| Message ID | 20210727163330.790010-2-simon.thoby@viveris.fr (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | IMA: restrict the accepted digest algorithms for | expand |
Hi Simon, On Tue, 2021-07-27 at 16:33 +0000, THOBY Simon wrote: <snip> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 287b90509006..d171764230b7 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -53,8 +53,10 @@ static int __init hash_setup(char *str) > if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { > if (strncmp(str, "sha1", 4) == 0) { > ima_hash_algo = HASH_ALGO_SHA1; > +#ifdef CONFIG_CRYPTO_MD5 As much as possible ifdef's should be avoided in C code. If necessary, using the IS_ENABLED macro is preferred. > } else if (strncmp(str, "md5", 3) == 0) { > ima_hash_algo = HASH_ALGO_MD5; > +#endif > } else { > pr_err("invalid hash algorithm \"%s\" for template \"%s\"", > str, IMA_TEMPLATE_IMA_NAME); thanks, Mimi
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index d0ceada99243..f3a9cc201c8c 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -6,7 +6,6 @@ config IMA select SECURITYFS select CRYPTO select CRYPTO_HMAC - select CRYPTO_MD5 select CRYPTO_SHA1 select CRYPTO_HASH_INFO select TCG_TPM if HAS_IOMEM && !UML diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 287b90509006..d171764230b7 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -53,8 +53,10 @@ static int __init hash_setup(char *str) if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { if (strncmp(str, "sha1", 4) == 0) { ima_hash_algo = HASH_ALGO_SHA1; +#ifdef CONFIG_CRYPTO_MD5 } else if (strncmp(str, "md5", 3) == 0) { ima_hash_algo = HASH_ALGO_MD5; +#endif } else { pr_err("invalid hash algorithm \"%s\" for template \"%s\"", str, IMA_TEMPLATE_IMA_NAME);
Remove the CRYPTO_MD5 dependency for IMA, as it is not necessary and it hinders the efficiency of a patchset that limit the digests allowed for the security.ima xattr. Signed-off-by: Simon Thoby <simon.thoby@viveris.fr> --- security/integrity/ima/Kconfig | 1 - security/integrity/ima/ima_main.c | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-)