From: Thore Sommer
To: tusharsu@linux.microsoft.com
Cc: agk@redhat.com, dm-devel@redhat.com, linux-integrity@vger.kernel.org, nramas@linux.microsoft.com, snitzer@redhat.com, zohar@linux.ibm.com
Subject: Re: [dm-devel] [PATCH 0/7] device mapper target measurements using IMA
Date: Wed, 14 Jul 2021 13:32:41 +0200
Message-Id: <20210714113241.28580-1-public@thson.de>
In-Reply-To: <20210713004904.8808-1-tusharsu@linux.microsoft.com>
References: <20210713004904.8808-1-tusharsu@linux.microsoft.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Thank you for bringing IMA support to device mapper. The addition of dm-verity to IMA is very useful for the project I'm working on where we boot our distribution from removable USB media. One of our goals is to detect tampering of the root file system remotely. Therefore we enabled dm-verity support, but implementing remote attestation for dm-verity from userland is not ideal, which was our initial plan.

This patch set enables us to leverage the already implemented IMA attestation infrastructure by the remote attestation service that we are using (Keylime) without trying to roll a custom solution.

We tested the initial RFC patch set and will continue testing with this one to see if it fully works in our environment and with our use case.

Thore Sommer