Re: [PATCH v6 1/5] IMA: remove the dependency on CRYPTO_MD5

[Mimi Zohar <zohar@linux.ibm.com>]

On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote:
> MD5 is a weak digest algorithm that shouldn't be used for cryptographic
> operation. It hinders the efficiency of a patch set that aims to limit
> the digests allowed for the extended file attribute namely security.ima.
> MD5 is no longer a requirement for IMA, nor should it be used there.
> 
> Remove the CRYPTO_MD5 dependency for IMA.
> 
> Signed-off-by: Simon Thoby <simon.thoby@viveris.fr>
> ---
>  security/integrity/ima/Kconfig    | 1 -
>  security/integrity/ima/ima_main.c | 3 ++-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index d0ceada99243..f3a9cc201c8c 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -6,7 +6,6 @@ config IMA
>  	select SECURITYFS
>  	select CRYPTO
>  	select CRYPTO_HMAC
> -	select CRYPTO_MD5
>  	select CRYPTO_SHA1
>  	select CRYPTO_HASH_INFO
>  	select TCG_TPM if HAS_IOMEM && !UML
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1cba6beb5a60..b70ee0125168 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -53,7 +53,8 @@ static int __init hash_setup(char *str)
>  	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
>  		if (strncmp(str, "sha1", 4) == 0) {
>  			ima_hash_algo = HASH_ALGO_SHA1;
> -		} else if (strncmp(str, "md5", 3) == 0) {
> +		} else if (IS_ENABLED(CONFIG_CRYPTO_MD5)
> +			   && strncmp(str, "md5", 3) == 0) {
>  			ima_hash_algo = HASH_ALGO_MD5;
>  		} else {
>  			pr_err("invalid hash algorithm \"%s\" for template \"%s\"",

FYI, with the non "ima" template formats and MD5 is not configured, it
fails with the following messages:

ima: Can not allocate md5 (reason: -2)
ima: Allocating md5 failed, going to use default hash algorithm sha256

thanks,

Mimi