Re: [PATCH 7/8] ima: use ima_hash_algo for collision detection in the measurement list

From: Mimi Zohar
Date: Fri Jan 31 2020 - 09:50:44 EST


On Fri, 2020-01-31 at 14:41 +0000, Roberto Sassu wrote:
> I thought that using a stronger algorithm for hash collision detection but
> doing remote attestation with the weaker would not bring additional value.
>
> If there is a hash collision on SHA1, an attacker can still replace the data of
> one of the two entries in the measurement list with the data of the other
> without being detected (without additional countermeasures).
>
> If the verifier additionally checks for duplicate template digests, he could
> detect the attack (IMA would not add a new measurement entry with the
> same template digest of previous entries).
>
> Ok, I will use ima_hash_algo for hash collision detection.

Thanks!

Mimi