linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alasdair G Kergon <agk@redhat.com>
To: Thore Sommer <public@thson.de>
Cc: tusharsu@linux.microsoft.com, agk@redhat.com,
	dm-devel@redhat.com, linux-integrity@vger.kernel.org,
	nramas@linux.microsoft.com, snitzer@redhat.com,
	zohar@linux.ibm.com
Subject: Re: [dm-devel] [PATCH 0/7] device mapper target measurements using IMA
Date: Tue, 27 Jul 2021 21:33:37 +0100	[thread overview]
Message-ID: <20210727203337.GA81220@agk-cloud1.hosts.prod.upshift.rdu2.redhat.com> (raw)
In-Reply-To: <20210727101802.779067-1-public@thson.de>

On Tue, Jul 27, 2021 at 12:18:02PM +0200, Thore Sommer wrote:
> No new IMA measurement is generated if dm-verity verification fails. This is
> unfortunate because to make the dm-verity measurements useful we need to be
> notified when hash_failed is set to true. We will need something like
> "device_update" where we remeasure the device state if it has changed.
 
Measurements in the current patchset are only triggered by ioctl calls
initiated by userspace.

Having other triggering mechanisms - such as hooking into internal
events when something unexpected happens - could be considered for
follow-on patches.

> Creating a dm-verity device with mount then removing it and now if you create it
> again no measurement is generated. Is that the expected behavior?  

Each of the relevant dm ioctls should be logged separately each time.  If that's
not happening it might need fixing.

> Is there a reason that suspend is not measured?

A suspend doesn't change the configuration so falls outside the criteria
for this patch set.  (If there is some need for it, it would be covered
by the need to measure internal events that I mentioned above.)
 
> What can happen in between a "table_load" and "device_resume" that is security
> relevant?

The table prepared by the load can be cleared.  That would change the
effect of the resume.
 
> Not directly device mapper related, but it would be nice to also measure the
> mount points and a mapping to the device IDs. 

Again, that would be for future patches building on these ones.

Alasdair


  reply	other threads:[~2021-07-27 20:33 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-13  0:48 Tushar Sugandhi
2021-07-13  0:48 ` [PATCH 1/7] dm: measure data on table load Tushar Sugandhi
2021-07-21  2:12   ` Mimi Zohar
2021-07-21 15:42     ` Mike Snitzer
2021-07-21 16:07       ` Mimi Zohar
2021-07-21 21:17         ` Mimi Zohar
2021-07-29 19:58           ` Tushar Sugandhi
2021-07-13  0:48 ` [PATCH 2/7] dm: measure data on device resume Tushar Sugandhi
2021-07-13  0:49 ` [PATCH 3/7] dm: measure data on device remove Tushar Sugandhi
2021-07-13  0:49 ` [PATCH 4/7] dm: measure data on table clear Tushar Sugandhi
2021-07-13  0:49 ` [PATCH 5/7] dm: measure data on device rename Tushar Sugandhi
2021-07-13  0:49 ` [PATCH 6/7] dm: update target specific status functions to measure data Tushar Sugandhi
2021-07-13  1:06   ` Alasdair G Kergon
2021-07-14 20:23     ` Tushar Sugandhi
2021-07-13  0:49 ` [PATCH 7/7] dm: add documentation for IMA measurement support Tushar Sugandhi
2021-07-21  2:33   ` Mimi Zohar
2021-07-24  7:25     ` Tushar Sugandhi
2021-07-26 16:33       ` Mimi Zohar
2021-07-26 18:28         ` Tushar Sugandhi
2021-07-14 11:32 ` [dm-devel] [PATCH 0/7] device mapper target measurements using IMA Thore Sommer
2021-07-14 20:20   ` Tushar Sugandhi
2021-07-27 10:18     ` Thore Sommer
2021-07-27 20:33       ` Alasdair G Kergon [this message]
2021-07-28  3:10         ` Tushar Sugandhi
2021-07-28 17:14           ` Thore Sommer
2021-07-29 17:32             ` Tushar Sugandhi
2021-07-28 17:34         ` Thore Sommer
2021-07-28 21:33       ` Alasdair G Kergon
2021-08-02 10:45         ` Thore Sommer
2021-07-29 19:24       ` Tushar Sugandhi
2021-08-02 10:38         ` Thore Sommer
2021-07-20 21:27 ` Mike Snitzer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210727203337.GA81220@agk-cloud1.hosts.prod.upshift.rdu2.redhat.com \
    --to=agk@redhat.com \
    --cc=dm-devel@redhat.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=public@thson.de \
    --cc=snitzer@redhat.com \
    --cc=tusharsu@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    --subject='Re: [dm-devel] [PATCH 0/7] device mapper target measurements using IMA' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).