aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-06-07 06:16:37 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-26 21:32:55 -0400
commite7a2ad7eb6f48ad80c70a22dd8167fb34b409466 (patch)
treed1b7e58d2029a273a347b9b9a08f35c50b244d27 /Documentation
parent9b9d4ce592d283fc4c01da746c02a840c499bb7e (diff)
ima: enable support for larger default filedata hash algorithms
The IMA measurement list contains two hashes - a template data hash and a filedata hash. The template data hash is committed to the TPM, which is limited, by the TPM v1.2 specification, to 20 bytes. The filedata hash is defined as 20 bytes as well. Now that support for variable length measurement list templates was added, the filedata hash is not limited to 20 bytes. This patch adds Kconfig support for defining larger default filedata hash algorithms and replacing the builtin default with one specified on the kernel command line. <uapi/linux/hash_info.h> contains a list of hash algorithms. The Kconfig default hash algorithm is a subset of this list, but any hash algorithm included in the list can be specified at boot, using the 'ima_hash=' kernel command line option. Changelog v2: - update Kconfig Changelog: - support hashes that are configured - use generic HASH_ALGO_ definitions - add Kconfig support - hash_setup must be called only once (Dmitry) - removed trailing whitespaces (Roberto Sassu) Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/kernel-parameters.txt6
1 files changed, 5 insertions, 1 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 2b78cb55ac34..1e8761c89a2c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1181,9 +1181,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
1181 owned by uid=0. 1181 owned by uid=0.
1182 1182
1183 ima_hash= [IMA] 1183 ima_hash= [IMA]
1184 Format: { "sha1" | "md5" } 1184 Format: { md5 | sha1 | rmd160 | sha256 | sha384
1185 | sha512 | ... }
1185 default: "sha1" 1186 default: "sha1"
1186 1187
1188 The list of supported hash algorithms is defined
1189 in crypto/hash_info.h.
1190
1187 ima_tcb [IMA] 1191 ima_tcb [IMA]
1188 Load a policy which meets the needs of the Trusted 1192 Load a policy which meets the needs of the Trusted
1189 Computing Base. This means IMA will measure all 1193 Computing Base. This means IMA will measure all