action #67243
closed [sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithm changed from sha1 to sha256
Description
Observation
openQA test in scenario sle-15-SP2-Online-x86_64-ima_measurement@uefi fails in
ima_measurement
Test suite description
Maintainer: llzhao@suse.com
Setup and test for IMA measurement functions.
Reproducible
Fails since (at least) Build 201.1 (current job)
Expected result
Last good: 197.1 (or more recent)
Further details
Always latest result in this scenario: latest
Check the contents of the "ima_measurement-ascii_runtime_measurements" files.
When this test case passed we got:
10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
...
When this test case failed we got:
10 0adefe762c149c7cec19da62f0da1297fcfbffff ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
...
It seems the default boot_aggregate algorithm changed from sha1 to sha256 on sle15sp2 build 201.1.
I will double confirm with developers.
Updated by llzhao almost 4 years ago
- Subject changed from [sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithem changed from sha1 to sha256 to [sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithm changed from sha1 to sha256
Updated by llzhao almost 4 years ago
Yes, it is by design. Reply from Mattias:
it's obvious that the kernel changed the digest algorithm in
ascii_runtime_measurements. Which is a good thing, because sha1 is no
longer considered safe.
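An added example, not part of the original ticket or the openQA test code: a parser for the ima-ng lines shown in the description that validates the boot_aggregate entry without pinning the digest algorithm, so that a check keeps working across the sha1 to sha256 change. The function names and the result layout are assumptions made for this illustration; the sample lines are the first two entries of each excerpt above.

```python
import re

# Hex digest length per algorithm name used in the ima-ng digest field.
HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}

# "<pcr> <template hash> ima-ng <algo>:<file digest> <path>", as in the ticket.
LINE_RE = re.compile(
    r"^(?P<pcr>\d+) (?P<thash>[0-9a-f]{40}) ima-ng "
    r"(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+) (?P<path>.+)$"
)

def parse_line(line):
    """Parse one ima-ng entry; reject a digest whose length does not fit its algorithm."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ima-ng entry: {line!r}")
    entry = m.groupdict()
    entry["pcr"] = int(entry["pcr"])
    if HEX_LEN.get(entry["algo"]) != len(entry["digest"]):
        raise ValueError(f"digest length does not fit {entry['algo']}: {line!r}")
    return entry

def check_boot_aggregate(log):
    """Check the first entry of a measurement list without pinning the hash algorithm."""
    lines = [l for l in log.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty measurement list")
    first = parse_line(lines[0])
    if first["path"] != "boot_aggregate":
        raise ValueError("first entry is not boot_aggregate")
    # An all-zero aggregate means no TPM PCR values went into it.
    return {"algo": first["algo"], "all_zero": set(first["digest"]) == {"0"},
            "entries": len([parse_line(l) for l in lines])}

# First two lines of each excerpt in the ticket (zero digests written as "0" * n).
SYSTEMD = ("10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:"
           "02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216"
           " /usr/lib/systemd/systemd")
PASSED_LOG = ("10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:"
              + "0" * 40 + " boot_aggregate\n" + SYSTEMD + "\n")
FAILED_LOG = ("10 0adefe762c149c7cec19da62f0da1297fcfbffff ima-ng sha256:"
              + "0" * 64 + " boot_aggregate\n" + SYSTEMD + "\n")

if __name__ == "__main__":
    for name, log in (("passed", PASSED_LOG), ("failed", FAILED_LOG)):
        print(name, check_boot_aggregate(log))
```

Both excerpts pass this check; only the reported `algo` differs, which is the change the ticket describes.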
Updated by llzhao almost 4 years ago
- Status changed from New to In Progress
Updated by llzhao almost 4 years ago
- Status changed from In Progress to Resolved
Updated by pvorel almost 4 years ago
FYI I'm thinking about getting TPM 2.0 for some of our baremetal machines for openQA.
Updated by llzhao almost 4 years ago
pvorel wrote:
FYI I'm thinking about getting TPM 2.0 for some of our baremetal machines for openQA.
Thanks for the updates, looking forward to "TPM 2.0" being in openQA