Re: Proposal: Remove MD5 / SHA1 support from veriexec

[Sevan Janiyan <venture37%geeklan.co.uk@localhost>]

On 08/28/17 14:46, Sevan Janiyan wrote:
> Apologies for not replying to your earlier email, no objection in 
> accommodating your requests on how this change should be. Let me
> test out what happens on system with an MD5 based signature file when
> you replace it with a kernel that lacks MD5 support and report back.
> Just for the record, the default hash function used has always been
> SHA256 and there haven't been any new ones added since.
Ok, so tested it.
With the the first patch, removing the hashes from veriexecgen results in
veriexecgen: No such hash algorithm (md5) for example when I try to use
the MD5 algorithm.

Removing the kernel support for MD5 results in veriexecctl reporting
Cannot load '/etc/signatures' when running a signature file with MD5 hashes.
The kernel reports 'Invalid or unknown fingerprint type 'MD5' for file'
for each entry in the signature file with MD5 hash.

System operates fine otherwise.


Sevan