> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> Sent: Wednesday, January 26, 2022 3:35 PM
>
> On Wed, 2022-01-26 at 13:24 +0000, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > > Sent: Wednesday, January 26, 2022 1:48 PM
> > >
> > > On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote:
> > > >
> > > > The main issue lies in ima_template_desc_current called by hash_setup,
> > > > which does not just read ima_template global variable, but also tries to
> > > > set it if that hasn't been done already. Causing ima_template_setup to quit.
> > >
> > > Right, which calls ima_init_template_list(). So part of the solution
> > > could be to conditionally call ima_init_template_list()
> > > in ima_template_setup().
> > >
> > > -	if (ima_template)
> > > -		return 1;
> > > -
> > > -	ima_init_template_list();
> > > +	if (!ima_template
> > > +		ima_init_template_list();
> > >
> > > Roberto, what do you think?
> >
> > Hi Mimi
> >
> > I think we wanted to prevent to set a digest algorithm
> > incompatible with the chosen template.
> >
> > If we have in the kernel command line:
> >
> > ima_template=ima ima_hash=sha256
> >
> > ima_hash_algo would be set to HASH_ALGO_SHA1 despite
> > the user choice and the template would be set to 'ima'.
> >
> > In the opposite case:
> >
> > ima_hash=sha256 ima_template=ima
> >
> > if the default template is 'ima', then ima_hash_algo would be
> > set to HASH_ALGO_SHA1. Otherwise, it would be
> > HASH_ALGO_SHA256. If we allow the template to be set after
> > the digest algorithm is evaluated, the template selection will
> > be rejected if the algorithm is incompatible with the template.
>
> The only time that would occur is in the unlikely case that the
> template is being set to "ima". That sounds reasonable. In fact we
> should consider preventing the template format being set to "ima".

Ok.

> > I'm trying to remember why we still have the digest recalculation
> > in ima_eventdigest_init(). Maybe the only possibility is if we
> > set the template from the policy?
>
> The recalculation was relatively recently added in commit 6cc7c266e5b4
> ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()").

There is also recalculation for the file digest:

	hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
	    ima_hash_algo : HASH_ALGO_SHA1;
	result = ima_calc_file_hash(event_data->file, &hash.hdr);

I understood that Jonathan already applied the patch. If it is
possible to make a new patch according to your suggestion, I would
ask Zihua to do that.

Jonathan, would it be fine for you to discard this patch?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> thanks,
>
> Mimi
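Review bot: the replacement condition in the quoted ima_template_setup() suggestion, `+ if (!ima_template`, is missing its closing parenthesis and will not compile as written; it should read `if (!ima_template)` followed by the `ima_init_template_list();` call. Note also that dropping the `if (ima_template) return 1;` early return means the rest of ima_template_setup() now runs even when the template was already set as a side effect of ima_template_desc_current(), so the name lookup and the 'ima'/hash-algorithm compatibility check below it (not shown in the hunk) become the only guards against a later ima_template= overriding that value; that is the intended behaviour per the thread, but the commit message for a real patch should spell it out.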
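The ordering problem Roberto walks through above (ima_template= before or after ima_hash=, with ima_template_desc_current() setting the template as a side effect) is easier to see when both orders are run through a model. The following is an added example, not code from the kernel or from this thread: a user-space simulation in which the function names mirror the IMA functions under discussion but the bodies are simplified assumptions. The default template "ima-ng", the `struct ima_state` container and the `run_cmdline()` driver are all constructed for the example; the real kernel reads its default from CONFIG_IMA_DEFAULT_TEMPLATE and its parameters through __setup() handlers. `fixed == 0` models the current early return in ima_template_setup(); `fixed == 1` models Mimi's suggestion of only skipping the list initialisation and then validating the user's choice.

```c
/* Added example, not kernel code: model of ima_hash= / ima_template=
 * ordering on the kernel command line.  Function names mirror the IMA
 * functions discussed in the thread; bodies are simplified assumptions. */
#include <stdio.h>
#include <string.h>

enum hash_algo { HASH_ALGO_MD5, HASH_ALGO_SHA1, HASH_ALGO_SHA256 };

/* Assumed default; the kernel uses CONFIG_IMA_DEFAULT_TEMPLATE. */
#define DEFAULT_TEMPLATE "ima-ng"

static const char *known_templates[] = { "ima", "ima-ng", "ima-sig", NULL };

struct ima_state {
	const char *ima_template;    /* NULL until something sets it */
	enum hash_algo ima_hash_algo;
	int template_rejected;       /* 1 if ima_template= was refused */
};

/* The legacy 'ima' template can only carry SHA1 or MD5 digests. */
static int ima_template_hash_algo_allowed(enum hash_algo a)
{
	return a == HASH_ALGO_SHA1 || a == HASH_ALGO_MD5;
}

static const char *lookup_template_desc(const char *name)
{
	for (int i = 0; known_templates[i]; i++)
		if (strcmp(known_templates[i], name) == 0)
			return known_templates[i];
	return NULL;
}

/* The side effect under discussion: a "read" that also sets the template. */
static const char *ima_template_desc_current(struct ima_state *s)
{
	if (!s->ima_template)
		s->ima_template = lookup_template_desc(DEFAULT_TEMPLATE);
	return s->ima_template;
}

static int parse_algo(const char *str, enum hash_algo *out)
{
	if (strcmp(str, "md5") == 0) *out = HASH_ALGO_MD5;
	else if (strcmp(str, "sha1") == 0) *out = HASH_ALGO_SHA1;
	else if (strcmp(str, "sha256") == 0) *out = HASH_ALGO_SHA256;
	else return -1;
	return 0;
}

/* ima_hash= handler: consults the template, which may set it as a side effect. */
static void hash_setup(struct ima_state *s, const char *str)
{
	const char *tmpl = ima_template_desc_current(s);
	enum hash_algo a;

	if (parse_algo(str, &a) < 0)
		return;
	if (strcmp(tmpl, "ima") == 0 && !ima_template_hash_algo_allowed(a))
		return;                     /* keep the default (SHA1) */
	s->ima_hash_algo = a;
}

/* ima_template= handler.  fixed == 0: current early return.
 * fixed == 1: fall through and validate the user's choice. */
static void ima_template_setup(struct ima_state *s, const char *str, int fixed)
{
	const char *desc;

	if (!fixed && s->ima_template)
		return;                     /* user's choice silently ignored */
	desc = lookup_template_desc(str);
	if (!desc) { s->template_rejected = 1; return; }
	if (strcmp(str, "ima") == 0 &&
	    !ima_template_hash_algo_allowed(s->ima_hash_algo)) {
		s->template_rejected = 1;   /* incompatible with ima_hash= */
		return;
	}
	s->ima_template = desc;
}

/* Constructed driver: run the parameters left to right, as the kernel does. */
struct ima_state run_cmdline(const char *cmdline, int fixed)
{
	struct ima_state s = { NULL, HASH_ALGO_SHA1, 0 };
	const char *p = cmdline;

	while (*p) {
		char tok[64];
		size_t n = strcspn(p, " ");
		size_t c = n < sizeof(tok) - 1 ? n : sizeof(tok) - 1;

		memcpy(tok, p, c);
		tok[c] = '\0';
		if (strncmp(tok, "ima_hash=", 9) == 0)
			hash_setup(&s, tok + 9);
		else if (strncmp(tok, "ima_template=", 13) == 0)
			ima_template_setup(&s, tok + 13, fixed);
		p += n;
		while (*p == ' ')
			p++;
	}
	if (!s.ima_template)                /* late default, as at ima_init() */
		s.ima_template = lookup_template_desc(DEFAULT_TEMPLATE);
	return s;
}

int main(void)
{
	const char *lines[] = { "ima_template=ima ima_hash=sha256",
				"ima_hash=sha256 ima_template=ima",
				"ima_hash=sha256 ima_template=ima-sig" };
	for (int f = 0; f < 2; f++)
		for (int i = 0; i < 3; i++) {
			struct ima_state s = run_cmdline(lines[i], f);
			printf("%-8s %-38s -> template=%s algo=%d rejected=%d\n",
			       f ? "fixed" : "original", lines[i],
			       s.ima_template, s.ima_hash_algo, s.template_rejected);
		}
	return 0;
}
```

With the current early return, "ima_hash=sha256 ima_template=ima-sig" ends up with the default template and the user's ima-sig request dropped without any error; with the conditional initialisation, ima-sig is honoured, and "ima_hash=sha256 ima_template=ima" is rejected at the compatibility check rather than silently ignored, which is the behaviour Roberto describes.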