From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: James Morris <jmorris@namei.org>
Cc: linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Hellwig <hch@infradead.org>,
Dave Hansen <dave@linux.vnet.ibm.com>,
"<David Safford" <safford@watson.ibm.com>,
Serge Hallyn <serue@us.ibm.com>, Mimi Zohar <zohar@us.ibm.com>
Subject: Re: [PATCH 2/6] integrity: IMA as an integrity service provider
Date: Fri, 30 Jan 2009 14:29:28 -0500 [thread overview]
Message-ID: <1233343768.8801.16.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.1.10.0901301032080.29870@tundra.namei.org>
On Fri, 2009-01-30 at 11:07 +1100, James Morris wrote:
> On Thu, 29 Jan 2009, Mimi Zohar wrote:
>
> > +++ b/security/integrity/ima/Kconfig
> > @@ -0,0 +1,49 @@
> > +# IBM Integrity Measurement Architecture
> > +#
> > +config IMA
> > + bool "Integrity Measurement Architecture(IMA)"
> > + depends on ACPI
> > + select SECURITYFS
> > + select CRYPTO
> > + select CRYPTO_HMAC
> > + select CRYPTO_MD5
> > + select CRYPTO_SHA1
> > + select TCG_TPM
> > + select TCG_TIS
> > + help
> > + The Trusted Computing Group(TCG) runtime Integrity
> > + Measurement Architecture(IMA) maintains a list of hash
> > + values of executables and other sensitive system files,
> > + as they are read or executed. If an attacker manages
> > + to change the contents of an important system file
> > + being measured, we can tell.
>
> Out of interest, do you know if the TCG has analyzed their use of SHA-1
> in light of various attacks on the algorithm over the last few years?
>
> The IETF has published analysis and recommendations relating to the use of
> SHA-1 (and other cryptographic hashes) with IP protocols:
>
> http://www.ietf.org/rfc/rfc4894.txt
> http://www.ietf.org/rfc/rfc4270.txt
>
> It would be useful to know if similar analysis has been performed for TPM.
>
>
> - James
Sorry, the TCG does not have a postion paper on this. We do not see
the current SHA-1 collision weakness being applicable to how the TPM
is currently being used by IMA. If, however, it does becomes an issue,
we could replace the SHA-1 template measurement with SHA-256.
Mimi
next prev parent reply other threads:[~2009-01-30 19:29 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-29 22:23 [PATCH 0/6] integrity Mimi Zohar
2009-01-29 22:23 ` [PATCH 1/6] integrity: IMA hooks Mimi Zohar
2009-01-29 22:23 ` [PATCH 2/6] integrity: IMA as an integrity service provider Mimi Zohar
2009-01-30 0:07 ` James Morris
2009-01-30 19:29 ` Mimi Zohar [this message]
2009-01-30 9:04 ` James Morris
2009-01-30 13:13 ` Mimi Zohar
2009-02-02 23:02 ` Serge E. Hallyn
2009-02-03 2:09 ` Mimi Zohar
2009-02-03 13:36 ` david safford
2009-02-03 14:03 ` Serge E. Hallyn
2009-01-29 22:23 ` [PATCH 3/6] integrity: IMA display Mimi Zohar
2009-01-30 9:18 ` James Morris
2009-01-30 13:14 ` Mimi Zohar
2009-02-02 23:14 ` Serge E. Hallyn
2009-02-03 0:03 ` James Morris
2009-01-29 22:23 ` [PATCH 4/6] integrity: IMA policy Mimi Zohar
2009-02-02 23:40 ` Serge E. Hallyn
2009-02-03 1:29 ` Mimi Zohar
2009-01-29 22:23 ` [PATCH 5/6] integrity: IMA policy open Mimi Zohar
2009-01-29 22:23 ` [PATCH 6/6] Integrity: IMA file free imbalance Mimi Zohar
2009-02-02 23:47 ` Serge E. Hallyn
2009-02-03 1:27 ` Mimi Zohar
2009-02-06 0:00 ` [PATCH 0/6] integrity James Morris
2009-02-06 2:29 ` Mimi Zohar
2009-02-06 8:14 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1233343768.8801.16.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=dave@linux.vnet.ibm.com \
--cc=hch@infradead.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=safford@watson.ibm.com \
--cc=serue@us.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox