On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
> Since recently, IMA would not record measurement list entries into PCR
> banks for which it doesn't have a corresponding in-kernel hash algorithm
> implementation available anymore (for
> CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND=n).

Not necessary info.

> 
> With TPM 2.0, the only hash algorithms guaranteed to be implemented on a
> TPM are SHA-256/384, cf. "TCG PC Client Platform TPM Profile
> Specification for TPM 2.0", sec. 4.6 "PCR Requirements".

Ok

> In particular, sha1 is not mandatory, and thus, the CRYPTO_SHA1 dependency
> of IMA is not sufficient anymore for ensuring that IMA would find at least
> one usable PCR bank.

Not necessary info.

> 
> So, in order to make sure that IMA has access to at least one usable bank
> on platforms featuring a TPM 2.0 device, make it depend on CRYPTO_SHA256.

-> Make sure that ...

> 
> Keep the dependency on CRYPTO_SHA1 for the TPM 1 case.

Wondering if the "select CRYPTO_SHA1" could be dependent on TPM 1.2 being
configured as builtin.

> 
> Signed-off-by: Nicolai Stange <nsta...@suse.de>
> ---
>  security/integrity/ima/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index c8f12a4a4edf..8a7e74dc1477 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -7,6 +7,7 @@ config IMA
>  	select CRYPTO
>  	select CRYPTO_HMAC
>  	select CRYPTO_SHA1
> +	select CRYPTO_SHA256
>  	select CRYPTO_HASH_INFO
>  	select SECURITY_PATH
>  	select TCG_TPM if HAS_IOMEM

It's not enough to "select CRYPTO_SHA256". As mentioned on "[RFC PATCH v2
02/13] ima: always create runtime_measurements sysfs file for ima_hash",
don't assume "ima_hash" will be SHA256. Include SHA256 as an "extra" hash
algorithm, even if it isn't an enabled TPM bank.

Mimi
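Review bot: the commit message says "make it depend on CRYPTO_SHA256", but the hunk adds `select CRYPTO_SHA256`, which forces the option on rather than requiring it, so the message and the Kconfig change should use the same term. The justification for the new select (TPM 2.0 only guarantees SHA-256/384 banks, so SHA-1 alone may leave IMA with no usable bank) lives only in the commit message; a one-line comment next to `select CRYPTO_SHA256` in Kconfig would keep that rationale with the code. The message also states that CRYPTO_SHA1 is kept for the TPM 1 case, yet neither select in the hunk is conditional on a TPM type, so a reader of the Kconfig alone cannot tell which algorithm serves which case.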
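As an added illustration of the failure mode the commit message describes (this is example code, not part of the patch or the kernel tree): a check that compares the PCR banks a TPM exposes with the hash algorithms the running kernel provides, and reports the banks IMA would have no in-kernel algorithm for. It assumes the per-bank `pcr-<algo>` subdirectories under `/sys/class/tpm/tpm0/` and the key/value block layout of `/proc/crypto`; the `/proc/crypto` excerpt and the fake TPM directory used when no real device is present are constructed here.

```python
"""Compare a TPM's active PCR banks with the kernel's hash algorithms.

Added example, not from the patch or the kernel. Assumptions:
  * a TPM device directory laid out like /sys/class/tpm/tpm0, with one
    pcr-<algo> subdirectory per active PCR bank;
  * the "key : value" block format of /proc/crypto, blocks separated by
    blank lines.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed /proc/crypto excerpt: sha256 and sha384 present, sha1 absent,
# i.e. a kernel built with CRYPTO_SHA256 but without CRYPTO_SHA1.
SAMPLE_PROC_CRYPTO = """\
name         : sha384
driver       : sha384-generic
module       : kernel
priority     : 100
type         : shash
digestsize   : 48

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
priority     : 100
type         : shash
digestsize   : 32

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
digestsize   : 32
"""


def kernel_hash_algos(proc_crypto_text):
    """Return the names of hash algorithms (type shash/ahash) listed in /proc/crypto text."""
    algos = set()
    for block in re.split(r"\n\s*\n", proc_crypto_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("type") in ("shash", "ahash") and "name" in fields:
            algos.add(fields["name"])
    return algos


def tpm_pcr_banks(tpm_dir):
    """Return bank names (sha1, sha256, ...) from pcr-<algo> directories under tpm_dir."""
    base = Path(tpm_dir)
    if not base.is_dir():
        return set()  # no TPM device exposed: nothing to extend into
    return {p.name[len("pcr-"):] for p in base.iterdir()
            if p.is_dir() and p.name.startswith("pcr-")}


def bank_report(tpm_dir, proc_crypto_text):
    """Split the TPM's banks into those the kernel can hash for and those it cannot."""
    banks = tpm_pcr_banks(tpm_dir)
    algos = kernel_hash_algos(proc_crypto_text)
    usable = sorted(b for b in banks if b in algos)
    unusable = sorted(b for b in banks if b not in algos)
    return usable, unusable


def build_fake_tpm_dir(banks):
    """Create a throwaway directory shaped like /sys/class/tpm/tpm0 (constructed test data)."""
    root = tempfile.mkdtemp(prefix="fake-tpm-")
    for bank in banks:
        os.makedirs(os.path.join(root, "pcr-" + bank))
    return root


if __name__ == "__main__":
    # Use the real device and /proc/crypto when present, else the constructed data.
    tpm = "/sys/class/tpm/tpm0"
    if os.path.isfile("/proc/crypto") and os.path.isdir(tpm):
        with open("/proc/crypto") as f:
            crypto = f.read()
    else:
        tpm, crypto = build_fake_tpm_dir(["sha1", "sha256"]), SAMPLE_PROC_CRYPTO
    usable, unusable = bank_report(tpm, crypto)
    print("banks with an in-kernel hash (IMA can record into them):", usable)
    print("banks without an in-kernel hash (IMA would not record into them):", unusable)
    if not usable:
        print("WARNING: no usable bank; IMA measurements would reach no PCR")
```

Run on a TPM 2.0 platform whose kernel lacks CRYPTO_SHA1, a SHA-1-only bank set shows up as entirely unusable, which is the situation the added `select CRYPTO_SHA256` is meant to prevent; with the constructed data the sha256 bank is usable and sha1 is not.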