On Thu, 2022-04-07 at 10:16 +0800, GUO Zihua wrote:
> The original 'ima' measurement list template contains a hash, defined
> as 20 bytes, and a null terminated pathname, limited to 255
> characters. Other measurement list templates permit both larger hashes
> and longer pathnames. When the "ima" template is configured as the
> default, a new measurement list template (ima_template=) must be
> specified before specifying a larger hash algorithm (ima_hash=) on the
> boot command line.
>
> To avoid this boot command line ordering issue, remove the legacy "ima"
> template configuration option, allowing it to still be specified on the
> boot command line.
>
> The root cause of this issue is that during the processing of ima_hash,
> we would try to check whether the hash algorithm is compatible with the
> template. If the template is not set at the moment we do the check, we
> check the algorithm against the configured default template. If the
> default template is "ima", then we reject any hash algorithm other than
> sha1 and md5.
>
> For example, if the compiled default template is "ima", and the default
> algorithm is sha1 (which is the current default). In the cmdline, we put
> in "ima_hash=sha256 ima_template=ima-ng". The expected behavior would be
> that ima starts with ima-ng as the template and sha256 as the hash
> algorithm. However, during the processing of "ima_hash=",
> "ima_template=" has not been processed yet, and hash_setup would check
> the configured hash algorithm against the compiled default: ima, and
> reject sha256. So at the end, the hash algorithm that is actually used
> will be sha1.
>
> With template "ima" removed from the configured default, we ensure that
> the default tempalte would at least be "ima-ng" which allows for
> basically any hash algorithm.
>
> This change would not break the algorithm compatibility checks for IMA.
>
> Fixes: 4286587dccd43 ("ima: add Kconfig default measurement list template")
> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>
thanks,
Mimi
