dm-devel.redhat.com archive mirror
From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: sfr@canb.auug.org.au, zohar@linux.ibm.com,
	nramas@linux.microsoft.com, public@thson.de,
	tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: [dm-devel] [PATCH 1/6] dm ima: prefix dm table hashes in ima log with hash algorithm
Date: Fri, 13 Aug 2021 14:37:56 -0700
Message-ID: <20210813213801.297051-2-tusharsu@linux.microsoft.com>
In-Reply-To: <20210813213801.297051-1-tusharsu@linux.microsoft.com>

The active/inactive table hashes measured in the ima log do not contain
information about the hash algorithm.  This information is useful for the
attestation servers to recreate the hashes and compare them with the ones
present in the ima log to verify the table contents.

Prefix the table hashes in various DM events in ima log with the hash
algorithm used to compute those hashes.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
---
 drivers/md/dm-ima.c | 15 ++++++++++++---
 drivers/md/dm-ima.h |  1 +
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/md/dm-ima.c b/drivers/md/dm-ima.c
index 91ea4a7202ab..4bab35c8f0c7 100644
--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -186,6 +186,12 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 	struct crypto_shash *tfm = NULL;
 	u8 *digest = NULL;
 	bool noio = false;
+	const size_t hash_alg_prefix_len = strlen(DM_IMA_TABLE_HASH_ALG) + 1;
+				/*
+				 * +1 for the additional char (':'), when prefixing
+				 * the hash value with the hash algorithm name.
+				 * e.g. sha256:<hash_value>.
+				 */
 
 	ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, GFP_KERNEL, noio);
 	if (!ima_buf)
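Review bot: the explanatory comment is indented to hang under the new `hash_alg_prefix_len` declaration, which makes the declaration block hard to scan; move it above the `const size_t hash_alg_prefix_len = strlen(DM_IMA_TABLE_HASH_ALG) + 1;` line as a normal leading comment. It would also help to state there that the length counts the algorithm name plus the ':' but not the terminating NUL, since the later allocation adds a separate `+ 1` for that.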
@@ -204,7 +210,7 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 	if (dm_ima_alloc_and_copy_device_data(table->md, &device_data_buf, num_targets, noio))
 		goto error;
 
-	tfm = crypto_alloc_shash("sha256", 0, 0);
+	tfm = crypto_alloc_shash(DM_IMA_TABLE_HASH_ALG, 0, 0);
 	if (IS_ERR(tfm))
 		goto error;
 
@@ -315,12 +321,15 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 	if (r < 0)
 		goto error;
 
-	digest_buf = dm_ima_alloc((digest_size*2)+1, GFP_KERNEL, noio);
+	digest_buf = dm_ima_alloc((digest_size*2) + hash_alg_prefix_len + 1, GFP_KERNEL, noio);
+
 	if (!digest_buf)
 		goto error;
 
+	snprintf(digest_buf, hash_alg_prefix_len + 1, "%s:", DM_IMA_TABLE_HASH_ALG);
+
 	for (i = 0; i < digest_size; i++)
-		snprintf((digest_buf+(i*2)), 3, "%02x", digest[i]);
+		snprintf((digest_buf + hash_alg_prefix_len + (i*2)), 3, "%02x", digest[i]);
 
 	if (table->md->ima.active_table.hash != table->md->ima.inactive_table.hash)
 		kfree(table->md->ima.inactive_table.hash);
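Review bot: the sizing checks out: the allocation `(digest_size*2) + hash_alg_prefix_len + 1` holds the prefix, the 2*digest_size hex characters and one NUL; `snprintf(digest_buf, hash_alg_prefix_len + 1, "%s:", DM_IMA_TABLE_HASH_ALG);` writes exactly the prefix plus a NUL that the hex loop then overwrites; and the last loop iteration writes two characters plus NUL starting at offset `hash_alg_prefix_len + 2*(digest_size-1)`, ending on the final byte of the buffer. Style point: the two blank lines added after the `dm_ima_alloc()` call and after the prefix `snprintf()` separate an allocation from its NULL check and add churn to the hunk; drop them to match the surrounding code.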
diff --git a/drivers/md/dm-ima.h b/drivers/md/dm-ima.h
index 6e6f18bf05b4..0731a51565d6 100644
--- a/drivers/md/dm-ima.h
+++ b/drivers/md/dm-ima.h
@@ -16,6 +16,7 @@
 #define DM_IMA_TARGET_METADATA_BUF_LEN	128
 #define DM_IMA_TARGET_DATA_BUF_LEN	2048
 #define DM_IMA_DEVICE_CAPACITY_BUF_LEN	128
+#define DM_IMA_TABLE_HASH_ALG		"sha256"
 
 #ifdef CONFIG_IMA
 
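Review bot: `DM_IMA_TABLE_HASH_ALG` lacks a comment saying that it serves two purposes, the crypto API algorithm name passed to `crypto_alloc_shash()` and the literal prefix written into the IMA log before each table hash; add one so that a future change to this value is understood to alter both what is measured and what attestation servers must parse and recompute.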
-- 
2.32.0


--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
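The commit message explains that an attestation server recreates the table hashes and compares them with the ones in the ima log, and that the new `sha256:<hash_value>` form tells it which algorithm to recompute. The following is an added example written for this page, not code from the patch or from the kernel: a small verifier-side routine that parses the prefixed field, rejects the ambiguous unprefixed form, recomputes the digest with the named algorithm and compares in constant time. The function names, the supported-algorithm table and the sample table bytes are assumptions; in particular, the exact bytes the kernel feeds into the digest are defined in dm-ima.c and are not shown in this patch, so the sample here is a constructed dmsetup-style line used only as stand-in input.

```python
"""Verifier-side handling of algorithm-prefixed dm table hashes.

Added example (not kernel code, not part of the patch).  Shows how an
attestation server consumes the '<alg>:<hash_value>' form introduced by
the patch, and why the bare '<hash_value>' form it replaces cannot be
verified safely.  All names and sample data below are assumptions.
"""
import hashlib
import hmac
import re
from typing import Tuple

# Algorithms this verifier is willing to recompute, keyed by the kernel
# crypto API name (DM_IMA_TABLE_HASH_ALG is "sha256" in the patch) and
# mapped to the expected digest length in bytes.  Assumed table.
SUPPORTED_ALGS = {"sha256": 32, "sha512": 64, "sha1": 20}

_PREFIXED = re.compile(r"^([a-z0-9_-]+):([0-9a-f]+)$")
_BARE_HEX = re.compile(r"^[0-9a-f]+$")

# Constructed sample input: a dmsetup-style table line standing in for the
# bytes the kernel hashes.  The real hashed layout comes from dm-ima.c.
SAMPLE_TABLE = b"0 8192 linear 8:16 0"


def parse_table_hash(field: str) -> Tuple[str, bytes]:
    """Split '<alg>:<hex>' into (alg, digest bytes), validating both parts.

    A bare hex string (the pre-patch format) is refused: a 64-character
    value could be sha256, sha3-256 or blake2s-256, so the verifier has no
    sound way to pick the algorithm to recompute.
    """
    if _BARE_HEX.match(field):
        raise ValueError("unprefixed table hash: algorithm is ambiguous")
    m = _PREFIXED.match(field)
    if not m:
        raise ValueError(f"malformed table hash field: {field!r}")
    alg, hexdigest = m.group(1), m.group(2)
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    if len(hexdigest) != SUPPORTED_ALGS[alg] * 2:
        raise ValueError(f"{alg} digest has wrong length: {len(hexdigest)} hex chars")
    return alg, bytes.fromhex(hexdigest)


def is_acceptable_table_hash(field: str) -> bool:
    """True if the field is well-formed and names a supported algorithm."""
    try:
        parse_table_hash(field)
        return True
    except ValueError:
        return False


def format_table_hash(table_data: bytes, alg: str = "sha256") -> str:
    """Produce the '<alg>:<hex>' string the patched kernel writes.

    Mirrors the snprintf() sequence in the patch: algorithm name, ':',
    then each digest byte as two lowercase hex characters.
    """
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    digest = hashlib.new(alg, table_data).digest()
    return alg + ":" + "".join(f"{b:02x}" for b in digest)


def verify_table_hash(field: str, table_data: bytes) -> bool:
    """Recompute the digest over table_data with the algorithm named in the
    log field and compare it with the logged digest in constant time."""
    alg, logged = parse_table_hash(field)
    expected = hashlib.new(alg, table_data).digest()
    return hmac.compare_digest(logged, expected)


def demo() -> dict:
    """Run the verifier over the constructed sample and a tampered copy."""
    logged = format_table_hash(SAMPLE_TABLE)
    tampered = SAMPLE_TABLE.replace(b"linear", b"crypt")
    return {
        "logged_field": logged,
        "matches_original": verify_table_hash(logged, SAMPLE_TABLE),
        "matches_tampered": verify_table_hash(logged, tampered),
        "legacy_bare_hex_accepted": is_acceptable_table_hash(logged.split(":", 1)[1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the verifier refuses a bare hex digest rather than guessing an algorithm; the digest length alone does not identify the hash, which is the gap the prefix closes.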


Thread overview:
2021-08-13 21:37 [dm-devel] [PATCH 0/6] updates to device mapper target measurement using ima Tushar Sugandhi
2021-08-13 21:37 ` Tushar Sugandhi [this message]
2021-08-13 21:37 ` [dm-devel] [PATCH 2/6] dm ima: add version info to dm related events in ima log Tushar Sugandhi
2021-08-13 21:37 ` [dm-devel] [PATCH 3/6] dm ima: prefix ima event name related to device mapper with dm_ Tushar Sugandhi
2021-08-13 21:37 ` [dm-devel] [PATCH 4/6] dm ima: add a warning in dm_init if duplicate ima events are not measured Tushar Sugandhi
2021-08-13 21:38 ` [dm-devel] [PATCH 5/6] dm ima: update dm target attributes for ima measurements Tushar Sugandhi
2021-08-13 21:38 ` [dm-devel] [PATCH 6/6] dm ima: update dm documentation for ima measurement support Tushar Sugandhi
2021-08-20 20:19 ` [dm-devel] [PATCH 0/6] updates to device mapper target measurement using ima Mike Snitzer
2021-08-23 17:18   ` Tushar Sugandhi
