Mimi Zohar <zo...@linux.ibm.com> writes: > On Tue, 2025-03-18 at 16:55 +0100, Nicolai Stange wrote: >> Mimi Zohar <zo...@linux.ibm.com> writes: >> > FYI, because the IMA Kconfig selects SHA1, we're guaranteed that SHA1 >> > exists in >> > the kernel and the subsequent kexec'ed kernel. For this reason we're >> > guaranteed >> > that the measurement list is complete. The simplest solution, not >> > necessarily >> > the best, would be to punt the problem for the time being by replacing the >> > "select" with a different hash algorithm. >> >> Yes, that would work as well. IIUC, it would mean that we would >> e.g. extend truncated SHA-256 template hashes into a SHA-1 bank, right? >> However, since no existing tool like 'ima_measurement' is expecting >> that, and would fail a verification then, I'm currently struggling to >> see the advantage over just doing a.) and invalidating the PCR banks >> with a fixed value right away? > > Replacing the "Kconfig select" has more to do with having at least one > guaranteed complete measurement list. I'm fine with extending a TPM bank with > an unknown kernel hash algorithm violation (either option a or b).
Ok, I think I got it now. FWIW, a v2 can be found at https://lore.kernel.org/r/20250323140911.226137-1-nsta...@suse.de , including a patch for selecting SHA256 now. Thanks a lot for all your feedback! Nicolai -- SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany GF: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
