Re: [PATCH v4 ima-evm-utils 1/2] set default hash algorithm in configuration time

On Wed, Aug 25, 2021 at 05:43:50PM -0400, Mimi Zohar wrote:
> Hi Bruno,
> 
> On Fri, 2021-08-20 at 20:00 -0300, Bruno Meneguele wrote:
> > The default hash algorithm for evmctl is today hardcoded in the libimaevm.c file.
> > To facilitate different distributions and users to set their own default
> > hash algorithm this patch adds the --with-default-hash=<algo> option to the
> > configuration script.
> > 
> > The algorithm chosen by the user will then be checked if it is available in the
> > kernel, otherwise IMA won't be able to verify files hashed by the user. For
> > that, the file exposed by the kernel crypto API (/proc/crypto) is filtered
> > by an AWK script in order to check the algorithm's name and the module
> > providing it. Initially, only "module: kernel" is accepted, following IMA's
> > CONFIG_CRYPTO_SHA1/SHA256 dependency.
> 
> There's a difference between preventing an evmctl user from
> unintentionally using an unsupported algorithm and the distro, or
> whoever is building the package, defining the wrong default hash
> algorithm.
> 
> My preference would be to allow any hash algorithm defined in
> hash_info.h (kernel_headers package) as the default.
> 

Good point. Considering we already depend on the kernel-headers pkg and
we also allow the user to specify a custom path for headers, it's indeed
better to keep the consistency.

I'll prepare a v5 using the kernel-headers instead of /proc/crypto.

> thanks,
> 
> Mimi
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

Attachment: signature.asc
Description: PGP signature
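
The two checks discussed in this exchange, side by side, as an added example that is not code from the patch or from ima-evm-utils: the v4 approach (a /proc/crypto record with the algorithm's name and "module : kernel") and the reviewer's suggestion (membership in enum hash_algo from hash_info.h). The function names and both sample inputs are constructed for illustration, and the header check assumes the algorithm name is the lower-cased HASH_ALGO_ suffix, which holds for the entries shown but not for every entry in the real header.

```shell
#!/bin/sh
# Added example: two ways to vet a default hash algorithm at configure time.
# Both sample inputs are constructed; the real sources would be /proc/crypto
# and linux/hash_info.h from the kernel headers.
SAMPLE_PROC_CRYPTO='name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash

name         : sha512
driver       : sha512-ssse3
module       : sha512_ssse3
type         : shash'

SAMPLE_HASH_INFO='enum hash_algo {
    HASH_ALGO_MD5,
    HASH_ALGO_SHA1,
    HASH_ALGO_SHA256,
    HASH_ALGO_SHA512,
    HASH_ALGO__LAST
};'

# v4 approach: accept only when a /proc/crypto record carries the requested
# name and "module : kernel" (built in on the machine running configure).
proc_crypto_builtin() {   # $1 = algo, stdin = /proc/crypto text
    awk -v algo="$1" '
        $1 == "name"   { name = $3 }
        $1 == "module" { if (name == algo && $3 == "kernel") found = 1 }
        END { exit !found }'
}

# Reviewer's suggestion: accept any member of enum hash_algo.
# Assumption: algo name == lower-cased HASH_ALGO_<X> suffix.
hash_info_defines() {     # $1 = algo, stdin = hash_info.h text
    want=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    sed -n 's/^[[:space:]]*HASH_ALGO_\([A-Z0-9_]*\),.*$/\1/p' | grep -qxF "$want"
}

check_default_hash() {    # prints "<proc verdict> <header verdict>"
    printf '%s\n' "$SAMPLE_PROC_CRYPTO" | proc_crypto_builtin "$1" && p=ok || p=reject
    printf '%s\n' "$SAMPLE_HASH_INFO" | hash_info_defines "$1" && h=ok || h=reject
    echo "$p $h"
}

for a in sha256 sha512 foo; do echo "$a: $(check_default_hash "$a")"; done
```

In the constructed data sha512 is provided by a loadable module on the build host, so the /proc/crypto check rejects it while the header check accepts it; the first check depends on the machine running configure, the second only on the installed headers.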

