Re: [RFC PATCH 0/3] dm ima: allow targets to remeasure their state

Hi Thore,

On 1/6/2022 12:34 PM, Thore Sommer wrote:
> The current DM IMA events do not cover the case where a device changes
> its attributes to indicate a state change.
It would be good to state here what issue(s) are caused, if any, or what data/event we might be missing as a result of not measuring the device attribute changes. And then state the benefits of the changes you have implemented in this patch series.

> This adds a new event
> (dm_target_update) which allows targets to remeasure their table entries.
> The event includes the dm version, device metadata and the target data.
>
> Currently only verity supports this event to ensure that device corruption
> can be detected using IMA which is useful for remote attestation.
Using the term "currently" in this context seems to indicate that this is the current state (existing behavior) in the Linux kernel implementation. You could instead reword it to indicate that your proposed measurement change is used by verity to add support for detecting device corruption.


> The current implementation does not update the active table hash because
> it would require rehashing the entire table on every target change.
Similar to the above comment - could be reworded to indicate this is the proposed change and not the existing behavior.

thanks,
 -lakshmi


> Thore Sommer (3):
>   dm ima: allow targets to remeasure their table entry
>   dm verity: add support for IMA target update event
>   dm ima: add documentation target update event
>
>  .../admin-guide/device-mapper/dm-ima.rst      | 33 ++++++++
>  drivers/md/dm-ima.c                           | 76 +++++++++++++++++++
>  drivers/md/dm-ima.h                           |  2 +
>  drivers/md/dm-verity-target.c                 |  6 ++
>  4 files changed, 117 insertions(+)


--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel