IMA protects files by storing a hash (or a signature thereof) of their content in the security.ima xattr. While the security.ima xattr itself is protected by EVM with either a HMAC or a digital signature, no mechanism is currently in place to ensure that the security.ima xattr was generated with a strong digest algorithm, as was outlined in https://lore.kernel.org/linux-integrity/10dde047d76b447f32ca91356599be679b8a76e5.camel@xxxxxxxxxxxxx/t/#m0f8127c6982ef94aa42f5cc13ea83b9f9000917e One important point is safeguarding users from mislabelling their files when using userland utilities to update their files, as this is the kind of behavior one can observe with evmctl (`evmctl ima_hash` defaults to sha1). Another group that may be interested is those that have deployed IMA years ago, possibly using algorithms that was then deemed sufficiently collision-resistant, but that proved to be weak with the passage of time (note that this could also happen in the future with algorithms considered safe today). This patch provides a migration path of sorts for these users. This patch series gives users the ability to restrict the algorithms accepted by their system, both when writing/updating xattrs, and when appraising files, while retaining a permissive behavior by default to preserve backward compatibility. To provide these features, alter the behavior of setxattr to only accept hashes built in the kernel, instead of any hash listed in the kernel (complete list crypto/hash_info.c). In addition, if secure boot is enabled, assume the system settings must be enforced (as IMA already does for the ima_appraise boot parameter) and only accept writes that uses the same digest the kernel uses (the 'ima_hash' kernel parameter). In addition, users may opt-in to whitelisting the accepted hash algorithms with the new "appraise_hash" IMA policy option. By default IMA will keep accepting any hash algorithm, but specifying that option will make appraisal of files hash with another algorithm fail. Even when using this option to restrict accepted hashes, migrations to a new algorithm are still possible. Suppose your policy states you must migrate from 'old_algo' (e.g. sha1) to 'new_algo' (e.g. one of sha256/384/512). You can upgrade without relaxing the hash requirements: alter your policy rules from 'appraise_hash=old_algo' to 'appraise_hash=old_algo,new_algo', update the "ima_hash" parameter to 'new_algo', reboot, relabel all your files with 'new_algo', alter your policy_rule from 'appraise_hash=old_algo,new_algo' to 'appraise_hash=new_algo', reboot again and you're done. Agreed, it's quite a lot of churn - I don't know if this can be reduced - but this is technically doable. Note that the secure boot restriction is not backward compatible, so maybe this cannot be merged as-is. Yet this only applies to new hash/signatures performed from userspace, and does not impact the appraisal of existing files, so this will probably not break systems on upgrade either. This series is based on the following repo/branch: repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git branch: master commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c ("Linux 5.14-rc2") Changelog since v1: - Remove the two boot parameters - filter out hash algorithms nto compiled in the kernel on xattr writes - add a special case when secure boot is enabled: only the ima_hash algorithm is accepted on userland writes - add a policy option to opt-in to restricting digest algorithms at a per-rule granularity Simon Thoby (3): IMA: block writes of the security.ima xattr with weak hash algorithms IMA: add policy support for restricting the accepted hash algorithms IMA: honor the appraise_hash policy option Documentation/ABI/testing/ima_policy | 6 +- security/integrity/ima/ima.h | 6 +- security/integrity/ima/ima_api.c | 6 +- security/integrity/ima/ima_appraise.c | 59 +++++++++++++++++- security/integrity/ima/ima_main.c | 22 ++++++- security/integrity/ima/ima_policy.c | 90 +++++++++++++++++++++++++-- 6 files changed, 173 insertions(+), 16 deletions(-) -- 2.31.1