From: Vivek G. <vg...@re...> - 2013-03-13 15:34:41
Hi Dmitry,

I used evmctl to sign an executable. I used an x.509 cert. I generated the cert and specified to use the -sha256 algorithm. But I noticed that evmctl ignores x.509 values and by default calculates a sha1 hash.

I thought we should honor the x.509 certificate and use the hashing algorithm as specified in the cert. What do you think? If kernel IMA does not support sha256, then signature verification will fail, but I think that's a different issue altogether.

In fact I am not sure that the kernel command line ima_hash is relevant in user space signing, because it hard codes that all files should be signed using a single hash algorithm. But the fact is that the user should be able to sign different files using different algorithms.

You are already passing hash algorithm information in the header in V2. I think there is a disconnect here. Despite the fact that we are passing hash algo information in the header, in the kernel we are not using that info to calculate the file hash. Instead we are using sha1 or md5 as specified by the ima_hash kernel parameter.

I thought a user should have the flexibility to sign the file using supported hash algorithms, and then the kernel should provide a mechanism to verify the file using those algorithms. And we should not impose that all ima signed files will have a single hash algorithm.

Thanks
Vivek
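Added example, not part of the original message and not evmctl or kernel code: a Python sketch of the disconnect described above, comparing a verifier that takes the hash algorithm from the V2 signature header with one that uses a single global default. The header layout (type byte, version, hash_algo, 32-bit key id, 16-bit signature size), the hash enum values, and the sample file and key id are assumptions; the message does not give them.

```python
import hashlib
import struct

# Assumptions (not given in the message): xattr type byte and hash enum values
# as found in ima-evm-utils / the kernel's hash list.
EVM_IMA_XATTR_DIGSIG = 0x03
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
# type, version, hash_algo, keyid (big-endian u32), sig_size (big-endian u16)
HDR = struct.Struct(">BBBIH")


def parse_sig_v2(xattr: bytes) -> dict:
    """Parse the v2 signature header and reject malformed input."""
    if len(xattr) < HDR.size:
        raise ValueError("truncated signature header")
    typ, version, algo_id, keyid, sig_size = HDR.unpack_from(xattr)
    if typ != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError("not a v2 digital signature")
    if algo_id not in HASH_ALGOS:
        raise ValueError(f"unsupported hash_algo id {algo_id}")
    if len(xattr) - HDR.size != sig_size:
        raise ValueError("sig_size does not match payload length")
    return {"hash_algo": HASH_ALGOS[algo_id], "keyid": keyid, "sig": xattr[HDR.size:]}


def digest_for_verification(content, xattr, global_default="sha1", honor_header=True):
    """Return (algorithm, hex digest) the verifier would compare against."""
    hdr = parse_sig_v2(xattr)
    algo = hdr["hash_algo"] if honor_header else global_default
    return algo, hashlib.new(algo, content).hexdigest()


# Constructed sample: a file signed over its SHA-256 digest. The 256 zero bytes
# stand in for an RSA signature; no signature check is done here.
SAMPLE_CONTENT = b"#!/bin/sh\necho hello\n"
SIGNED_DIGEST = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
SAMPLE_XATTR = HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0x1234ABCD, 256) + bytes(256)

if __name__ == "__main__":
    for honor in (True, False):
        algo, digest = digest_for_verification(SAMPLE_CONTENT, SAMPLE_XATTR, honor_header=honor)
        print(f"honor_header={honor}: {algo} match={digest == SIGNED_DIGEST}")
```

With the header honored, the recomputed digest matches what was signed; with the global sha1 default it cannot, whatever the signature says.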