When a "version 1" IMA allowlist (plain) is used, it is not possible for the tenant to specify a hash algorithm (other than sha1) #849
Comments
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue, Jan 25, 2022:
A new parameter, `ima_hash_alg`, is introduced under the `[tenant]` section in `keylime.conf`. This parameter can be overridden by the command-line option `--allowlist_hash_alg` in `keylime_tenant`. In addition to that, fixed the WARNING message on the `agent`, which will alert a user about attempts to use SHA256 as the hash algorithm in kernels older than 5.10.X
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue, Jan 26, 2022:
A new parameter, `ima_hash_alg`, is introduced under the `[tenant]` section in `keylime.conf`. This parameter can be overridden by the CLI option `--allowlist_hash_alg` on `keylime_tenant`. All this is, of course, only applicable to "version 1" IMA allowlists. In addition to that we fix the WARNING message on the agent. If the IMA hash algorithm is other than SHA1, and the kernel is older than 5.10, communicate that there is a potential problem.
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue, Jan 26, 2022:
A new parameter, `ima_hash_alg`, is introduced under the `[tenant]` section in `keylime.conf`. This parameter can be overridden by the CLI option `--allowlist_hash_alg` on `keylime_tenant`. All this is, of course, only applicable to "version 1" IMA allowlists. In addition to that we fix the WARNING message on the agent. If the IMA hash algorithm is other than SHA1, and the kernel is older than 5.10, communicate that there is a potential problem. Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue, Jan 26, 2022:
A new parameter, `ima_hash_alg`, is introduced under the `[tenant]` section in `keylime.conf`. This parameter can be overridden by the CLI option `--allowlist_hash_alg` on `keylime_tenant`. All this is, of course, only applicable to "version 1" IMA allowlists. In addition to that we fix the WARNING message on the agent. If the IMA hash algorithm is other than SHA1, and the kernel is older than 5.10, communicate that there is a potential problem. Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
On newer Linux kernels (> 5.10) it is possible to specify, via the kernel command line, the IMA hash algorithm to be used (via the `ima_hash=` option). However, when a "version 1" IMA allowlist (versions are loosely defined in the function `update_allowlist` in `ima.py`) is supplied by the `tenant`, there is no way to communicate which hash algorithm was used in its generation, defaulting internally to `sha1`. I do not believe we can simply deprecate "version 1" allowlists at this point, and thus we need a way to specify the IMA hash algorithm used on a per-agent basis.
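The following is an added illustration of the problem described in this issue and of the shape of the fix in the referenced commits; it is not keylime's own code. It assumes a plain "version 1" allowlist is `<hex digest>  <path>` per line, models the `--allowlist_hash_alg` CLI option overriding the `[tenant]` `ima_hash_alg` config value, and reproduces the agent's "non-sha1 on a kernel older than 5.10" warning condition; the sample allowlist entries are constructed.

```python
import hashlib
import re

# Hex digest lengths for the algorithms IMA can be booted with (ima_hash=).
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}

def make_allowlist(alg, entries):
    """Constructed 'version 1' allowlist: one '<hex digest>  <path>' line per (path, content)."""
    return "\n".join(f"{hashlib.new(alg, data).hexdigest()}  {path}" for path, data in entries)

def select_hash_alg(config_value=None, cli_value=None):
    """--allowlist_hash_alg (CLI) overrides [tenant] ima_hash_alg; neither set means sha1."""
    alg = (cli_value or config_value or "sha1").lower()
    if alg not in DIGEST_HEX_LEN:
        raise ValueError(f"unsupported IMA hash algorithm: {alg}")
    return alg

def parse_allowlist_v1(text, alg):
    """Parse plain allowlist lines into {path: digest}, rejecting any digest whose
    length does not match `alg`, so a sha256 list cannot be silently read as sha1."""
    expected = DIGEST_HEX_LEN[alg]
    allow = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        m = re.match(r"^([0-9a-fA-F]+)\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"line {lineno}: not a '<digest>  <path>' entry")
        digest, path = m.group(1).lower(), m.group(2)
        if len(digest) != expected:
            raise ValueError(f"line {lineno}: {len(digest)}-char digest is not {alg}")
        allow[path] = digest
    return allow

def allowlist_consistent(text, alg):
    """True when every entry in `text` is a well-formed `alg` digest."""
    try:
        parse_allowlist_v1(text, alg)
        return True
    except ValueError:
        return False

def needs_kernel_warning(alg, kernel_release):
    """The agent WARNING from the issue: non-sha1 allowlist on a kernel older than 5.10."""
    m = re.match(r"^(\d+)\.(\d+)", kernel_release)
    if not m:
        raise ValueError(f"unparseable kernel release: {kernel_release}")
    return alg != "sha1" and (int(m.group(1)), int(m.group(2))) < (5, 10)
```

The length check is what turns the silent sha1 default into a hard error: a sha256 allowlist fed to a sha1 verifier fails at parse time rather than failing every measurement at attestation time.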