On first corruption the verity target triggers a "dm_target_update" event. This allows other systems to detect the corruption via IMA instead of manually querying the table. The corruption cannot be detected using the other IMA measurements because "dm_table_load" only measures the table content during target creation. Using the new "dm_target_update" remeasures the target table entries during runtime. The event is only triggered if the target was not corrupted before because verity_handle_err(..) is still called when the target is corrupted and the IMA log should only contain an entry when the table changed.

Signed-off-by: Thore Sommer <public@xxxxxxxx>
---
- v1: rewrite check to not use an extra variable

 drivers/md/dm-verity-target.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index 80133aae0db3..5133c2274057 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -16,6 +16,7 @@ #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" +#include "dm-ima.h" #include <linux/module.h> #include <linux/reboot.h> #include <linux/scatterlist.h> @@ -219,8 +220,13 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type, const char *type_str = ""; struct mapped_device *md = dm_table_get_md(v->ti->table); - /* Corruption should be visible in device status in all modes */ - v->hash_failed = 1; + /* Only change and measure change if not already corrupted */ + if (!v->hash_failed) { + /* Corruption should be visible in device status in all modes */ + v->hash_failed = 1; + /* After the state has changed remeasure target table */ + dm_ima_measure_on_target_update(v->ti); + } if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS) goto out;

--
2.36.0

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel
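Review bot: in the first hunk, `+#include "dm-ima.h"` is added and the second hunk calls dm_ima_measure_on_target_update(), but nothing in this patch declares or defines that function, so the patch only builds on top of whatever earlier change in the series introduces it. Name that dependency in the commit message or cover letter, and confirm that dm-ima.h provides a no-op stub for the function when CONFIG_IMA is not set, so that the new include and call do not break dm-verity builds without IMA.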
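Review bot: in the verity_handle_err() hunk, `if (!v->hash_failed) {` followed by `v->hash_failed = 1;` is a non-atomic read-then-write, and verity_handle_err() can run concurrently for different bios, so two I/Os that each hit their first corrupted block at the same time can both observe hash_failed == 0, both set it, and both call dm_ima_measure_on_target_update(), producing exactly the duplicate IMA entry the commit message says must not happen. Use an atomic test-and-set for the transition (cmpxchg() on hash_failed, or test_and_set_bit() on a flags word) so that only the caller that flips the state performs the measurement; with that, the comment "Only change and measure change if not already corrupted" can simply say the table is remeasured once, on the first detected corruption.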