On Wed, 2026-02-25 at 15:36 -0500, Mimi Zohar wrote:
> On Mon, 2026-02-23 at 14:56 +0000, Dmitry Safonov via B4 Relay wrote:
> > From: Dmitry Safonov <[email protected]>
> > 
> > ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
> > HASH_ALGO__LAST if the TPM algorithm is not supported. However, there
> > are places relying on the algorithm to be valid because it is accessed
> > by hash_algo_name[].
> 
> If the TPM algorithm is not supported by whom? The kernel? HASH_ALGO__LAST is
> defined in linux/hash_info.h. If the crypto algorithm is not supported by the
> kernel, then the kernel won't be able to calculate the hash to extend the TPM.

Yes, by the kernel. True, that is why we do a padded SHA1.

> > @@ -404,16 +398,24 @@ static int __init 
> > create_securityfs_measurement_lists(void)
> >             char file_name[NAME_MAX + 1];
> >             struct dentry *dentry;
> >  
> > -           sprintf(file_name, "ascii_runtime_measurements_%s",
> > -                   hash_algo_name[algo]);
> > +           if (algo == HASH_ALGO__LAST)
> > +                   sprintf(file_name, 
> > "ascii_runtime_measurements_tpm_alg_%x",
> > +                           ima_tpm_chip->allocated_banks[i].alg_id);
> > +           else
> > +                   sprintf(file_name, "ascii_runtime_measurements_%s",
> > +                           hash_algo_name[algo]);
> >             dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> >                                             ima_dir, (void *)(uintptr_t)i,
> >                                             &ima_ascii_measurements_ops);
> >             if (IS_ERR(dentry))
> >                     return PTR_ERR(dentry);
> >  
> > -           sprintf(file_name, "binary_runtime_measurements_%s",
> > -                   hash_algo_name[algo]);
> > +           if (algo == HASH_ALGO__LAST)
> > +                   sprintf(file_name, 
> > "binary_runtime_measurements_tpm_alg_%x",
> > +                           ima_tpm_chip->allocated_banks[i].alg_id);
> 
> There's no point in creating either of the securityfs files if the kernel
> doesn't support the hash algorithm.

It is not useful per se, but since it is information that is produced
and maintained by IMA, we can print it. Second, it will expose the fact
that there is an unsupported algorithm (in the case of SHA3-256, the fix
is to add it to the TPM-to-crypto-subsystem mapping in tpm2-cmd.c).

Roberto

> Mimi
> 
> 
> > +           else
> > +                   sprintf(file_name, "binary_runtime_measurements_%s",
> > +                           hash_algo_name[algo]);
> >             dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> >                                             ima_dir, (void *)(uintptr_t)i,
> >                                             &ima_measurements_ops);
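Review bot: the two new sprintf(file_name, "..._tpm_alg_%x", ima_tpm_chip->allocated_banks[i].alg_id) calls use a bare %x, so any TPM algorithm id below 0x10 yields a single hex digit in the securityfs name; consider %04x so the suffix carries the conventional four-digit TPM algorithm identifier and the files sort predictably. The if (algo == HASH_ALGO__LAST) ... else ... name construction is duplicated verbatim for the ascii and the binary file, and a small helper that fills file_name from a prefix would keep the two cases from drifting apart. Since these are user-visible securityfs file names, the commit message should also spell out the "_tpm_alg_<id>" naming so attestation tooling can recognise a bank the kernel cannot hash rather than treating the file as absent.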
> 
> 