From: Kasatkin, D. <dmi...@in...> - 2013-03-13 19:33:10
On Wed, Mar 13, 2013 at 5:34 PM, Vivek Goyal <vg...@re...> wrote:
> Hi Dmitry,
>
> I used evmctl to sign an executable. I used an x.509 cert. I generated
> cert and specified to use -sha256 algorithm.
>
> But I noticed that evmctl ignores x.509 values and by default calculates
> sha1 hash.
>
> I thought we should honor x.509 certificate and use the hashing algorithm
> as specified in the cert. What do you think?
>
> If kernel IMA does not support sha256, then signature verification will
> fail, but I think that's a different issue altogether.
>
> In fact I am not sure that kernel command line ima_hash is relevant
> in user space signing because it hard codes that all files should
> be signed using single hash algorithm. But the fact is that user should
> be able to sign different files using different algorithms. You already
> are passing hash algorithm information in header in V2.
>
> I think there is a disconnect here. Despite the fact that we are passing
> hash algo information in header, in kernel, we are not using that info
> to calculate file hash. Instead we are using sha1 or md5 as specified
> by ima_hash kernel parameter.
>
> I thought a user should have the flexibility to sign the file using
> supported hash algorithms and then kernel should provide mechanism to
> verify file using those algorithms. And we should not impose that all
> ima signed files will have single hash algorithm.
>
> Thanks
> Vivek

Hello Vivek,

As Mimi responded we will support different hashes and work is going on.

Regarding evmctl, it supports different hash algorithms using '-a' or
'--hashalgo' command line parameter.
Latest patch to support asymmetric keys also honors those parameters.

Signing is obviously done using private keys and that does not have
any hash algo in it.
If certificate has a property for a hash algorithm it could be used
instead of default or from command line.

Please suggest a patch for ima-evm-utils

thanks.

- Dmitry
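
Added example, not part of the original message and not code from ima-evm-utils: a small parser that reads the hash algorithm declared in a V2 signature header, so files whose signature names a different algorithm than the one the kernel hashes with (the disconnect described in the quoted mail) can be spotted. The header layout, the xattr type byte and the algorithm ids are assumptions taken from the kernel's `signature_v2_hdr` definition, and the sample blobs are constructed with a dummy all-zero signature.

```python
import struct

# Assumed layout (not spelled out in the message): xattr type byte 0x03,
# then the v2 header: version, hash_algo, big-endian keyid and sig_size.
EVM_IMA_XATTR_DIGSIG = 0x03
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
HDR = struct.Struct(">BBBIH")  # type, version, hash_algo, keyid, sig_size


def parse_ima_sig(xattr: bytes) -> dict:
    """Parse a security.ima v2 signature blob and return its header fields."""
    if len(xattr) < HDR.size:
        raise ValueError("xattr shorter than signature v2 header")
    typ, version, algo, keyid, sig_size = HDR.unpack_from(xattr)
    if typ != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a digital signature xattr (type {typ:#04x})")
    if version != 2:
        raise ValueError(f"unsupported signature version {version}")
    if algo not in HASH_ALGOS:
        raise ValueError(f"unknown hash_algo id {algo}")
    if len(xattr) - HDR.size != sig_size:
        raise ValueError("sig_size does not match payload length")
    return {"hash_algo": HASH_ALGOS[algo], "keyid": f"{keyid:08x}",
            "sig_size": sig_size}


def algo_mismatch(xattr: bytes, kernel_algo: str):
    """Return the declared algorithm if it differs from kernel_algo, else None."""
    declared = parse_ima_sig(xattr)["hash_algo"]
    return declared if declared != kernel_algo else None


def make_sample(algo_id: int, keyid: int = 0x1A2B3C4D, sig_len: int = 256) -> bytes:
    """Build a constructed blob with a dummy (all-zero) signature payload."""
    return HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, algo_id, keyid, sig_len) + bytes(sig_len)


if __name__ == "__main__":
    # On a real system the blob would come from os.getxattr(path, "security.ima").
    for name, blob in (("sha1-signed", make_sample(2)), ("sha256-signed", make_sample(4))):
        print(name, parse_ima_sig(blob), "mismatch vs sha1:", algo_mismatch(blob, "sha1"))
```
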