From: Deven Bowers <deven.desai@linux.microsoft.com>
To: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com,
jannh@google.com, dm-devel@redhat.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org,
linux-audit@redhat.com
Cc: tyhicks@linux.microsoft.com, linux-kernel@vger.kernel.org,
corbet@lwn.net, sashal@kernel.org,
jaskarankhurana@linux.microsoft.com, mdsakib@microsoft.com,
nramas@linux.microsoft.com, pasha.tatashin@soleen.com
Subject: [RFC PATCH v6 08/11] dm-verity: add bdev_setsecurity hook for root-hash
Date: Wed, 29 Jul 2020 17:31:10 -0700 [thread overview]
Message-ID: <20200730003113.2561644-9-deven.desai@linux.microsoft.com> (raw)
In-Reply-To: <20200730003113.2561644-1-deven.desai@linux.microsoft.com>
Add a security hook call to set a security property of a block_device
in dm-verity with the root-hash that was passed to device-mapper.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-target.c | 8 ++++++++
include/linux/device-mapper.h | 1 +
2 files changed, 9 insertions(+)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 9970488e67ed..44914668398d 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -16,8 +16,10 @@
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
+#include "dm-core.h"
#include <linux/module.h>
#include <linux/reboot.h>
+#include <linux/security.h>
#define DM_MSG_PREFIX "verity"
@@ -1207,6 +1209,12 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
+ r = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev,
+ DM_VERITY_ROOTHASH_SEC_NAME,
+ v->root_digest, v->digest_size);
+ if (r)
+ goto bad;
+
verity_verify_sig_opts_cleanup(&verify_args);
return 0;
diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
index ab6b8eb0a150..e8ef887e4bae 100644
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -626,5 +626,6 @@ static inline unsigned long to_bytes(sector_t n)
}
#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-rh"
#endif /* _LINUX_DEVICE_MAPPER_H */
--
2.27.0
WARNING: multiple messages have this Message-ID (diff)
From: Deven Bowers <deven.desai@linux.microsoft.com>
To: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com,
jannh@google.com, dm-devel@redhat.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org,
linux-audit@redhat.com
Cc: sashal@kernel.org, pasha.tatashin@soleen.com,
mdsakib@microsoft.com, corbet@lwn.net,
linux-kernel@vger.kernel.org, nramas@linux.microsoft.com,
tyhicks@linux.microsoft.com, jaskarankhurana@linux.microsoft.com
Subject: [RFC PATCH v6 08/11] dm-verity: add bdev_setsecurity hook for root-hash
Date: Wed, 29 Jul 2020 17:31:10 -0700 [thread overview]
Message-ID: <20200730003113.2561644-9-deven.desai@linux.microsoft.com> (raw)
In-Reply-To: <20200730003113.2561644-1-deven.desai@linux.microsoft.com>
Add a security hook call to set a security property of a block_device
in dm-verity with the root-hash that was passed to device-mapper.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
---
drivers/md/dm-verity-target.c | 8 ++++++++
include/linux/device-mapper.h | 1 +
2 files changed, 9 insertions(+)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 9970488e67ed..44914668398d 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -16,8 +16,10 @@
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
+#include "dm-core.h"
#include <linux/module.h>
#include <linux/reboot.h>
+#include <linux/security.h>
#define DM_MSG_PREFIX "verity"
@@ -1207,6 +1209,12 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
+ r = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev,
+ DM_VERITY_ROOTHASH_SEC_NAME,
+ v->root_digest, v->digest_size);
+ if (r)
+ goto bad;
+
verity_verify_sig_opts_cleanup(&verify_args);
return 0;
diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
index ab6b8eb0a150..e8ef887e4bae 100644
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -626,5 +626,6 @@ static inline unsigned long to_bytes(sector_t n)
}
#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-rh"
#endif /* _LINUX_DEVICE_MAPPER_H */
--
2.27.0
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-07-30 0:31 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-30 0:31 [RFC PATCH v6 00/11] Integrity Policy Enforcement LSM (IPE) Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 01/11] scripts: add ipe tooling to generate boot policy Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 02/11] security: add ipe lsm evaluation loop and audit system Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 03/11] security: add ipe lsm policy parser and policy loading Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 04/11] ipe: add property for trust of boot volume Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 05/11] fs: add security blob and hooks for block_device Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 06/11] dm-verity: add bdev_setsecurity hook for dm-verity signature Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 07/11] ipe: add property for signed dmverity volumes Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` Deven Bowers [this message]
2020-07-30 0:31 ` [RFC PATCH v6 08/11] dm-verity: add bdev_setsecurity hook for root-hash Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 09/11] ipe: add property for dmverity roothash Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 10/11] documentation: add ipe documentation Deven Bowers
2020-07-30 0:31 ` Deven Bowers
2020-07-30 0:31 ` [RFC PATCH v6 11/11] cleanup: uapi/linux/audit.h Deven Bowers
2020-07-30 0:31 ` Deven Bowers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200730003113.2561644-9-deven.desai@linux.microsoft.com \
--to=deven.desai@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=dm-devel@redhat.com \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdsakib@microsoft.com \
--cc=nramas@linux.microsoft.com \
--cc=pasha.tatashin@soleen.com \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=tyhicks@linux.microsoft.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.