On Fri, 15 May 2020 at 08:40, Tzung-Bi Shih tzungbi@google.com wrote:
On Fri, May 15, 2020 at 2:04 PM Ard Biesheuvel ardb@kernel.org wrote:
Looking at the code, I was wondering if the SHA-256 is really required here? It looks like it is using it as some kind of fingerprint to decide whether the provided file is identical to the one that has already been loaded. If this is the case, we should probably just use CRC32 instead.
No, the binary blob carries data and possibly code. We are not only using the hash as a fingerprint but also an integrity check.
But does it have to be cryptographically strong? Why is CRC32 not sufficient?
Please see https://crrev.com/c/1490800/26/include/ec_commands.h#4744 for our original decision.
In this case, you are using the digest to decide whether the same code has already been loaded, right?
So it makes sense to think about the threat model here: if you are able to defeat the strong hash, what does that buy an attacker? If an attacker is able to create a different piece of code that has the same digest as the code that was already loaded, the only thing that happens is that the loader will ignore it. If that is a threat you want to protect yourself against, then you need sha256. Otherwise, a crc is sufficient.
Also, I would like to let you know that the data path to call calculate_sha256( ) is infrequent (1~2 times) if you think it is too expensive to use SHA256
In general, you shouldn't use crypto at all unless you can explain why it is necessary.
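The distinction drawn above (a digest used as a "same image already loaded?" fingerprint versus a digest used as an integrity check) can be made concrete with a small loader model. The following is an added example written for this discussion; it is not code from the thread, the cros_ec driver or the kernel. The `Loader` class, the `IMAGE_V1`/`IMAGE_V2` byte strings and the `corrupt` helper are all constructed here for illustration, and the `strong` flag simply switches between SHA-256 and CRC32 so both choices can be run through the same logic.

```python
import hashlib
import zlib

# Constructed sample firmware image (not a real EC binary): 2 KiB of patterned bytes.
IMAGE_V1 = bytes(range(256)) * 8
# A second, legitimately different image (a hypothetical newer version).
IMAGE_V2 = bytes((b * 7 + 3) & 0xFF for b in IMAGE_V1)


def fingerprint(blob: bytes, strong: bool) -> bytes:
    """Digest used to recognise an image that is already loaded.

    strong=True  -> SHA-256 (collision-resistant against an adversary)
    strong=False -> CRC32  (detects accidental corruption, not a crafted collision)
    """
    if strong:
        return hashlib.sha256(blob).digest()
    return zlib.crc32(blob).to_bytes(4, "big")


class Loader:
    """Hypothetical loader that remembers the digest of the image it last loaded."""

    def __init__(self, strong: bool):
        self.strong = strong
        self.loaded_digest = None
        self.load_count = 0

    def load(self, blob: bytes) -> bool:
        """Load 'blob' unless its digest matches what is already loaded.

        Returns True if the image was (re)loaded, False if it was skipped.
        """
        digest = fingerprint(blob, self.strong)
        if digest == self.loaded_digest:
            # Same digest as the running image: nothing to do. A digest collision
            # lands an attacker in this branch, i.e. the colliding image is
            # ignored, not executed; this is the point made in the thread.
            return False
        self.loaded_digest = digest
        self.load_count += 1
        return True


def corrupt(blob: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Return a copy of blob with one byte XORed (simulated transfer error)."""
    out = bytearray(blob)
    out[offset] ^= mask
    return bytes(out)


def matches_reference(blob: bytes, reference_digest: bytes, strong: bool) -> bool:
    """True integrity check: compare against a digest from a trusted source,
    not against whatever happened to be loaded last."""
    return fingerprint(blob, strong) == reference_digest


def run_scenario(strong: bool) -> dict:
    """Exercise the loader with one digest choice and report what happened."""
    loader = Loader(strong)
    first = loader.load(IMAGE_V1)                      # fresh load
    repeat = loader.load(IMAGE_V1)                     # identical image: skipped
    corrupted = loader.load(corrupt(IMAGE_V1, 100))    # bit flip: seen as "different", loaded
    upgrade = loader.load(IMAGE_V2)                    # new version: loaded
    return {
        "first": first,
        "repeat": repeat,
        "corrupted_seen_as_different": corrupted,
        "upgrade": upgrade,
        "load_count": loader.load_count,
        "digest_len": len(loader.loaded_digest),
    }


if __name__ == "__main__":
    for strong in (True, False):
        print("SHA-256" if strong else "CRC32", run_scenario(strong))
```

Both digests behave identically in the fingerprint role: the repeated image is skipped, a single flipped bit is treated as a different image, and a new version is loaded. Note that the fingerprint comparison alone does not reject the corrupted image; it simply loads it as "new". Rejecting corruption needs a reference digest from a trusted source (`matches_reference`), and rejecting a deliberately crafted image with a matching digest is exactly the property CRC32 lacks and SHA-256 provides, which is the threat-model question the thread asks the driver author to answer.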