keylime · mpeters · Jan 26, 2022 · Jan 26, 2022 · Jan 26, 2022 · Jan 26, 2022
diff --git a/keylime/ima.py b/keylime/ima.py
@@ -373,6 +373,13 @@ def process_allowlists(allowlist, exclude):
 
     return{'allowlist': allowlist, 'exclude': exclude}
 
+# IMA allowlists of versions older than 5 will not have the "log_hash_alg"
+# parameter. Hard-coding it to "sha1" is perfectly fine, and the fact one
+# specifies a different algorithm on the kernel command line (e.g., ima_hash=sha256)
+# does not affect normal operation of Keylime, since it does not validate the
+# hash algorithm received from agent's IMA runtime measurements.
+# The only situation where this hard-coding would become a problem is if and when
+# the kernel maintainers decide to use a different algorithm for template-hash.
 empty_allowlist = {
     "meta": {
         "version": ALLOWLIST_CURRENT_VERSION,

diff --git a/keylime/ima_ast.py b/keylime/ima_ast.py
@@ -367,8 +367,8 @@ def invalid(self):
             return failure
         if self.ima_template_hash != self._ima_hash_alg.hash(self._bytes):
             failure.add_event("ima_hash",
-                              {"message": "IMA hash does not match the calculated hash.",
-                               "expected": self.ima_template_hash, "got": self.mode.bytes()}, True)
+                              {"message": "IMA template hash does not match the calculated hash.",
+                               "expected": str(self.ima_template_hash), "got": str(self.mode.bytes())}, True)
             return failure
         if self._validator is None:
             failure.add_event("no_validator", "No validator specified", True)

diff --git a/keylime/keylime_agent.py b/keylime/keylime_agent.py
@@ -609,9 +609,10 @@ def main():
     # Warn if kernel version is <5.10 and another algorithm than SHA1 is used,
     # because otherwise IMA will not work
     kernel_version = tuple(platform.release().split("-")[0].split("."))
-    if kernel_version < ("5", "10", "0") and instance_tpm.defaults["hash"] != algorithms.Hash.SHA1:
-        logger.warning("IMA attestation only works on kernel versions <5.10 with SHA1 as tpm_hash_alg. "
-                       "Current algorithm is: %s", instance_tpm.defaults["hash"])
+    if tuple(map(int,kernel_version)) < (5, 10, 0) and instance_tpm.defaults["hash"] != algorithms.Hash.SHA1:
+        logger.warning("IMA attestation only works on kernel versions <5.10 with SHA1 as hash algorithm. "
+                       "Even if ascii_runtime_measurements shows \"%s\" as the "
+                       "algorithm, it might be just padding zeros", (instance_tpm.defaults["hash"]))
 
     if ekcert is None:
         if virtual_agent: