Re: Proposal: Remove MD5 / SHA1 support from veriexec

[Brett Lymn <brett.lymn%baesystems.com@localhost>]

On Sat, Sep 09, 2017 at 09:50:05PM +0100, Sevan Janiyan wrote:
> 
> Removing the kernel support for MD5 results in veriexecctl reporting
> Cannot load '/etc/signatures' when running a signature file with MD5 hashes.
> The kernel reports 'Invalid or unknown fingerprint type 'MD5' for file'
> for each entry in the signature file with MD5 hash.
> 
> System operates fine otherwise.
> 

Things will come unstuck when you ramp the strictness up, executables
without fingerprints will then not run.  At worst, you may have to hard
power off and boot single user to rework the fingerprints.

-- 
Brett Lymn
This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies:

    BAE Systems Australia Limited - Australian Company Number 008 423 005
    BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846
    BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864

Our registered office is Evans Building, Taranaki Road, Edinburgh Parks,
Edinburgh, South Australia, 5111. If the identity of the sending company is
not clear from the content of this email please contact the sender.

This email and any attachments may contain confidential and legally
privileged information.  If you are not the intended recipient, do not copy or
disclose its content, but please reply to this email immediately and highlight
the error to the sender and then immediately delete the message.