action #67243

closed

[sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithm changed from sha1 to sha256

Added by llzhao almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2020-05-26
Due date:
% Done: 0%
Estimated time:
Difficulty:

Description

Observation

openQA test in scenario sle-15-SP2-Online-x86_64-ima_measurement@uefi fails in ima_measurement

Test suite description

Maintainer: llzhao@suse.com
Setup and test for IMA measurement functions.

Reproducible

Fails since (at least) Build 201.1 (current job)

Expected result

Last good: 197.1 (or more recent)

Further details

Always latest result in this scenario: latest

Check the contents of the "ima_measurement-ascii_runtime_measurements" files.
When this test case passed we got:
10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
...

When this test case failed we got:
10 0adefe762c149c7cec19da62f0da1297fcfbffff ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
...

It seems the default boot_aggregate algorithm changed from sha1 to sha256 on sle15sp2 build 201.1.
I will double-check with the developers.
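The two log excerpts above show the failure mode exactly: the test hard-coded the boot_aggregate digest algorithm, so a kernel that switched the default from sha1 to sha256 broke the check even though nothing was wrong with the measurement list. The following is an added example, not the openQA Perl test or any code from this ticket: a small parser for ima-ng lines from ascii_runtime_measurements and a boot_aggregate check that accepts a configurable set of algorithms and validates the digest length against the algorithm actually named on the line, instead of expecting one fixed algorithm. The sample logs are constructed from the excerpts in this ticket (the all-zero digests are built with `"0" * n` so their lengths are exact); the accepted-algorithm default `("sha1", "sha256")` and the inclusion of sha384/sha512 in the length table are my assumptions. It also reports whether the boot_aggregate digest is all zeros, which is what IMA records when no TPM is available to anchor the boot measurement.

```python
"""Parse IMA ascii_runtime_measurements (ima-ng template) and validate boot_aggregate."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample logs, modelled on the two excerpts quoted in this ticket.
ZERO_SHA1 = "0" * 40
ZERO_SHA256 = "0" * 64
PASSING_LOG = f"""\
10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:{ZERO_SHA1} boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
"""
FAILING_LOG = f"""\
10 0adefe762c149c7cec19da62f0da1297fcfbffff ima-ng sha256:{ZERO_SHA256} boot_aggregate
10 f678f4b5d72eaa69875827a0ef6bd8245fd699fb ima-ng sha256:02c483d784f05f2ed4d699d1e9ae80a81d17c6e54014831126869b0100b72216 /usr/lib/systemd/systemd
"""

# Hex digest length per algorithm (assumption: sha384/sha512 added for completeness).
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}


@dataclass
class Measurement:
    pcr: int            # PCR the template hash was extended into (IMA uses 10)
    template_hash: str  # hash of the template data, as extended into the PCR
    template: str       # template name, here always ima-ng
    algo: str           # file digest algorithm named on the line (sha1, sha256, ...)
    digest: str         # file digest, lowercase hex
    path: str           # measured path, or the literal "boot_aggregate"


def parse_line(line: str) -> Optional[Measurement]:
    """Parse one ima-ng line: '<pcr> <template-hash> ima-ng <algo>:<digest> <path>'."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None
    pcr, template_hash, template, algo_digest, path = parts
    if template != "ima-ng" or ":" not in algo_digest or not pcr.isdigit():
        return None
    algo, digest = algo_digest.split(":", 1)
    return Measurement(int(pcr), template_hash, template, algo.lower(), digest.lower(), path)


def parse_log(text: str) -> List[Measurement]:
    """Return all parseable ima-ng entries, skipping blank or foreign lines."""
    entries = []
    for line in text.splitlines():
        m = parse_line(line)
        if m is not None:
            entries.append(m)
    return entries


def check_boot_aggregate(text: str, accepted=("sha1", "sha256")) -> Dict[str, object]:
    """Validate the boot_aggregate entry without hard-coding a single algorithm.

    'ok' is True when no problems were found; 'algo' is the algorithm named on
    the line; 'tpm_backed' is False when the digest is all zeros, i.e. no TPM
    anchored the boot measurement.
    """
    problems: List[str] = []
    entries = parse_log(text)
    aggregates = [e for e in entries if e.path == "boot_aggregate"]
    if len(aggregates) != 1:
        return {"ok": False, "algo": None, "tpm_backed": False,
                "problems": [f"expected one boot_aggregate entry, found {len(aggregates)}"]}
    ba = aggregates[0]
    if entries[0] is not ba:
        problems.append("boot_aggregate is not the first measurement")
    if ba.algo not in accepted:
        problems.append(f"boot_aggregate uses {ba.algo}; accepted: {', '.join(accepted)}")
    expected_len = DIGEST_HEX_LEN.get(ba.algo)
    if (expected_len is None or len(ba.digest) != expected_len
            or not re.fullmatch(r"[0-9a-f]+", ba.digest)):
        problems.append(f"digest {ba.digest!r} is not a valid {ba.algo} hex digest")
    tpm_backed = set(ba.digest) != {"0"}
    return {"ok": not problems, "algo": ba.algo, "tpm_backed": tpm_backed, "problems": problems}


if __name__ == "__main__":
    for name, log in (("build 197.1 style", PASSING_LOG), ("build 201.1 style", FAILING_LOG)):
        print(name, check_boot_aggregate(log))
    # The sha1-only expectation is what broke on the new kernel:
    print("sha1-only check on new log ok?", check_boot_aggregate(FAILING_LOG, accepted=("sha1",))["ok"])
```

Run stand-alone, both sample logs pass the relaxed check with their respective algorithm, while the sha1-only variant rejects the new log exactly as the openQA test did. Both samples also report `tpm_backed` as False, since the virtual test machine recorded an all-zero boot_aggregate; a test that wants the aggregate to mean something should run where a TPM is present.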

Actions #1

Updated by llzhao almost 4 years ago

  • Subject changed from [sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithem changed from sha1 to sha256 to [sle][security][sle15sp2] test fails in ima_measurement: runtime boot_aggregate algorithm changed from sha1 to sha256
Actions #2

Updated by llzhao almost 4 years ago

Yes, it is by design. Reply from Mattias:
It's obvious that the kernel changed the digest algorithm in
ascii_runtime_measurements. Which is a good thing, because sha1 is no
longer considered safe.

Actions #3

Updated by llzhao almost 4 years ago

  • Status changed from New to In Progress
Actions #4

Updated by llzhao almost 4 years ago

  • Status changed from In Progress to Resolved
Actions #6

Updated by pvorel almost 4 years ago

FYI I'm thinking about getting TPM 2.0 for some of our baremetal machines for openQA.

Actions #7

Updated by llzhao almost 4 years ago

pvorel wrote:

FYI I'm thinking about getting TPM 2.0 for some of our baremetal machines for openQA.

Thanks for the update, looking forward to "TPM 2.0" being in openQA.
