On Tue, Jul 27, 2021 at 12:18:02PM +0200, Thore Sommer wrote: > No new IMA measurement is generated if dm-verity verification fails. This is > unfortunate because to make the dm-verity measurements useful we need to be > notified when hash_failed is set to true. We will need something like > "device_update" where we remeasure the device state if it has changed. Measurements in the current patchset are only triggered by ioctl calls initiated by userspace. Having other triggering mechanisms - such as hooking into internal events when something unexpected happens - could be considered for follow-on patches. > Creating a dm-verity device with mount then removing it and now if you create it > again no measurement is generated. Is that the expected behavior? Each of the relevant dm ioctls should be logged separately each time. If that's not happening it might need fixing. > Is there a reason that suspend is not measured? A suspend doesn't change the configuration so falls outside the criteria for this patch set. (If there is some need for it, it would be covered by the need to measure internal events that I mentioned above.) > What can happen in between a "table_load" and "device_resume" that is security > relevant? The table prepared by the load can be cleared. That would change the effect of the resume. > Not directly device mapper related, but it would be nice to also measure the > mount points and a mapping to the device IDs. Again, that would be for future patches building on these ones. Alasdair
