On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
> Normally IMA would extend a template hash of each bank's associated
> algorithm into a PCR. However, if a bank's hash algorithm is
> unavailable to the kernel at IMA init time, it would fall back to
> extending padded SHA1 hashes instead.
>
Mimi Zohar writes:
> On Wed, 2025-03-26 at 10:01 +0100, Nicolai Stange wrote:
>> Mimi Zohar writes:
>>
>> > > diff --git a/security/integrity/ima/ima_crypto.c
>> > > b/security/integrity/ima/ima_crypto.c
>> > > index 6f5696d999d0..a43080fb8edc 100644
>> > > --- a/security/integrity/ima/ima_cry
On Wed, 2025-03-26 at 10:01 +0100, Nicolai Stange wrote:
> Mimi Zohar writes:
>
> > > diff --git a/security/integrity/ima/ima_crypto.c
> > > b/security/integrity/ima/ima_crypto.c
> > > index 6f5696d999d0..a43080fb8edc 100644
> > > --- a/security/integrity/ima/ima_crypto.c
> > > +++ b/security/in
Mimi Zohar writes:
>> diff --git a/security/integrity/ima/ima_crypto.c
>> b/security/integrity/ima/ima_crypto.c
>> index 6f5696d999d0..a43080fb8edc 100644
>> --- a/security/integrity/ima/ima_crypto.c
>> +++ b/security/integrity/ima/ima_crypto.c
>> @@ -625,26 +625,43 @@ int ima_calc_field_array_h
James Bottomley writes:
> On Mon, 2025-03-24 at 21:03 -0400, Mimi Zohar wrote:
>> On Sun, 2025-03-23 at 17:18 -0400, James Bottomley wrote:
> [...]
>> > Instead of any of that, why not do what the TCG tells us to do for
>> > unsupported banks and simply cap them with 0x record
>> > EV_SEP
On Mon, 2025-03-24 at 21:03 -0400, Mimi Zohar wrote:
> On Sun, 2025-03-23 at 17:18 -0400, James Bottomley wrote:
[...]
> > Instead of any of that, why not do what the TCG tells us to do for
> > unsupported banks and simply cap them with 0x record
> > EV_SEPARATOR and stop extending to them?
On Sun, 2025-03-23 at 17:18 -0400, James Bottomley wrote:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
> > Normally IMA would extend a template hash of each bank's associated
> > algorithm into a PCR. However, if a bank's hash algorithm is
> > unavailable to the kernel at IMA init tim
> diff --git a/security/integrity/ima/ima_crypto.c
> b/security/integrity/ima/ima_crypto.c
> index 6f5696d999d0..a43080fb8edc 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -625,26 +625,43 @@ int ima_calc_field_array_hash(struct ima_field_data