
When a "version 1" IMA allowlist (plain) is used, it is not possible for the tenant to specify a hash algorithm (other than sha1) #849

Closed
maugustosilva opened this issue Jan 25, 2022 · 0 comments

Comments

@maugustosilva
Contributor

On newer Linux kernels (> 5.10) it is possible to specify, via kernel command line, the IMA hash algorithm to be used (via ima_hash= option).

However, when a "version 1" IMA allowlist (versions are loosely defined in the function update_allowlist on ima.py) is supplied by the tenant, there is no way to communicate which hash algorithm was used in its generation, defaulting internally to sha1.

I do not believe we can simply deprecate "version 1" allowlists at this point, and thus we need a way to specify the IMA hash algorithm used on a per-agent basis.
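As an added example (not Keylime's own code), the helpers below show why a plain "version 1" allowlist needs an externally supplied hash algorithm: the file is just `<hexdigest>  <path>` lines with no record of which algorithm produced the digests. The loader takes the algorithm as a parameter, rejects digests whose hex length does not fit it (the only hint a plain list gives that the wrong algorithm was assumed, e.g. a sha256 list loaded under the sha1 default), and the checker compares constructed ima-ng measurement entries against the loaded list. The sample allowlist, the measurement-log lines, the zeroed template hashes and the function names are all constructed for this example.

```python
"""Plain ("version 1") IMA allowlist handling with an explicit hash algorithm.

Added example, not Keylime's own code. All sample data below is constructed.
"""
import hashlib

# Hex-digest lengths of the algorithms the kernel's ima_hash= option accepts.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}


def parse_plain_allowlist(text, hash_alg):
    """Parse a plain allowlist into {path: {digest, ...}} for hash_alg.

    Raises ValueError on a digest whose length does not match hash_alg,
    which is the only clue a plain list gives that the wrong algorithm
    was assumed (e.g. a sha256 list loaded as the sha1 default).
    """
    if hash_alg not in DIGEST_HEX_LEN:
        raise ValueError("unsupported IMA hash algorithm: %s" % hash_alg)
    expected_len = DIGEST_HEX_LEN[hash_alg]
    allowlist = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" ")
        digest, path = digest.lower(), path.strip()
        if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: digest %r is not a %s digest (%d hex chars expected)"
                             % (lineno, digest, hash_alg, expected_len))
        if not path:
            raise ValueError("line %d: missing path" % lineno)
        allowlist.setdefault(path, set()).add(digest)
    return allowlist


def parse_ima_ng_entry(line):
    """Split an ima-ng measurement-log line into (alg, digest, path).

    Format: "<pcr> <template-hash> ima-ng <alg>:<digest> <path>".
    """
    fields = line.split(None, 4)
    if len(fields) != 5 or fields[2] != "ima-ng":
        raise ValueError("not an ima-ng entry: %r" % line)
    alg, sep, digest = fields[3].partition(":")
    if not sep:
        raise ValueError("ima-ng digest field lacks 'alg:' prefix: %r" % fields[3])
    return alg, digest.lower(), fields[4]


def check_measurements(log_lines, allowlist, hash_alg):
    """Return a list of (path, reason) failures for the given log lines.

    An entry fails if its algorithm differs from the one the allowlist was
    loaded with (the digests could never compare equal), if the path is not
    allowlisted, or if the digest is not among the allowed ones.
    """
    failures = []
    for line in log_lines:
        alg, digest, path = parse_ima_ng_entry(line)
        if alg != hash_alg:
            failures.append((path, "algorithm mismatch: log uses %s, allowlist is %s" % (alg, hash_alg)))
        elif path not in allowlist:
            failures.append((path, "path not in allowlist"))
        elif digest not in allowlist[path]:
            failures.append((path, "digest not in allowlist"))
    return failures


def digest_hex(data, hash_alg):
    """Hex digest of data under hash_alg; used only to build the sample inputs."""
    return hashlib.new(hash_alg, data).hexdigest()


# Constructed sample data: two "files" whose digests were produced with sha256.
_INIT = b"#!/bin/sh\necho hello\n"
_LIB = b"\x7fELF constructed sample, not a real library"
_ZERO_TEMPLATE_HASH = "0" * 40  # placeholder template hash, not a real one
SAMPLE_ALLOWLIST_SHA256 = "\n".join([
    "# plain allowlist, digests produced with sha256",
    "%s  /sbin/init" % digest_hex(_INIT, "sha256"),
    "%s  /usr/lib/libc.so.6" % digest_hex(_LIB, "sha256"),
])
SAMPLE_LOG = [
    "10 %s ima-ng sha256:%s /sbin/init" % (_ZERO_TEMPLATE_HASH, digest_hex(_INIT, "sha256")),
    # second entry carries the digest of modified content, so it must fail
    "10 %s ima-ng sha256:%s /usr/lib/libc.so.6" % (_ZERO_TEMPLATE_HASH, digest_hex(b"tampered", "sha256")),
]


def demo(hash_alg):
    """Load the sample list under hash_alg and verify the sample log against it."""
    allowlist = parse_plain_allowlist(SAMPLE_ALLOWLIST_SHA256, hash_alg)
    return check_measurements(SAMPLE_LOG, allowlist, hash_alg)


if __name__ == "__main__":
    print(demo("sha256"))      # one failure: the modified libc digest
    try:
        demo("sha1")           # the old implicit default: rejected when loading
    except ValueError as err:
        print("sha1 default rejected:", err)
```

Running the block with the correct algorithm reports only the genuinely modified file; loading the same list under the sha1 default fails at parse time rather than silently failing every measurement, which is the behaviour a per-agent `ima_hash_alg` setting makes reachable.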

maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue Jan 25, 2022
A new parameter, `ima_hash_alg` is introduced under `[tenant]` section
on keylime.conf. This parameter can be overridden by the command-line
option `--allowlist_hash_alg` in `keylime_tenant`.

In addition to that, fixed the WARNING message on the `agent`, which
will alert a user about attempts to use SHA256 as the hash algorithm in
kernels older than 5.10.X
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue Jan 26, 2022
A new parameter, `ima_hash_alg` is introduced under the `[tenant]`
section in `keylime.conf`. This parameter can be overridden by the CLI
option `--allowlist_hash_alg` on `keylime_tenant`. All this is, of
course, only applicable to "version 1" IMA allowlists.

In addition to that we fix the WARNING message on the agent. If the IMA
hash algorithm is other than SHA1, and the kernel is older than 5.10,
communicate that there is a potential problem.
maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue Jan 26, 2022
A new parameter, `ima_hash_alg` is introduced under the `[tenant]`
section in `keylime.conf`. This parameter can be overridden by the CLI
option `--allowlist_hash_alg` on `keylime_tenant`. All this is, of
course, only applicable to "version 1" IMA allowlists.

In addition to that we fix the WARNING message on the agent. If the IMA
hash algorithm is other than SHA1, and the kernel is older than 5.10,
communicate that there is a potential problem.

Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>