Hi Simon,

On 7/28/2021 6:21 AM, THOBY Simon wrote:
Remove the CRYPTO_MD5 dependency for IMA, as it is not necessary and it hinders the efficiency of a patchset that limits the digests allowed for the security.ima xattr.
In the patch description state the problem first and then describe how it is addressed in the patch. Maybe, something like the following:
MD5 is a weak digest algorithm. It hinders the efficiency of a patch set that aims to limit the digests allowed for the extended file attribute, namely security.ima. MD5 should not be used for any crypto operations in IMA.
Remove the CRYPTO_MD5 dependency for IMA.
Signed-off-by: Simon Thoby <simon.thoby@xxxxxxxxxx> --- security/integrity/ima/Kconfig | 1 - security/integrity/ima/ima_main.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index d0ceada99243..f3a9cc201c8c 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -6,7 +6,6 @@ config IMA select SECURITYFS select CRYPTO select CRYPTO_HMAC - select CRYPTO_MD5 select CRYPTO_SHA1 select CRYPTO_HASH_INFO select TCG_TPM if HAS_IOMEM && !UML diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 287b90509006..7f2310f29789 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -53,7 +53,7 @@ static int __init hash_setup(char *str) if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { if (strncmp(str, "sha1", 4) == 0) { ima_hash_algo = HASH_ALGO_SHA1; - } else if (strncmp(str, "md5", 3) == 0) { + } else if (IS_ENABLED(CONFIG_CRYPTO_MD5) && strncmp(str, "md5", 3) == 0) { ima_hash_algo = HASH_ALGO_MD5; } else { pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
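Review bot: In the Kconfig hunk, dropping `select CRYPTO_MD5` from `config IMA` means a configuration that relied on IMA to pull in MD5 now loses it silently, and the commit message does not say so. Suggest stating in the commit message (or in the IMA Kconfig help text) that anyone who still wants hash_setup() to accept "md5" has to enable CONFIG_CRYPTO_MD5 explicitly.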
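Review bot: In the ima_main.c hunk, when CONFIG_CRYPTO_MD5 is off the string "md5" now falls through to the else branch and is reported by pr_err() as an "invalid hash algorithm", which is misleading for a name that is valid but not built. Consider a separate message for that case, or wording the existing one so it covers an algorithm disabled in the kernel configuration. Also, IS_ENABLED() is true for =m as well as =y; since hash_setup() is __init, please confirm that a modular MD5 is acceptable at this point.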
Code change looks good.

-lakshmi