From: Vivek G. <vg...@re...> - 2013-03-13 17:27:10

On Wed, Mar 13, 2013 at 11:34:28AM -0400, Vivek Goyal wrote:
> Hi Dmitry,
>
> I used evmctl to sign an executable. I used an x.509 cert. I generated
> cert and specified to use -sha256 algorithm.
>
> But I noticed that evmctl ignores x.509 values and by default calculates
> sha1 hash.
>
> I thought we should honor x.509 certificate and use the hashing algorithm
> as specified in the cert. What do you think?

Or maybe I have misunderstood it and x.509 does not impose the type of hash
algorithm that should be used for signing, and the user is free to use any
hash algorithm.

Thanks
Vivek

> If kernel IMA does not support sha256, then signature verification will
> fail, but I think that's a different issue altogether.
>
> In fact I am not sure that kernel command line ima_hash is relevant
> in user space signing because it hard codes that all files should
> be signed using single hash algorithm. But the fact is that user should
> be able to sign different files using different algorithms. You already
> are passing hash algorithm information in header in V2.
>
> I think there is a disconnect here. Despite the fact that we are passing
> hash algo information in header, in kernel, we are not using that info
> to calculate file hash. Instead we are using sha1 or md5 as specified
> by ima_hash kernel parameter.
>
> I thought a user should have the flexibility to sign the file using
> supported hash algorithms and then kernel should provide mechanism to
> verify file using those algorithms. And we should not impose that all
> ima signed files will have single hash algorithm.
>
> Thanks
> Vivek
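The disconnect Vivek describes (the v2 signature header already names a hash algorithm, but the verifier hashes with whatever `ima_hash` says) is easiest to see with a small parser. The following is an added example, not code from the thread, evmctl or the kernel. It assumes the v2 header layout from the kernel's `struct signature_v2_hdr` (type, version, hash_algo, big-endian keyid and sig_size, then the signature) and the `hash_algo` numbering from the kernel's hash_info.h; both are stated as assumptions in the code and should be checked against the tree you target. The sample file and signature blob are constructed placeholders, so only digest selection is demonstrated, not RSA verification.

```python
import hashlib
import struct

# Assumed byte layout of the IMA/EVM v2 signature header (struct signature_v2_hdr,
# packed, keyid and sig_size big-endian):
#   uint8  type        (3 = EVM_IMA_XATTR_DIGSIG)
#   uint8  version     (2)
#   uint8  hash_algo   (index into the kernel's hash_algo enum)
#   uint32 keyid
#   uint16 sig_size
#   uint8  sig[sig_size]
V2_HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 3

# Assumed mapping of hash_algo byte values to hashlib names, following the
# numbering in the kernel's hash_info.h; verify against your kernel tree.
HASH_ALGO_NAMES = {
    1: "md5",
    2: "sha1",
    4: "sha256",
    5: "sha384",
    6: "sha512",
    7: "sha224",
}


def parse_v2_signature(xattr):
    """Split a security.ima xattr value into header fields and the raw signature.

    Raises ValueError for anything that does not look like a v2 digital signature,
    so a caller never silently falls back to a default algorithm.
    """
    if len(xattr) < V2_HDR.size:
        raise ValueError("xattr too short for a v2 signature header")
    sig_type, version, hash_algo, keyid, sig_size = V2_HDR.unpack_from(xattr)
    if sig_type != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError("not a v2 EVM/IMA digital signature")
    sig = xattr[V2_HDR.size:]
    if len(sig) != sig_size:
        raise ValueError("sig_size does not match xattr length")
    return {"hash_algo": hash_algo, "keyid": keyid, "sig": sig}


def digest_for_signature(file_bytes, xattr):
    """Hash the file with the algorithm named in the signature header.

    This is the per-file choice the thread argues for: the header, not a single
    system-wide ima_hash setting, decides the digest. Unknown values are refused
    rather than mapped to a default.
    """
    hdr = parse_v2_signature(xattr)
    name = HASH_ALGO_NAMES.get(hdr["hash_algo"])
    if name is None:
        raise ValueError("unsupported hash_algo %d in signature header" % hdr["hash_algo"])
    return name, hashlib.new(name, file_bytes).hexdigest()


def build_v2_xattr(hash_algo, keyid, sig):
    """Prepend a v2 header to an opaque signature blob (used here only to
    fabricate a sample xattr; a real one comes from the signing tool)."""
    return V2_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, hash_algo, keyid, len(sig)) + sig


if __name__ == "__main__":
    # Constructed sample: a tiny "file" and a placeholder 32-byte signature blob.
    sample_file = b"#!/bin/sh\necho hello\n"
    sample_xattr = build_v2_xattr(4, 0x01020304, b"\x00" * 32)  # hash_algo 4 = sha256
    algo, digest = digest_for_signature(sample_file, sample_xattr)
    print("header says %s: %s" % (algo, digest))
    # A verifier that ignored the header and hashed with the sha1 default would
    # compute a value the signer never signed, so verification must fail.
    print("sha1 default: %s" % hashlib.sha1(sample_file).hexdigest())
```

Running the module prints the sha256 digest selected from the header beside the sha1 digest a header-blind verifier would compute, which makes the mismatch concrete; the rejection of unknown `hash_algo` values is the check a kernel-side implementation would also need.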