From: Thore Sommer <public@thson.de>
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org,
	Thore Sommer <public@thson.de>
Subject: [RFC PATCH 1/3] dm ima: allow targets to remeasure their table entry
Date: Thu,  6 Jan 2022 21:34:34 +0100	[thread overview]
Message-ID: <20220106203436.281629-2-public@thson.de> (raw)
In-Reply-To: <20220106203436.281629-1-public@thson.de>

A new DM event dm_target_update is introduced for targets to remeasure
their table entry. This is intended for targets that indicate security
relevant events by updating one of their table entries (e.g. verity for
corruption).

In the event the dm version, device metadata and target data gets
measured.

This does not update the hash of the active table because it would require
rehashing the whole table together with all the other targets' entries.

Signed-off-by: Thore Sommer <public@thson.de>
---
 drivers/md/dm-ima.c | 76 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/md/dm-ima.h |  2 ++
 2 files changed, 78 insertions(+)

diff --git a/drivers/md/dm-ima.c b/drivers/md/dm-ima.c
index 957999998d70..3b1bb97263d9 100644
--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -750,3 +750,79 @@ void dm_ima_measure_on_device_rename(struct mapped_device *md)
 	kfree(new_dev_name);
 	kfree(new_dev_uuid);
 }
+
+/*
+ * Give the option for targets to remeasure on state change.
+ */
+void dm_ima_measure_on_target_update(struct dm_target *ti)
+{
+	char *ima_buf = NULL, *target_metadata_buf = NULL, *target_data_buf = NULL;
+	struct dm_target *ti2;
+	size_t target_metadata_buf_len, target_data_buf_len;
+	unsigned int num_targets, target_index;
+	struct dm_table *table = ti->table;
+	struct mapped_device *md = table->md;
+	bool found = false;
+	bool noio = true;
+	int l = 0;
+
+	ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, GFP_KERNEL, noio);
+	if (!ima_buf)
+		return;
+
+	target_metadata_buf = dm_ima_alloc(DM_IMA_TARGET_METADATA_BUF_LEN, GFP_KERNEL, noio);
+	if (!target_metadata_buf)
+		goto exit;
+
+	target_data_buf = dm_ima_alloc(DM_IMA_TARGET_DATA_BUF_LEN, GFP_KERNEL, noio);
+	if (!target_data_buf)
+		goto exit;
+
+	/*
+	 * Get the index of the target in the table.
+	 */
+	num_targets = dm_table_get_num_targets(table);
+	for (target_index = 0; target_index < num_targets; target_index++) {
+		ti2 = dm_table_get_target(table, target_index);
+		if (!ti)
+			goto exit;
+		if (ti == ti2) {
+			found = true;
+			break;
+		}
+	}
+	if (!found)
+		goto exit;
+
+	scnprintf(target_metadata_buf, DM_IMA_TARGET_METADATA_BUF_LEN,
+			  "target_index=%d,target_begin=%llu,target_len=%llu,",
+			  target_index, ti->begin, ti->len);
+	target_metadata_buf_len = strlen(target_metadata_buf);
+
+	if (ti->type->status)
+		ti->type->status(ti, STATUSTYPE_IMA, STATUSTYPE_IMA, target_data_buf,
+					DM_IMA_TARGET_DATA_BUF_LEN);
+	else
+		target_data_buf[0] = '\0';
+	target_data_buf_len = strlen(target_data_buf);
+
+	memcpy(ima_buf + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+	l += md->ima.dm_version_str_len;
+
+	memcpy(ima_buf + l, md->ima.active_table.device_metadata,
+	       md->ima.active_table.device_metadata_len);
+	l += md->ima.active_table.device_metadata_len;
+
+	memcpy(ima_buf + l, target_metadata_buf, target_metadata_buf_len);
+	l += target_metadata_buf_len;
+
+	memcpy(ima_buf + l, target_data_buf, target_data_buf_len);
+
+	dm_ima_measure_data("dm_target_update", ima_buf, strlen(ima_buf), noio);
+
+exit:
+	kfree(ima_buf);
+	kfree(target_data_buf);
+	kfree(target_metadata_buf);
+}
+EXPORT_SYMBOL_GPL(dm_ima_measure_on_target_update);
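Review bot: The NULL check inside the index loop tests the wrong pointer: after `ti2 = dm_table_get_target(table, target_index);` the guard should read `if (!ti2)`, since `ti` was already dereferenced to initialise `table` and `md` and cannot be NULL at that point, so a NULL lookup result would reach the `ti == ti2` comparison unnoticed. The memcpy chain into ima_buf also has no check that the accumulated length stays below DM_IMA_MEASUREMENT_BUF_LEN; it presumably fits given the sizes of the sub-buffers, but a guard before the first copy such as `if (md->ima.dm_version_str_len + md->ima.active_table.device_metadata_len + target_metadata_buf_len + target_data_buf_len >= DM_IMA_MEASUREMENT_BUF_LEN) goto exit;` would make that explicit. Since `l` already tracks the bytes written, `l += target_data_buf_len;` followed by `dm_ima_measure_data("dm_target_update", ima_buf, l, noio);` would avoid relying on the allocation being zero-filled for the final strlen(). The same hunk is repeated verbatim in the second copy of this message further down the page and carries the same issues.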
diff --git a/drivers/md/dm-ima.h b/drivers/md/dm-ima.h
index b8c3b614670b..281a8b65f8a9 100644
--- a/drivers/md/dm-ima.h
+++ b/drivers/md/dm-ima.h
@@ -63,6 +63,7 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap);
 void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all);
 void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map);
 void dm_ima_measure_on_device_rename(struct mapped_device *md);
+void dm_ima_measure_on_target_update(struct dm_target *ti);
 
 #else
 
@@ -72,6 +73,7 @@ static inline void dm_ima_measure_on_device_resume(struct mapped_device *md, boo
 static inline void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all) {}
 static inline void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map) {}
 static inline void dm_ima_measure_on_device_rename(struct mapped_device *md) {}
+static inline void dm_ima_measure_on_target_update(struct dm_target *ti) {}
 
 #endif /* CONFIG_IMA */
 
-- 
2.34.1


From: Thore Sommer <public@thson.de>
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org,
	Thore Sommer <public@thson.de>
Subject: [dm-devel] [RFC PATCH 1/3] dm ima: allow targets to remeasure their table entry
Date: Thu,  6 Jan 2022 21:34:34 +0100	[thread overview]
Message-ID: <20220106203436.281629-2-public@thson.de> (raw)
In-Reply-To: <20220106203436.281629-1-public@thson.de>

A new DM event dm_target_update is introduced for targets to remeasure
their table entry. This is intended for targets that indicate security
relevant events by updating one of their table entries (e.g. verity for
corruption).

In the event the dm version, device metadata and target data gets
measured.

This does not update the hash of the active table because it would require
rehashing the whole table together with all the other targets' entries.

Signed-off-by: Thore Sommer <public@thson.de>
---
 drivers/md/dm-ima.c | 76 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/md/dm-ima.h |  2 ++
 2 files changed, 78 insertions(+)

diff --git a/drivers/md/dm-ima.c b/drivers/md/dm-ima.c
index 957999998d70..3b1bb97263d9 100644
--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -750,3 +750,79 @@ void dm_ima_measure_on_device_rename(struct mapped_device *md)
 	kfree(new_dev_name);
 	kfree(new_dev_uuid);
 }
+
+/*
+ * Give the option for targets to remeasure on state change.
+ */
+void dm_ima_measure_on_target_update(struct dm_target *ti)
+{
+	char *ima_buf = NULL, *target_metadata_buf = NULL, *target_data_buf = NULL;
+	struct dm_target *ti2;
+	size_t target_metadata_buf_len, target_data_buf_len;
+	unsigned int num_targets, target_index;
+	struct dm_table *table = ti->table;
+	struct mapped_device *md = table->md;
+	bool found = false;
+	bool noio = true;
+	int l = 0;
+
+	ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, GFP_KERNEL, noio);
+	if (!ima_buf)
+		return;
+
+	target_metadata_buf = dm_ima_alloc(DM_IMA_TARGET_METADATA_BUF_LEN, GFP_KERNEL, noio);
+	if (!target_metadata_buf)
+		goto exit;
+
+	target_data_buf = dm_ima_alloc(DM_IMA_TARGET_DATA_BUF_LEN, GFP_KERNEL, noio);
+	if (!target_data_buf)
+		goto exit;
+
+	/*
+	 * Get the index of the target in the table.
+	 */
+	num_targets = dm_table_get_num_targets(table);
+	for (target_index = 0; target_index < num_targets; target_index++) {
+		ti2 = dm_table_get_target(table, target_index);
+		if (!ti)
+			goto exit;
+		if (ti == ti2) {
+			found = true;
+			break;
+		}
+	}
+	if (!found)
+		goto exit;
+
+	scnprintf(target_metadata_buf, DM_IMA_TARGET_METADATA_BUF_LEN,
+			  "target_index=%d,target_begin=%llu,target_len=%llu,",
+			  target_index, ti->begin, ti->len);
+	target_metadata_buf_len = strlen(target_metadata_buf);
+
+	if (ti->type->status)
+		ti->type->status(ti, STATUSTYPE_IMA, STATUSTYPE_IMA, target_data_buf,
+					DM_IMA_TARGET_DATA_BUF_LEN);
+	else
+		target_data_buf[0] = '\0';
+	target_data_buf_len = strlen(target_data_buf);
+
+	memcpy(ima_buf + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+	l += md->ima.dm_version_str_len;
+
+	memcpy(ima_buf + l, md->ima.active_table.device_metadata,
+	       md->ima.active_table.device_metadata_len);
+	l += md->ima.active_table.device_metadata_len;
+
+	memcpy(ima_buf + l, target_metadata_buf, target_metadata_buf_len);
+	l += target_metadata_buf_len;
+
+	memcpy(ima_buf + l, target_data_buf, target_data_buf_len);
+
+	dm_ima_measure_data("dm_target_update", ima_buf, strlen(ima_buf), noio);
+
+exit:
+	kfree(ima_buf);
+	kfree(target_data_buf);
+	kfree(target_metadata_buf);
+}
+EXPORT_SYMBOL_GPL(dm_ima_measure_on_target_update);
diff --git a/drivers/md/dm-ima.h b/drivers/md/dm-ima.h
index b8c3b614670b..281a8b65f8a9 100644
--- a/drivers/md/dm-ima.h
+++ b/drivers/md/dm-ima.h
@@ -63,6 +63,7 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap);
 void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all);
 void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map);
 void dm_ima_measure_on_device_rename(struct mapped_device *md);
+void dm_ima_measure_on_target_update(struct dm_target *ti);
 
 #else
 
@@ -72,6 +73,7 @@ static inline void dm_ima_measure_on_device_resume(struct mapped_device *md, boo
 static inline void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all) {}
 static inline void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map) {}
 static inline void dm_ima_measure_on_device_rename(struct mapped_device *md) {}
+static inline void dm_ima_measure_on_target_update(struct dm_target *ti) {}
 
 #endif /* CONFIG_IMA */
 
-- 
2.34.1


