From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: sfr@canb.auug.org.au, zohar@linux.ibm.com,
	nramas@linux.microsoft.com, public@thson.de,
	tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: [dm-devel] [PATCH 2/6] dm ima: add version info to dm related events in ima log
Date: Fri, 13 Aug 2021 14:37:57 -0700	[thread overview]
Message-ID: <20210813213801.297051-3-tusharsu@linux.microsoft.com> (raw)
In-Reply-To: <20210813213801.297051-1-tusharsu@linux.microsoft.com>

The DM events present in the ima log contain various attributes in the
key=value format.  The attributes' names/values may change in the future,
and new attributes may also get added.  The attestation server needs
some versioning to determine which attributes are supported and are
expected in the ima log.

Add version information to the DM events present in the ima log to
help attestation servers to correctly process the attributes across
different versions.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
---
 drivers/md/dm-ima.c | 60 ++++++++++++++++++++++++++++++++++++---------
 drivers/md/dm-ima.h |  9 +++++++
 2 files changed, 57 insertions(+), 12 deletions(-)

diff --git a/drivers/md/dm-ima.c b/drivers/md/dm-ima.c
index 4bab35c8f0c7..458a3a1d78bc 100644
--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -168,6 +168,7 @@ static int dm_ima_alloc_and_copy_capacity_str(struct mapped_device *md, char **c
 void dm_ima_reset_data(struct mapped_device *md)
 {
 	memset(&(md->ima), 0, sizeof(md->ima));
+	md->ima.dm_version_str_len = strlen(DM_IMA_VERSION_STR);
 }
 
 /*
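Review bot: Caching strlen(DM_IMA_VERSION_STR) in md->ima.dm_version_str_len at the added line makes every measurement path depend on dm_ima_reset_data() having run for that md first; if any path measures an md whose ima data was never reset, the length is 0 and the memcpy callers copy no prefix, so the event is silently emitted without the version the attestation server is told to expect. Whether reset always precedes measurement is not visible here. The length is a compile-time constant, so it can be derived from the macro itself, e.g. `#define DM_IMA_VERSION_STR_LEN (sizeof(DM_IMA_VERSION_STR) - 1)`, and the per-md field dropped.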
@@ -224,6 +225,9 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 	if (r)
 		goto error;
 
+	memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len);
+	l += table->md->ima.dm_version_str_len;
+
 	device_data_buf_len = strlen(device_data_buf);
 	memcpy(ima_buf + l, device_data_buf, device_data_buf_len);
 	l += device_data_buf_len;
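Review bot: The memcpy of DM_IMA_VERSION_STR at the first added line is unbounded and advances l by the prefix length before the existing device_data_buf copy, while the allocation size of ima_buf and the later copies into it lie outside this hunk and are unchanged by the patch, so the buffer's headroom now has to absorb the extra bytes on every event. Please confirm the buffer length constant still covers the worst case, or bound the copy against the remaining space. The same applies to the second record added under the multi-record comment further down and to the prefix memcpy lines added to the device_resume, device_remove and table_clear buffers. dm_ima_measure_on_table_load starts and ends outside the hunk.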
@@ -281,6 +285,9 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 			 * prefix, so that multiple records from the same table_load for
 			 * a given device can be linked together.
 			 */
+			memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len);
+			l += table->md->ima.dm_version_str_len;
+
 			memcpy(ima_buf + l, device_data_buf, device_data_buf_len);
 			l += device_data_buf_len;
 
@@ -368,6 +375,7 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 	unsigned int active_len = strlen(active), capacity_len = 0;
 	unsigned int l = 0;
 	bool noio = true;
+	bool nodata = true;
 	int r;
 
 	device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio);
@@ -378,6 +386,9 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 	if (r)
 		goto error;
 
+	memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+	l += md->ima.dm_version_str_len;
+
 	if (swap) {
 		if (md->ima.active_table.hash != md->ima.inactive_table.hash)
 			kfree(md->ima.active_table.hash);
@@ -413,8 +424,11 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 	}
 
 	if (md->ima.active_table.device_metadata) {
-		l = md->ima.active_table.device_metadata_len;
-		memcpy(device_table_data, md->ima.active_table.device_metadata, l);
+		memcpy(device_table_data + l, md->ima.active_table.device_metadata,
+		       md->ima.active_table.device_metadata_len);
+		l += md->ima.active_table.device_metadata_len;
+
+		nodata = false;
 	}
 
 	if (md->ima.active_table.hash) {
@@ -427,16 +441,18 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 
 		memcpy(device_table_data + l, ";", 1);
 		l++;
+
+		nodata = false;
 	}
 
-	if (!l) {
+	if (nodata) {
 		r = dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio);
 		if (r)
 			goto error;
 
 		scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-			  "name=%s,uuid=%s;device_resume=no_data;",
-			  dev_name, dev_uuid);
+			  "%sname=%s,uuid=%s;device_resume=no_data;",
+			  DM_IMA_VERSION_STR, dev_name, dev_uuid);
 		l += strlen(device_table_data);
 
 	}
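Review bot: In the `if (nodata)` branch, `l += strlen(device_table_data);` now double-counts the version prefix: l already equals md->ima.dm_version_str_len from the memcpy earlier in the function, and scnprintf() rewrites the buffer from offset 0 including that same prefix, so l ends up dm_version_str_len bytes past the terminating NUL. Before this patch l was 0 at that point, which is why `+=` was harmless, and `if (!l)` could be used. If l is later used as the measured length or as the offset for the capacity string (the tail of the function is outside the hunk), the measured event would include bytes beyond the string, which would corrupt what the attestation server parses. Use `l = strlen(device_table_data);` here; the identical `l += strlen(...)` in the device_remove and table_clear no_data branches further down needs the same change, and in the table_clear call the `DM_IMA_VERSION_STR, dev_name, dev_uuid);` continuation line is indented one space off from the other two.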
@@ -473,6 +489,7 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 	unsigned int capacity_len = 0;
 	unsigned int l = 0;
 	bool noio = true;
+	bool nodata = true;
 	int r;
 
 	device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN*2, GFP_KERNEL, noio);
@@ -485,6 +502,9 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 		goto exit;
 	}
 
+	memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+	l += md->ima.dm_version_str_len;
+
 	if (md->ima.active_table.device_metadata) {
 		memcpy(device_table_data + l, device_active_str, device_active_len);
 		l += device_active_len;
@@ -492,6 +512,8 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 		memcpy(device_table_data + l, md->ima.active_table.device_metadata,
 		       md->ima.active_table.device_metadata_len);
 		l += md->ima.active_table.device_metadata_len;
+
+		nodata = false;
 	}
 
 	if (md->ima.inactive_table.device_metadata) {
@@ -501,6 +523,8 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 		memcpy(device_table_data + l, md->ima.inactive_table.device_metadata,
 		       md->ima.inactive_table.device_metadata_len);
 		l += md->ima.inactive_table.device_metadata_len;
+
+		nodata = false;
 	}
 
 	if (md->ima.active_table.hash) {
@@ -513,6 +537,8 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 
 		memcpy(device_table_data + l, ",", 1);
 		l++;
+
+		nodata = false;
 	}
 
 	if (md->ima.inactive_table.hash) {
@@ -525,19 +551,21 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 
 		memcpy(device_table_data + l, ",", 1);
 		l++;
+
+		nodata = false;
 	}
 	/*
 	 * In case both active and inactive tables, and corresponding
 	 * device metadata is cleared/missing - record the name and uuid
 	 * in IMA measurements.
 	 */
-	if (!l) {
+	if (nodata) {
 		if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio))
 			goto error;
 
 		scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-			  "name=%s,uuid=%s;device_remove=no_data;",
-			  dev_name, dev_uuid);
+			  "%sname=%s,uuid=%s;device_remove=no_data;",
+			  DM_IMA_VERSION_STR, dev_name, dev_uuid);
 		l += strlen(device_table_data);
 	}
 
@@ -583,6 +611,7 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 	char inactive_str[] = "inactive_table_hash=";
 	unsigned int inactive_len = strlen(inactive_str);
 	bool noio = true;
+	bool nodata = true;
 	int r;
 
 	device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio);
@@ -593,6 +622,9 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 	if (r)
 		goto error1;
 
+	memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+	l += md->ima.dm_version_str_len;
+
 	if (md->ima.inactive_table.device_metadata_len &&
 	    md->ima.inactive_table.hash_len) {
 		memcpy(device_table_data + l, md->ima.inactive_table.device_metadata,
@@ -609,14 +641,17 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 
 		memcpy(device_table_data + l, ";", 1);
 		l++;
+
+		nodata = false;
 	}
 
-	if (!l) {
+	if (nodata) {
 		if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio))
 			goto error2;
 
 		scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-			  "name=%s,uuid=%s;table_clear=no_data;", dev_name, dev_uuid);
+			  "%sname=%s,uuid=%s;table_clear=no_data;",
+			   DM_IMA_VERSION_STR, dev_name, dev_uuid);
 		l += strlen(device_table_data);
 	}
 
@@ -695,8 +730,9 @@ void dm_ima_measure_on_device_rename(struct mapped_device *md)
 	md->ima.active_table.device_metadata = new_device_data;
 	md->ima.active_table.device_metadata_len = strlen(new_device_data);
 
-	scnprintf(combined_device_data, DM_IMA_DEVICE_BUF_LEN * 2, "%snew_name=%s,new_uuid=%s;%s",
-		  old_device_data, new_dev_name, new_dev_uuid, capacity_str);
+	scnprintf(combined_device_data, DM_IMA_DEVICE_BUF_LEN * 2,
+		  "%s%snew_name=%s,new_uuid=%s;%s", DM_IMA_VERSION_STR, old_device_data,
+		  new_dev_name, new_dev_uuid, capacity_str);
 
 	dm_ima_measure_data("device_rename", combined_device_data, strlen(combined_device_data),
 			    noio);
diff --git a/drivers/md/dm-ima.h b/drivers/md/dm-ima.h
index 0731a51565d6..b8c3b614670b 100644
--- a/drivers/md/dm-ima.h
+++ b/drivers/md/dm-ima.h
@@ -18,6 +18,14 @@
 #define DM_IMA_DEVICE_CAPACITY_BUF_LEN	128
 #define DM_IMA_TABLE_HASH_ALG		"sha256"
 
+#define __dm_ima_stringify(s) #s
+#define __dm_ima_str(s) __dm_ima_stringify(s)
+
+#define DM_IMA_VERSION_STR "dm_version="	\
+	__dm_ima_str(DM_VERSION_MAJOR) "."	\
+	__dm_ima_str(DM_VERSION_MINOR) "."	\
+	__dm_ima_str(DM_VERSION_PATCHLEVEL) ";"
+
 #ifdef CONFIG_IMA
 
 struct dm_ima_device_table_metadata {
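Review bot: `__dm_ima_stringify`/`__dm_ima_str` re-implement the kernel's existing `__stringify()` from linux/stringify.h, and double-underscore-prefixed names are reserved for the implementation; `__stringify(DM_VERSION_MAJOR) "."` and so on gives the same result without the two local macros. The expansion also relies on DM_VERSION_MAJOR/MINOR/PATCHLEVEL being visible in this header (they come from the dm ioctl uapi header, presumably already included here — confirm). DM_IMA_VERSION_STR is placed outside the CONFIG_IMA guard while the rest of the added state is inside it; if that is deliberate a short comment saying so would help.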
@@ -46,6 +54,7 @@ struct dm_ima_device_table_metadata {
 struct dm_ima_measurements {
 	struct dm_ima_device_table_metadata active_table;
 	struct dm_ima_device_table_metadata inactive_table;
+	unsigned int dm_version_str_len;
 };
 
 void dm_ima_reset_data(struct mapped_device *md);
-- 
2.32.0

