| Message ID | 20210728132112.258606-2-simon.thoby@viveris.fr (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | IMA: restrict the accepted digest algorithms for the security.ima xattr | expand |
Hi Simon, On 7/28/2021 6:21 AM, THOBY Simon wrote: > Remove the CRYPTO_MD5 dependency for IMA, as it is not necessary > and it hinders the efficiency of a patchset that limit the digests > allowed for the security.ima xattr. In the patch description state the problem first and then describe how it is addressed in the patch. Maybe, something like the following: MD5 is a weak digest algorithm. It hinders the efficiency of a patch set that aims to limit the digests allowed for the extended file attribute namely security.ima. MD5 should not be used for any crypto operations in IMA. Remove the CRYPTO_MD5 dependency for IMA. > > Signed-off-by: Simon Thoby <simon.thoby@viveris.fr> > --- > security/integrity/ima/Kconfig | 1 - > security/integrity/ima/ima_main.c | 2 +- > 2 files changed, 1 insertion(+), 2 deletions(-) > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig > index d0ceada99243..f3a9cc201c8c 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig > @@ -6,7 +6,6 @@ config IMA > select SECURITYFS > select CRYPTO > select CRYPTO_HMAC > - select CRYPTO_MD5 > select CRYPTO_SHA1 > select CRYPTO_HASH_INFO > select TCG_TPM if HAS_IOMEM && !UML > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 287b90509006..7f2310f29789 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -53,7 +53,7 @@ static int __init hash_setup(char *str) > if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { > if (strncmp(str, "sha1", 4) == 0) { > ima_hash_algo = HASH_ALGO_SHA1; > - } else if (strncmp(str, "md5", 3) == 0) { > + } else if (IS_ENABLED(CONFIG_CRYPTO_MD5) && strncmp(str, "md5", 3) == 0) { > ima_hash_algo = HASH_ALGO_MD5; > } else { > pr_err("invalid hash algorithm \"%s\" for template \"%s\"", > Code change looks good. -lakshmi
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index d0ceada99243..f3a9cc201c8c 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -6,7 +6,6 @@ config IMA select SECURITYFS select CRYPTO select CRYPTO_HMAC - select CRYPTO_MD5 select CRYPTO_SHA1 select CRYPTO_HASH_INFO select TCG_TPM if HAS_IOMEM && !UML diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 287b90509006..7f2310f29789 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -53,7 +53,7 @@ static int __init hash_setup(char *str) if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { if (strncmp(str, "sha1", 4) == 0) { ima_hash_algo = HASH_ALGO_SHA1; - } else if (strncmp(str, "md5", 3) == 0) { + } else if (IS_ENABLED(CONFIG_CRYPTO_MD5) && strncmp(str, "md5", 3) == 0) { ima_hash_algo = HASH_ALGO_MD5; } else { pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
Remove the CRYPTO_MD5 dependency for IMA, as it is not necessary and it hinders the efficiency of a patchset that limit the digests allowed for the security.ima xattr. Signed-off-by: Simon Thoby <simon.thoby@viveris.fr> --- security/integrity/ima/Kconfig | 1 - security/integrity/ima/ima_main.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-)