Hi Bruno,

On Fri, 2021-08-20 at 20:00 -0300, Bruno Meneguele wrote:
> The default hash algorithm for evmctl is today hardcoded in the libimaevm.c file.
> To facilitate different distributions and users to set their own default
> hash algorithm this patch adds the --with-default-hash=<algo> option to the
> configuration script.
>
> The algorithm chosen by the user will then be checked if it is available in the
> kernel, otherwise IMA won't be able to verify files hashed by the user. For
> that, the file exposed by the kernel crypto API (/proc/crypto) is filtered
> by an AWK script in order to check the algorithm's name and the module
> providing it. Initially, only "module: kernel" is accepted, following IMA's
> CONFIG_CRYPTO_SHA1/SHA256 dependency.

There's a difference between preventing an evmctl user from
unintentionally using an unsupported algorithm and the distro, or
whoever is building the package, defining the wrong default hash
algorithm. My preference would be to allow any hash algorithm defined
in hash_info.h (kernel_headers package) as the default.

thanks,

Mimi
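Added example, not part of this thread or of the patch under review: a sketch of the kind of /proc/crypto filter the commit message describes, run over a constructed sample to show what accepting only "module: kernel" admits and rejects. The function names `make_sample` and `hash_in_kernel` and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto layout: blank-line separated records of
# "key : value" lines. sha256 is built in; sha512 comes from a loadable module.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash

name         : sha512
driver       : sha512-generic
module       : sha512_generic
type         : shash
EOF
    echo "$f"
}

# hash_in_kernel ALGO FILE
# Succeeds only if FILE has a record with name == ALGO and module == kernel.
hash_in_kernel() {
    awk -v algo="$1" '
        BEGIN { RS = ""; FS = "\n"; found = 0 }   # paragraph mode: one record per algorithm
        {
            name = ""; module = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":")
                key = kv[1]; val = kv[2]
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                if (key == "name")   name = val
                if (key == "module") module = val
            }
            if (name == algo && module == "kernel") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

sample=$(make_sample)
for algo in sha256 sha512 streebog256; do
    if hash_in_kernel "$algo" "$sample"; then
        echo "$algo: accepted as default"
    else
        echo "$algo: rejected (absent, or not module: kernel)"
    fi
done
rm -f "$sample"
```

On a build host the second argument would be /proc/crypto itself, so the result describes the machine building the package and not necessarily the kernel the package later runs on.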