From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: THOBY Simon <Simon.THOBY@viveris.fr>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Subject: Re: [PATCH v6 1/5] IMA: remove the dependency on CRYPTO_MD5
Date: Wed, 4 Aug 2021 10:41:37 -0700 [thread overview]
Message-ID: <ace93099-79c2-f8ca-910f-00ebaf9f624e@linux.microsoft.com> (raw)
In-Reply-To: <20210804092010.350372-2-simon.thoby@viveris.fr>
On 8/4/2021 2:20 AM, THOBY Simon wrote:
> MD5 is a weak digest algorithm that shouldn't be used for cryptographic
> operation. It hinders the efficiency of a patch set that aims to limit
> the digests allowed for the extended file attribute namely security.ima.
> MD5 is no longer a requirement for IMA, nor should it be used there.
>
> Remove the CRYPTO_MD5 dependency for IMA.
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>
> Signed-off-by: Simon Thoby <simon.thoby@viveris.fr>
> ---
> security/integrity/ima/Kconfig | 1 -
> security/integrity/ima/ima_main.c | 3 ++-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index d0ceada99243..f3a9cc201c8c 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -6,7 +6,6 @@ config IMA
> select SECURITYFS
> select CRYPTO
> select CRYPTO_HMAC
> - select CRYPTO_MD5
> select CRYPTO_SHA1
> select CRYPTO_HASH_INFO
> select TCG_TPM if HAS_IOMEM && !UML
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1cba6beb5a60..b70ee0125168 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -53,7 +53,8 @@ static int __init hash_setup(char *str)
> if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
> if (strncmp(str, "sha1", 4) == 0) {
> ima_hash_algo = HASH_ALGO_SHA1;
> - } else if (strncmp(str, "md5", 3) == 0) {
> + } else if (IS_ENABLED(CONFIG_CRYPTO_MD5)
> + && strncmp(str, "md5", 3) == 0) {
> ima_hash_algo = HASH_ALGO_MD5;
> } else {
> pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
>
next prev parent reply other threads:[~2021-08-04 17:39 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-04 9:20 [PATCH v6 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr THOBY Simon
2021-08-04 9:20 ` [PATCH v6 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms THOBY Simon
2021-08-04 17:40 ` Lakshmi Ramasubramanian
2021-08-09 13:32 ` Mimi Zohar
2021-08-09 23:34 ` Mimi Zohar
2021-08-10 6:44 ` THOBY Simon
2021-08-04 9:20 ` [PATCH v6 1/5] IMA: remove the dependency on CRYPTO_MD5 THOBY Simon
2021-08-04 17:41 ` Lakshmi Ramasubramanian [this message]
2021-08-09 20:59 ` Mimi Zohar
2021-08-04 9:20 ` [PATCH v6 3/5] IMA: add support to restrict the hash algorithms used for file appraisal THOBY Simon
2021-08-04 17:44 ` Lakshmi Ramasubramanian
2021-08-09 17:43 ` Mimi Zohar
2021-08-10 6:45 ` THOBY Simon
2021-08-04 9:20 ` [PATCH v6 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK THOBY Simon
2021-08-04 18:49 ` Lakshmi Ramasubramanian
2021-08-09 18:12 ` Mimi Zohar
2021-08-04 9:20 ` [PATCH v6 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal THOBY Simon
2021-08-04 20:53 ` Lakshmi Ramasubramanian
2021-08-05 7:42 ` THOBY Simon
2021-08-09 18:05 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ace93099-79c2-f8ca-910f-00ebaf9f624e@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=Didier.BARVAUX@viveris.fr \
--cc=Simon.THOBY@viveris.fr \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox