On Mon, 2024-04-08 at 17:43 +0200, Enrico Bravi wrote:
> On 08/04/24 13:35, Roberto Sassu wrote:
> > On Mon, 2024-04-08 at 13:17 +0200, Enrico Bravi wrote:
> > > The template hash shown by the ascii_runtime_measurements and
> > > binary_runtime_measurements is the one calculated using sha1 and there is
> > > no possibility to change this value, despite the fact that the template
> > > hash is calculated using the hash algorithms corresponding to all the PCR
> > > banks configured in the TPM.
> > >
> > > Add the support to retrieve the ima log with the template data hash
> > > calculated with a specific hash algorithm.
> > > Add a new file in the securityfs ima directory for each hash algo
> > > configured in a PCR bank of the TPM. Each new file has a name with
> > > the following structure:
> > >
> > > {binary, ascii}_runtime_measurements_<hash_algo_name>
> > >
> > > Legacy files are kept, to avoid breaking existing applications, but as
> > > symbolic links which point to the {binary, ascii}_runtime_measurements_sha1
> > > files. These two files are created even if a TPM chip is not detected or
> > > the sha1 bank is not configured in the TPM.
> > >
> > > As an example, in the case a TPM chip is present and sha256 is the only
> > > configured PCR bank, the listing of the securityfs ima directory is the
> > > following:
> > >
> > > lr--r--r-- [...] ascii_runtime_measurements -> ascii_runtime_measurements_sha1
> > > -r--r----- [...] ascii_runtime_measurements_sha1
> > > -r--r----- [...] ascii_runtime_measurements_sha256
> > > lr--r--r-- [...] binary_runtime_measurements -> binary_runtime_measurements_sha1
> > > -r--r----- [...] binary_runtime_measurements_sha1
> > > -r--r----- [...] binary_runtime_measurements_sha256
> > > --w------- [...] policy
> > > -r--r----- [...] runtime_measurements_count
> > > -r--r----- [...] violations
> > >
> > > Signed-off-by: Enrico Bravi <enrico.bravi@xxxxxxxxx>
> > > Signed-off-by: Silvia Sisinni <silvia.sisinni@xxxxxxxxx>
> >
> > Reviewed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Thank you Roberto for the tag!
>
> I noticed an error in the number of changed lines which produces a format
> error when applying the patch. I will send shortly a new version which
> fixes it.
>
> I'm so sorry about that.
>
> Thanks,
> Enrico.

Please base it on the next-integrity branch.

Mimi
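The following is an added example, not code from the patch or from the kernel tree. It shows, from the verifier's side, why a per-bank template hash matters: a binary_runtime_measurements_<algo> file carries a digest sized and computed for <algo>, and only that digest sequence replays the matching PCR bank. The example builds a constructed two-entry ima-ng log as the kernel would expose it for a given bank, parses it back, recomputes every template hash with the bank's algorithm and replays PCR 10. Assumptions of mine, not stated in the thread: the entries use the ima-ng template (fields d-ng and n-ng, each prefixed by a host-order u32 length that is also covered by the template hash), the host is little-endian, and a PCR bank is replayed from all zeros as PCR = H(PCR || template_hash).

```python
import hashlib
import struct

# Assumption: little-endian host. The kernel writes the u32 fields in host
# order, so a verifier on a big-endian machine would use ">I" instead.
U32 = "<I"


def ima_ng_template_data(file_hash_algo: str, file_digest: bytes, path: str) -> bytes:
    """Build ima-ng template data: fields d-ng and n-ng, each u32-length-prefixed."""
    d_ng = file_hash_algo.encode() + b":\0" + file_digest   # "sha256:\0" + raw file digest
    n_ng = path.encode() + b"\0"                             # NUL-terminated path
    return b"".join(struct.pack(U32, len(f)) + f for f in (d_ng, n_ng))


def template_hash(template_data: bytes, algo: str) -> bytes:
    """Template hash for one PCR bank: that bank's algorithm over the template data."""
    return hashlib.new(algo, template_data).digest()


def encode_entry(pcr_index: int, template_name: str, template_data: bytes, algo: str) -> bytes:
    """Serialize one entry of binary_runtime_measurements_<algo> (digest sized for <algo>)."""
    name = template_name.encode()
    return (struct.pack(U32, pcr_index) + template_hash(template_data, algo)
            + struct.pack(U32, len(name)) + name
            + struct.pack(U32, len(template_data)) + template_data)


def parse_log(blob: bytes, algo: str) -> list:
    """Parse a binary log whose digest field is sized for <algo>; returns (pcr, digest, name, data) tuples."""
    dsize = hashlib.new(algo).digest_size
    entries, off = [], 0
    while off < len(blob):
        (pcr_index,) = struct.unpack_from(U32, blob, off); off += 4
        digest = blob[off:off + dsize]; off += dsize
        (nlen,) = struct.unpack_from(U32, blob, off); off += 4
        name = blob[off:off + nlen].decode(); off += nlen
        (dlen,) = struct.unpack_from(U32, blob, off); off += 4
        data = blob[off:off + dlen]; off += dlen
        if len(digest) != dsize or len(data) != dlen:
            raise ValueError("truncated log")
        entries.append((pcr_index, digest, name, data))
    return entries


def replay_pcr(template_hashes, algo: str) -> bytes:
    """Replay one PCR bank from all zeros: PCR = H(PCR || template_hash) for each entry."""
    pcr = bytes(hashlib.new(algo).digest_size)
    for th in template_hashes:
        pcr = hashlib.new(algo, pcr + th).digest()
    return pcr


def verify_log(blob: bytes, algo: str, expected_pcr10: bytes) -> dict:
    """Check that every digest equals <algo>(template_data), then replay PCR 10 in that bank."""
    entries = parse_log(blob, algo)
    digests_ok = all(d == template_hash(data, algo) for _, d, _, data in entries)
    pcr = replay_pcr([d for p, d, _, _ in entries if p == 10], algo)
    return {"entries": len(entries), "digests_ok": digests_ok, "pcr_ok": pcr == expected_pcr10}


# Constructed sample measurements (not a real log): boot_aggregate plus one file.
SAMPLE = [
    ("sha256", hashlib.sha256(b"constructed boot aggregate").digest(), "boot_aggregate"),
    ("sha256", hashlib.sha256(b"#!/bin/sh\necho hi\n").digest(), "/usr/bin/example"),
]


def build_sample_log(algo: str) -> bytes:
    """The same measurements as the kernel would expose them in the <algo> file."""
    return b"".join(encode_entry(10, "ima-ng", ima_ng_template_data(a, d, p), algo)
                    for a, d, p in SAMPLE)


if __name__ == "__main__":
    for bank in ("sha1", "sha256"):
        log = build_sample_log(bank)
        pcr = replay_pcr([e[1] for e in parse_log(log, bank)], bank)
        print(bank, verify_log(log, bank, pcr), pcr.hex())
```

Both per-bank files carry identical template data; only the digest field differs, and a verifier holding a PCR 10 quote from the sha256 bank has to compare against the replay of the sha256 digests, not the sha1 ones.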