From: Mimi Z. <zo...@li...> - 2013-05-31 03:01:01
On Thu, 2013-05-30 at 14:50 -0400, Vivek Goyal wrote:
> Hi Dmitry,
>
> I have more queries about evmctl. This time hash algorithm used for digital
> signing by evmctl. Will be great if you can help out.
>
> IIUC, following seems to be the case.
>
> - We always use SHA1 for v1 of digital signature. Even if one specifies
> -a option, we ignore that for v1?
>
> - hash algo info is put in digital signature header. Looks like we put
> this info differently for v1 and v2. For v1, we always seem to use
> DIGEST_ALGO_SHA1 that is value 0. For V2, we seem to map algo to
> enum pkey_hash_algo. That means even if we sign v2 header using sha1,
> value will be 2.
>
> IOW, sha1 is mapped to different values in v1 and v2. v2 seems to
> map to kernel defined hash algo enum while v1 does not. So if I decide
> to parse signatures in kernel and extract hash algorithm in kernel, I
> need to do it differently based on version of signature?

Hi Vivek,

we're working on an IMA patch set that supports larger hash digests. The ima-evm-utils package has already been updated to support these larger digests. Unfortunately, the change isn't isolated to just signature verification, but requires major changes to the measurement list architecture. One version of the changes is in the #next-multiple-templates-experimental branch.

thanks,

Mimi
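The version-dependent encoding Vivek describes, as an added example that is not code from the thread or from ima-evm-utils: a small parser that reads the version byte of a signature header and maps the hash-algorithm byte through the v1 rule (always DIGEST_ALGO_SHA1 = 0) or the v2 rule (kernel enum pkey_hash_algo, where sha1 = 2). The header layouts (v1: version, 4-byte timestamp, algo byte; v2: version, hash_algo byte, 4-byte keyid, 2-byte sig_size) and the full enum table are assumptions from my reading of ima-evm-utils and the kernel, and the sample blobs are constructed.

```python
import struct

# Assumed v1 layout (struct signature_hdr): version(1) timestamp(4) algo(1) ...
# Assumed v2 layout (struct signature_v2_hdr): version(1) hash_algo(1) keyid(4) sig_size(2) sig...

DIGEST_ALGO_SHA1 = 0  # v1 stores this value no matter what -a was given

# Assumed kernel enum pkey_hash_algo; the thread confirms sha1 -> 2 for v2 headers.
PKEY_HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                  4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def hash_algo_from_sig(blob: bytes):
    """Return (version, hash algorithm name) for a raw signature header."""
    if len(blob) < 2:
        raise ValueError("signature header too short")
    version = blob[0]
    if version == 1:
        if len(blob) < 6:
            raise ValueError("truncated v1 header")
        algo = blob[5]  # byte after the 4-byte timestamp
        if algo != DIGEST_ALGO_SHA1:
            raise ValueError("unexpected v1 digest algo %d" % algo)
        return 1, "sha1"
    if version == 2:
        algo = blob[1]  # indexes enum pkey_hash_algo, not the v1 table
        if algo not in PKEY_HASH_ALGO:
            raise ValueError("unknown v2 hash algo %d" % algo)
        return 2, PKEY_HASH_ALGO[algo]
    raise ValueError("unsupported signature version %d" % version)


# Constructed samples: same byte value 0 means sha1 in v1 but md4 in v2.
V1_SHA1 = bytes([1]) + struct.pack(">I", 0x51A7B3C0) + bytes([0, 0]) + b"\x00" * 8
V2_SHA1 = bytes([2, 2]) + struct.pack(">I", 0xDEADBEEF) + struct.pack(">H", 256)
V2_SHA256 = bytes([2, 4]) + struct.pack(">I", 0xDEADBEEF) + struct.pack(">H", 256)
V2_ZERO = bytes([2, 0]) + struct.pack(">I", 0xDEADBEEF) + struct.pack(">H", 256)

if __name__ == "__main__":
    for name, blob in [("v1", V1_SHA1), ("v2/2", V2_SHA1), ("v2/4", V2_SHA256), ("v2/0", V2_ZERO)]:
        print(name, hash_algo_from_sig(blob))
```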