Hi Thore,
On 1/6/2022 12:34 PM, Thore Sommer wrote:
The current DM IMA events do not cover the case where a device changes
their attributes to indicate a state change.
It would be good to state here what issue(s) are caused, if any, or what
data\event we might be missing as a result of not measuring the device
attribute changes. And, then state the benefits of the changes you have
implemented in this patch series.
This adds a new event
(dm_target_update) which allows targets to remeasure their table entries.
The event includes the dm version, device metadata and the target data.
Currently only verity supports this event to ensure that device corruption
can be detected using IMA which is useful for remote attestation.
Using the term "currently" in this context seems to indicate that this
is the current state (existing behavior) in the Linux kernel
implementation. You could instead reword it to indicate that your
proposed measurement change is used by verity to add support for
detecting device corruption.
The current implementation does not update the active table hash because
it would require to rehash the entire table on every target change.
Similar to the above comment - could be reworded to indicate this is the
proposed change and not the existing behavior.
thanks,
-lakshmi
Thore Sommer (3):
dm ima: allow targets to remeasure their table entry
dm verity: add support for IMA target update event
dm ima: add documentation target update event
.../admin-guide/device-mapper/dm-ima.rst | 33 ++++++++
drivers/md/dm-ima.c | 76 +++++++++++++++++++
drivers/md/dm-ima.h | 2 +
drivers/md/dm-verity-target.c | 6 ++
4 files changed, 117 insertions(+)
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel
