
dm ima: update dm target attributes for ima measurements

Certain DM targets ('integrity', 'multipath', 'verity') need to update the
way their attributes are recorded in the ima log, so that the attestation
servers can interpret the data correctly and decide if the devices
meet the attestation requirements. For instance, the "mode=%c" attribute
in the 'integrity' target is measured twice, the 'verity' target is
missing the attribute "root_hash_sig_key_desc=%s", and the 'multipath'
target needs to index the attributes properly.

Update 'integrity' target to remove the duplicate measurement of
the attribute "mode=%c". Add "root_hash_sig_key_desc=%s" attribute
for the 'verity' target. Index various attributes in 'multipath'
target. Also, add "nr_priority_groups=%u" attribute to 'multipath'
target to record the number of priority groups.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Suggested-by: Thore Sommer <public@thson.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

authored by

Tushar Sugandhi and committed by
Mike Snitzer
33ace4ca f1cd6cb2

+20 -9
-1
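--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -3328,7 +3328,6 @@
 DMEMIT(",journal_sectors=%u", ic->initial_sectors - SB_SECTORS);
 DMEMIT(",interleave_sectors=%u", 1U << ic->sb->log2_interleave_sectors);
 DMEMIT(",buffer_sectors=%u", 1U << ic->log2_buffer_sectors);
-DMEMIT(",mode=%c", ic->mode);
 DMEMIT(";");
 break;
 }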
+18 -8
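--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1790,7 +1790,7 @@
 static void multipath_status(struct dm_target *ti, status_type_t type,
 unsigned status_flags, char *result, unsigned maxlen)
 {
-int sz = 0;
+int sz = 0, pg_counter, pgpath_counter;
 unsigned long flags;
 struct multipath *m = ti->private;
 struct priority_group *pg;
@@ -1906,7 +1906,12 @@
 break;
 
 case STATUSTYPE_IMA:
+sz = 0; /*reset the result pointer*/
+
 DMEMIT_TARGET_NAME_VERSION(ti->type);
+DMEMIT(",nr_priority_groups=%u", m->nr_priority_groups);
+
+pg_counter = 0;
 list_for_each_entry(pg, &m->priority_groups, list) {
 if (pg->bypassed)
 state = 'D'; /* Disabled */
@@ -1919,21 +1914,26 @@
 state = 'A'; /* Currently Active */
 else
 state = 'E'; /* Enabled */
-DMEMIT(",pg_state=%c", state);
-DMEMIT(",nr_pgpaths=%u", pg->nr_pgpaths);
-DMEMIT(",path_selector_name=%s", pg->ps.type->name);
+DMEMIT(",pg_state_%d=%c", pg_counter, state);
+DMEMIT(",nr_pgpaths_%d=%u", pg_counter, pg->nr_pgpaths);
+DMEMIT(",path_selector_name_%d=%s", pg_counter, pg->ps.type->name);
 
+pgpath_counter = 0;
 list_for_each_entry(p, &pg->pgpaths, list) {
-DMEMIT(",path_name=%s,is_active=%c,fail_count=%u",
-p->path.dev->name, p->is_active ? 'A' : 'F',
-p->fail_count);
+DMEMIT(",path_name_%d_%d=%s,is_active_%d_%d=%c,fail_count_%d_%d=%u",
+pg_counter, pgpath_counter, p->path.dev->name,
+pg_counter, pgpath_counter, p->is_active ? 'A' : 'F',
+pg_counter, pgpath_counter, p->fail_count);
 if (pg->ps.type->status) {
-DMEMIT(",path_selector_status=");
+DMEMIT(",path_selector_status_%d_%d=",
+pg_counter, pgpath_counter);
 sz += pg->ps.type->status(&pg->ps, &p->path,
 type, result + sz,
 maxlen - sz);
 }
+pgpath_counter++;
 }
+pg_counter++;
 }
 DMEMIT(";");
 break;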
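Review bot: The added `sz = 0; /*reset the result pointer*/` before DMEMIT_TARGET_NAME_VERSION is misleading as written: sz is the byte offset into result, not a pointer, and it is already initialised to 0 in the declaration this commit edits at the top of multipath_status, so unless the part of the function outside the hunk writes into result before the switch, the reset is a no-op. If it is meant as a safeguard, say what it guards against and use kernel comment spacing, e.g. `sz = 0; /* the IMA record starts at the beginning of result */`; otherwise drop it. Separately, the new per-path attributes make the record grow with the number of paths while DMEMIT presumably bounds writes at maxlen (its definition is outside the hunk); if the record is truncated, the trailing paths and the closing `;` are lost silently, so an attestation parser should treat a record without a `;` terminator as incomplete rather than as a device with fewer paths. The enclosing function multipath_status continues outside the hunk.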
+2
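--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -794,6 +794,8 @@
 
 DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n');
 DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n');
+if (v->signature_key_desc)
+DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc);
 
 if (v->mode != DM_VERITY_MODE_EIO) {
 DMEMIT(",verity_mode=");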
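Review bot: The new `DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc)` copies the key description into the measurement verbatim, and if signature_key_desc is taken from the table line (not visible in the hunk, please confirm) a value containing `,`, `=` or `;` cannot be told apart from an attribute boundary by the attestation parser, which reads those characters as field separators. The same holds for the `%s` attributes in drivers/md/dm-mpath.c (`path_name_%d_%d` and `path_selector_name_%d`), though those are more likely kernel-chosen names. Either reject such characters where the key description is parsed, or escape them before emitting so the record stays unambiguous. The enclosing status function starts and ends outside the hunk.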