline parameter ? The cmdline parameter overrides the compile time default hash algorithm used for (re-)calculating the file hash. > I couldn't find any glancing at the code, but I didn't read all of it > and I understood even less, so I secretly hope to have missed a small > yet critical check/option. > And if there is no such way, would you be opposed to a patch adding > an option (something like 'ima_enforce_hash_alg') that only allows > digest hashed with the values supplied in the 'ima_hash' parameter ? Please keep in mind that: - depending on which file is not properly signed with the required hash, the system might not boot. - limiting the hash algorithm to a single algorithm would prevent migrating to a stronger algorithm. For embedded/IoT, these concerns might not be a problem. thanks, Mimi
