Re: [RESEND][PATCH] Documentation: added order requirement for ima_hash=

From: Guozihua (Scott)
Date: Thu Jan 27 2022 - 01:35:53 EST

Next message: Mika Westerberg: "Re: [PATCH 1/2] PCI/AER: Disable AER when link is in L2/L3 ready, L2 and L3 state"
Previous message: Mika Westerberg: "Re: [PATCH v2 2/2] PCI/DPC: Disable DPC service when link is in L2/L3 ready, L2 and L3 state"
In reply to: Jonathan Corbet: "RE: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Next in thread: Mimi Zohar: "Re: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2022/1/26 22:43, Roberto Sassu wrote:

From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
Sent: Wednesday, January 26, 2022 3:35 PM
On Wed, 2022-01-26 at 13:24 +0000, Roberto Sassu wrote:

From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
Sent: Wednesday, January 26, 2022 1:48 PM
On Wed, 2022-01-26 at 15:41 +0800, Guozihua (Scott) wrote:

The main issue lies in ima_template_desc_current called by hash_setup,
which does not just read ima_template global variable, but also tries to
set it if that hasn't been done already. Causing ima_template_setup to quit.

Right, which calls ima_init_template_list(). So part of the solution
could be to conditionally call ima_init_template_list()
in ima_template_setup().

- if (ima_template)
- return 1;
-
- ima_init_template_list();
+ if (!ima_template
+ ima_init_template_list();

Roberto, what do you think?

Hi Mimi

I think we wanted to prevent to set a digest algorithm
incompatible with the chosen template.

If we have in the kernel command line:

ima_template=ima ima_hash=sha256

ima_hash_algo would be set to HASH_ALGO_SHA1 despite
the user choice and the template would be set to 'ima'.

In the opposite case:

ima_hash=sha256 ima_template=ima

if the default template is 'ima', then ima_hash_algo would be
set to HASH_ALGO_SHA1. Otherwise, it would be
HASH_ALGO_SHA256. If we allow the template to be set after
the digest algorithm is evaluated, the template selection will
be rejected if the algorithm is incompatible with the template.

The only time that would occur is in the unlikely case that the
template is being set to "ima". That sounds reasonable. In fact we
should consider preventing the template format being set to "ima".

Ok.

I'm trying to remember why we still have the digest recalculation
in ima_eventdigest_init(). Maybe the only possibility is if we
set the template from the policy?

The recalculation was relatively recently added in commit 6cc7c266e5b4
("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()").

There is also recalculation for the file digest:

hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
ima_hash_algo : HASH_ALGO_SHA1;
result = ima_calc_file_hash(event_data->file, &hash.hdr);

I understood that Jonathan already applied the patch. If it is possible
to make a new patch according to your suggestion, I would ask Zihua
to do that.

Hi Mimi and Roberto,

I understand that the solution proposed here is to decommission template "ima" and potentially removing related algo checks altogether?

--
Best
GUO Zihua

Next message: Mika Westerberg: "Re: [PATCH 1/2] PCI/AER: Disable AER when link is in L2/L3 ready, L2 and L3 state"
Previous message: Mika Westerberg: "Re: [PATCH v2 2/2] PCI/DPC: Disable DPC service when link is in L2/L3 ready, L2 and L3 state"
In reply to: Jonathan Corbet: "RE: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Next in thread: Mimi Zohar: "Re: [RESEND][PATCH] Documentation: added order requirement for ima_hash="
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]