Message ID | 20220701201325.396766-1-zohar@linux.ibm.com (mailing list archive)
---|---
State | New, archived
Series | ima: fix violation measurement list record
On Fri, Jul 01, 2022 at 04:13:25PM -0400, Mimi Zohar wrote: > Although the violation digest in the IMA measurement list is always > zeroes, the size of the digest should be based on the hash algorithm. > Until recently the hash algorithm was hard coded to sha1. Fix the > violation digest size included in the IMA measurement list. > > This is just a cosmetic which should not affect attestation. > > Reported-by: Stefan Berger <stefanb@linux.ibm.com> > Fixes: 09091c44cb73 ("ima: use IMA default hash algorithm for integrity violations") > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima_template_lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index c877f01a5471..67359845c975 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -326,7 +326,7 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, > * Make room for the digest by increasing the offset of > * IMA_DIGEST_SIZE. > */ > - offset += IMA_DIGEST_SIZE; > + offset += hash_digest_size[hash_algo]; Update the comment as well? > return ima_write_template_field_data(buffer, offset + digestsize, > fmt, field_data); > -- > 2.27.0 > J.
On Fri, 2022-07-01 at 23:41 +0100, Jonathan McDowell wrote: > On Fri, Jul 01, 2022 at 04:13:25PM -0400, Mimi Zohar wrote: > > Although the violation digest in the IMA measurement list is always > > zeroes, the size of the digest should be based on the hash algorithm. > > Until recently the hash algorithm was hard coded to sha1. Fix the > > violation digest size included in the IMA measurement list. > > > > This is just a cosmetic which should not affect attestation. > > > > Reported-by: Stefan Berger <stefanb@linux.ibm.com> > > Fixes: 09091c44cb73 ("ima: use IMA default hash algorithm for integrity violations") > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > > security/integrity/ima/ima_template_lib.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > > index c877f01a5471..67359845c975 100644 > > --- a/security/integrity/ima/ima_template_lib.c > > +++ b/security/integrity/ima/ima_template_lib.c > > @@ -326,7 +326,7 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, > > * Make room for the digest by increasing the offset of > > * IMA_DIGEST_SIZE. > > */ > > - offset += IMA_DIGEST_SIZE; > > + offset += hash_digest_size[hash_algo]; > > Update the comment as well? Yes, of course. Thank you for catching it! Mimi > > > return ima_write_template_field_data(buffer, offset + digestsize, > > fmt, field_data); > > -- > > 2.27.0 > > > > J. >
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index c877f01a5471..67359845c975 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -326,7 +326,7 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, * Make room for the digest by increasing the offset of * IMA_DIGEST_SIZE. */ - offset += IMA_DIGEST_SIZE; + offset += hash_digest_size[hash_algo]; return ima_write_template_field_data(buffer, offset + digestsize, fmt, field_data);
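Review bot: the block comment directly above the changed line still says the offset is increased by "IMA_DIGEST_SIZE", while the line now adds hash_digest_size[hash_algo]; update the comment to match the new code, for example "Make room for the digest by increasing the offset by the digest size of hash_algo", as Jonathan McDowell also asked in the thread. The hunk header shows only "digest" and "digestsize" among the parameters of ima_eventdigest_init_common(), so it is worth confirming against the full function that hash_algo is the parameter naming the algorithm the zero-filled violation digest is sized for, and that every caller passes a value that is a valid index into hash_digest_size[] before the table is indexed.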
Although the violation digest in the IMA measurement list is always zeroes, the size of the digest should be based on the hash algorithm. Until recently the hash algorithm was hard-coded to sha1. Fix the violation digest size included in the IMA measurement list.

This is just a cosmetic change, which should not affect attestation.

Reported-by: Stefan Berger <stefanb@linux.ibm.com>
Fixes: 09091c44cb73 ("ima: use IMA default hash algorithm for integrity violations")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_template_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
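The following is an added, constructed example, not code from the kernel or from this patch. It models the one thing the patch changes: a violation record carries a zero-filled digest, and the length of that zeroed region has to follow the configured hash algorithm rather than a hard-coded SHA1 length. The `enum hash_algo` values, the `build_digest_field()` / `digest_field_consistent()` helpers, the 80-byte buffers and the `"<algo>:<digest>"` layout are assumptions made for this example; `hash_digest_size[]` and `IMA_DIGEST_SIZE` are stand-ins for the kernel names of the same meaning. The consistency check is what a log consumer might do when it compares the algorithm named in the prefix with the number of digest bytes that follow; as the commit message says, the mismatch it reports for the pre-fix behaviour is cosmetic with respect to attestation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's hash algorithm table (assumption:
 * enum names are this example's own; the digest lengths are the standard
 * ones for each algorithm). */
enum hash_algo { HASH_SHA1 = 0, HASH_SHA256, HASH_SHA512, HASH_ALGO_MAX };

static const size_t hash_digest_size[HASH_ALGO_MAX] = { 20, 32, 64 };
static const char *const hash_algo_name[HASH_ALGO_MAX] = { "sha1", "sha256", "sha512" };

#define IMA_DIGEST_SIZE 20 /* the old hard-coded SHA1 digest length */

/*
 * Write a "<algo>:" prefix followed by the digest bytes into buf.
 * digest == NULL models an integrity violation: the digest bytes are
 * zero-filled. With fixed_sha1_size set, the zeroed region is always
 * IMA_DIGEST_SIZE bytes (pre-fix behaviour); otherwise it is sized by
 * the algorithm (post-fix behaviour).
 * Returns the field length, or -1 if buf is too small.
 */
static int build_digest_field(uint8_t *buf, size_t buflen, enum hash_algo algo,
                              const uint8_t *digest, int fixed_sha1_size)
{
    size_t offset;
    size_t dlen;
    int n;

    if (algo >= HASH_ALGO_MAX)
        return -1;
    n = snprintf((char *)buf, buflen, "%s:", hash_algo_name[algo]);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    offset = (size_t)n;

    if (digest) {
        dlen = hash_digest_size[algo];
        if (offset + dlen > buflen)
            return -1;
        memcpy(buf + offset, digest, dlen);
        return (int)(offset + dlen);
    }

    /* Violation: the digest is zeroes, only its length is in question. */
    dlen = fixed_sha1_size ? IMA_DIGEST_SIZE : hash_digest_size[algo];
    if (offset + dlen > buflen)
        return -1;
    memset(buf + offset, 0, dlen);
    return (int)(offset + dlen);
}

/*
 * Check that a field's length matches the digest size of the algorithm
 * named in its prefix. Returns 1 if consistent, 0 otherwise.
 */
static int digest_field_consistent(const uint8_t *buf, size_t len)
{
    const uint8_t *colon = memchr(buf, ':', len);
    size_t name_len;
    int i;

    if (!colon)
        return 0;
    name_len = (size_t)(colon - buf);
    for (i = 0; i < HASH_ALGO_MAX; i++) {
        if (strlen(hash_algo_name[i]) == name_len &&
            memcmp(buf, hash_algo_name[i], name_len) == 0)
            return len == name_len + 1 + hash_digest_size[i];
    }
    return 0; /* unknown algorithm name */
}

/* Build a violation field into a local buffer and report its length. */
static int violation_field_len(enum hash_algo algo, int fixed_sha1_size)
{
    uint8_t buf[80];
    return build_digest_field(buf, sizeof buf, algo, NULL, fixed_sha1_size);
}

/* Build a violation field and report whether its length matches its prefix. */
static int violation_field_consistent(enum hash_algo algo, int fixed_sha1_size)
{
    uint8_t buf[80];
    int len = build_digest_field(buf, sizeof buf, algo, NULL, fixed_sha1_size);
    return len > 0 && digest_field_consistent(buf, (size_t)len);
}

int main(void)
{
    printf("sha256 violation, fixed SHA1 size:  %d bytes, consistent=%d\n",
           violation_field_len(HASH_SHA256, 1), violation_field_consistent(HASH_SHA256, 1));
    printf("sha256 violation, per-algo size:    %d bytes, consistent=%d\n",
           violation_field_len(HASH_SHA256, 0), violation_field_consistent(HASH_SHA256, 0));
    printf("sha1 violation, either behaviour:   %d bytes, consistent=%d\n",
           violation_field_len(HASH_SHA1, 1), violation_field_consistent(HASH_SHA1, 0));
    return 0;
}
```

With sha1 the two behaviours are indistinguishable, which is why the hard-coded length went unnoticed until the default algorithm could be something else; with sha256 the pre-fix record carries 20 zero bytes after a prefix that names a 32-byte digest.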