[PATCH 0/1] dm-integrity: integrity protection device-mapper target

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are two existing offline integrity models: file level integrity
(linux-integrity subsystem EVM/IMA-appraisal) and block level integrity
(dm-verity, dm-crypt).

This patch provides a new block level method called device-mapper "integrity"
target (dm-integrity), which provides transparent cryptographic integrity
protection of the underlying read-write block device using hash-based message
authentication codes (HMACs). The HMACs can be stored on the same or different
block device.

dm-integrity uses an encrypted key type, stored on the kernel keyring, to
obtain a secret key for use in cryptographic operations. Encrypted keys are
never exposed in plain text to user space. The encrypted keys are encrypted
using master key, which can either be a user defined or trusted key type.
The secret key, which is usually device specific, binds integrity data to the
device. As a result data blocks and corresponding HMACs cannot simply be
copied over from other file systems.

EVM/IMA-appraisal provides file level integrity protection. The advantages
are that it is policy based, file measurements are available for remote
attestation, and files can be digitally signed to provide authenticity.

Both dm-verity and dm-crypt provide block level integrity protection.
dm-verity provides block level integrity protection for read-only file
systems, while dm-crypt provides block level integrity protection, with
minimum penalty, for filesystems requiring full disk encryption.

dm-integrity provides a lighter weight read-write block level integrity
protection for file systems not requiring full disk encryption, but
which do require writability.

- Dmitry

Dmitry Kasatkin (1):
  dm-integrity: integrity protection device-mapper target

 Documentation/device-mapper/dm-integrity.txt |  125 ++++
 drivers/md/Kconfig                           |   12 +
 drivers/md/Makefile                          |    1 +
 drivers/md/dm-integrity.c                    | 1019 ++++++++++++++++++++++++++
 4 files changed, 1157 insertions(+)
 create mode 100644 Documentation/device-mapper/dm-integrity.txt
 create mode 100644 drivers/md/dm-integrity.c

-- 
1.7.9.5

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel


[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux