Remove the SHA1 requirement for IMA #803
Conversation
Changing this would make Keylime with SHA256 as default TPM hash algorithm only work on kernel versions starting with 5.10. If avoidable I would skip writing a workaround to support the older kernel versions.
I think this PR is now ready for testing, but there are still some questions that need to be discussed.
Yes. The latest releases of RHEL all use kernels older than 5.10 (RHEL 8 uses 4.18). It's not packaged for RHEL 8 and I believe RHEL 9 will use 5.11, but we still want it to be possible to monitor systems running RHEL 8.
If someone tries to use an unsupported hash algo, what happens now? As long as there's a good error message in the log (agent at least, but also verifier if possible) that would be ok.
I'm fine with that as long as the error messages are clear.
What special handling are you thinking about?
I don't think we need an API version increment for this change. It added something to the allowlist format, but I'm not sure that's enough to qualify for a new API version. I could be convinced otherwise though if people felt strongly about it.
I wanted to test this and had to set up a new environment with Fedora 34 on the agent side and Fedora 35 on the server side. But now I cannot even get beyond the error message: keylime.tenant.UserError: TPM Quote from cloud agent is invalid for nonce: bpom...
IMA verification will fail. I'll add a better error message if another hash algorithm than SHA1 is used on kernel versions <5.10.
Downgrading to SHA1 if it is allowed and we get only a SHA1 hash for PCR 10.
I agree.
Signed-off-by: Thore Sommer <mail@thson.de>
I just ran a quick test with this PR, and it is breaking for me. Using an allowlist in the old format, I see the following error. Will investigate further, but please hold the merge for now. Here is an example of my allowlist, (all
@maugustosilva If you only provide SHA1 hashes did you change your
I was looking through the code. You're right, of course. Will let you know as soon as I finish the test.
Now I see the error in the measured boot log
and on the
for reference, the command line used to add the
Evidently, removing
@maugustosilva thanks for the report. The
@maugustosilva on which kernel version are you? If you try to use sha256 with a kernel version lower than 5.10 you should get a warning that IMA might not work correctly. @mpeters should we change the default
Kernel 5.4 (Ubuntu Focal)
Right, we need to ensure it is not gonna be broken for users out of the box. Focal, for instance, is LTS.
@THS-on It now works properly with your latest commits, thanks.
The hash algorithm used for PCR 10 and the one used for validating the IMA log can now be specified separately. Since version 5.10 the kernel also extends PCR 10 for all other available hash algorithms by rehashing that data. Before 5.10 the SHA1 was just padded. Keylime supports only SHA1 for those older versions. Signed-off-by: Thore Sommer <mail@thson.de>
This option controls which hash algorithm is used for comparing the hash given in an IMA log entry. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
This is the case because kernels <5.10 did not extend PCRs by rehashing the data with the fitting algorithm, instead the SHA1 value was padded with 0s to fit. We do not support validation for that. Signed-off-by: Thore Sommer <mail@thson.de>
The original code assumed that the agent always uses SHA256 as tpm_hash_alg when used in combination with the measured boot feature. The hash algorithm is now configurable. Signed-off-by: Thore Sommer <mail@thson.de>
This ensures that Keylime works out of the box on older kernel versions. Signed-off-by: Thore Sommer <mail@thson.de>
I've now changed the default
Yeah, I think we can go with
IMA now works with all hash algorithms: keylime/keylime#803 Signed-off-by: Thore Sommer <mail@thson.de>
IMA now works with all hash algorithms: keylime/keylime#803 Signed-off-by: Thore Sommer <mail@thson.de>
Modern kernel versions (>= 5.10) hash the IMA entries with all available PCR bank algorithms, but the entry in the IMA log is still the SHA1 entry in most distributions.
This PR removes the special handling for PCR10 and IMA and just uses the default hash algorithm of the agent.
This also fixes an issue that the hash algorithm for the data PCR might not match between agent and verifier and introduces a new IMA emulator adapter that supports multiple hash algorithms.
Fixes #30, fixes #801
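The PR description and the commit messages above rest on one detail: for a non-SHA1 PCR bank, a kernel older than 5.10 extends PCR 10 with the SHA1 template digest padded with zeros, while 5.10 and later rehash the template data with the bank's own algorithm. The following Python model is an added example, not Keylime's code or anything from this PR; it replays an IMA log into a PCR 10 value under both behaviours and shows why a verifier can only match a SHA256 bank on an old kernel if it knows about the padding, and why SHA1 is unaffected. The template-data byte strings are constructed, the real ima-ng field layout is not modelled, and `ima_alg_supported` is a hypothetical helper that mirrors the "sha256 below 5.10" warning discussed in the thread.

```python
import hashlib

# Constructed sample: raw template-data bytes for three IMA log entries.
# Real ima-ng template data has a specific length-prefixed field layout;
# only the digest and PCR-extend arithmetic matters for this model.
SAMPLE_TEMPLATE_DATA = [
    b"ima-ng:boot_aggregate:<constructed digest 1>",
    b"ima-ng:/usr/bin/ls:<constructed digest 2>",
    b"ima-ng:/usr/lib64/libc.so.6:<constructed digest 3>",
]


def template_digest(template_data: bytes, alg: str) -> bytes:
    """Digest of one entry's template data with the given algorithm.
    With alg="sha1" this is the template-hash column of the ASCII log."""
    return hashlib.new(alg, template_data).digest()


def pcr_extend(pcr: bytes, value: bytes, bank_alg: str) -> bytes:
    """TPM PCR extend for one bank: new = H(old || value)."""
    return hashlib.new(bank_alg, pcr + value).digest()


def extend_value_padded(template_data: bytes, bank_alg: str) -> bytes:
    """Kernel < 5.10: the SHA1 digest, zero-padded to the bank's digest size."""
    size = hashlib.new(bank_alg).digest_size
    return template_digest(template_data, "sha1").ljust(size, b"\x00")


def extend_value_rehash(template_data: bytes, bank_alg: str) -> bytes:
    """Kernel >= 5.10: the template data rehashed with the bank's algorithm."""
    return template_digest(template_data, bank_alg)


def replay_pcr10(entries, bank_alg: str, kernel_mode: str) -> bytes:
    """Replay the log into PCR 10 for one bank, starting from all zeros.
    kernel_mode is "padded" (pre-5.10) or "rehash" (5.10 and later)."""
    if kernel_mode == "padded":
        extend_value = extend_value_padded
    elif kernel_mode == "rehash":
        extend_value = extend_value_rehash
    else:
        raise ValueError(f"unknown kernel mode {kernel_mode!r}")
    pcr = bytes(hashlib.new(bank_alg).digest_size)
    for data in entries:
        pcr = pcr_extend(pcr, extend_value(data, bank_alg), bank_alg)
    return pcr


def classify_kernel_mode(entries, bank_alg: str, observed_pcr10: bytes):
    """Return which kernel behaviour reproduces the quoted PCR 10 value,
    or None if neither does (log and quote disagree)."""
    for mode in ("rehash", "padded"):
        if replay_pcr10(entries, bank_alg, mode) == observed_pcr10:
            return mode
    return None


def ima_alg_supported(kernel_version, ima_alg: str) -> bool:
    """Hypothetical guard mirroring the thread: only SHA1 can be validated
    against a kernel older than 5.10, because other banks were only padded."""
    return ima_alg.lower() == "sha1" or tuple(kernel_version) >= (5, 10)


if __name__ == "__main__":
    for bank in ("sha1", "sha256"):
        padded = replay_pcr10(SAMPLE_TEMPLATE_DATA, bank, "padded").hex()
        rehash = replay_pcr10(SAMPLE_TEMPLATE_DATA, bank, "rehash").hex()
        print(f"{bank:7} padded={padded}")
        print(f"{bank:7} rehash={rehash}  same={padded == rehash}")
```

For the SHA1 bank both replays agree, because padding a 20-byte SHA1 digest to 20 bytes changes nothing and rehashing with SHA1 yields the same digest; that is the reason the thread settles on SHA1 as the only IMA algorithm validated on kernels below 5.10. For the SHA256 bank the two replays differ, so a verifier that assumes the rehash behaviour while quoting an old kernel will report an IMA mismatch rather than a real integrity failure.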