tech-security archive


Re: Proposal: Remove MD5 / SHA1 support from veriexec



On Tue, Aug 22, 2017 at 07:47:17AM +0200, Martin Husemann wrote:
> 
> Removing support to generate these hash types in veriexecgen sounds fine.
> 
> Isn't that enough?
> 

Yes.

We could also just comment out the md5/sha1 support by default in the
kernels too, which will stop that hash being used by veriexec.  That is
the only thing that will happen - veriexec relies on the hash routines
already in the kernel, it does not have its own implementation.

> If I want to test boot a new kernel on an old installation, I should
> not be forced to regen all hashes (but maybe I misunderstood how it works).
> 

You don't have to up the strict level on veriexec; that way it won't
block execs. But, yes, it would not be good if you cannot boot a new
kernel.

-- 
Brett Lymn


