> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > Sent: Wednesday, January 26, 2022 1:48 PM > On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote: > > > > > > The main issue lies in ima_template_desc_current called by hash_setup, > > which does not just read ima_template global variable, but also tries to > > set it if that hasn't been done already. Causing ima_template_setup to quit. > > Right, which calls ima_init_template_list(). So part of the solution > could be to conditionally call ima_init_template_list() > in ima_template_setup(). > > - if (ima_template) > - return 1; > - > - ima_init_template_list(); > + if (!ima_template > + ima_init_template_list(); > > Roberto, what do you think? Hi Mimi I think we wanted to prevent to set a digest algorithm incompatible with the chosen template. If we have in the kernel command line: ima_template=ima ima_hash=sha256 ima_hash_algo would be set to HASH_ALGO_SHA1 despite the user choice and the template would be set to 'ima'. In the opposite case: ima_hash=sha256 ima_template=ima if the default template is 'ima', then ima_hash_algo would be set to HASH_ALGO_SHA1. Otherwise, it would be HASH_ALGO_SHA256. If we allow the template to be set after the digest algorithm is evaluated, the template selection will be rejected if the algorithm is incompatible with the template. I'm trying to remember why we still have the digest recalculation in ima_eventdigest_init(). Maybe the only possibility is if we set the template from the policy? Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua > thanks, > > Mimi