[PATCH 0/3] dm ima: allow targets to remeasure their state

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The existing device mapper IMA measurements only measure the table content
on target creation. This is fine for targets that do not change their table
during runtime, but some targets like verity use the table to display state
changes. Those changes are not visible through the existing device mapper
integration.

A new DM event "dm_target_update" is introduced for targets to remeasure
their table entry. This event is intended to be used by targets that change
their table entries to indicate potential security relevant information.
This allows for a more complete Remote Attestation of device mapper
targets.

One example use case is to verify the with verity protected root filesystem
using Remote Attestation via IMA. This was not possible before because the
corruption is only detected during runtime and not when the table is
loaded.

Keylime [1] has experimental support for validating this event, but it has
to be enabled manually.

Changes since RFC patch set [2]:
 - Added suggested changes from Lakshmi
 - rewrote target index calculation and removed unnecessary NULL check
 - rewrote verity integration to be more readable
 - Added more detailed description to the single commit messages


[1] https://keylime.dev/
[2] https://lore.kernel.org/linux-integrity/20220106203436.281629-1-public@xxxxxxxx/T/


Thore Sommer (3):
  dm ima: allow targets to remeasure their table entry
  dm verity: add support for IMA target update event
  dm ima: add documentation target update event

 .../admin-guide/device-mapper/dm-ima.rst      | 33 +++++++++
 drivers/md/dm-ima.c                           | 70 +++++++++++++++++++
 drivers/md/dm-ima.h                           |  2 +
 drivers/md/dm-verity-target.c                 | 10 ++-
 4 files changed, 113 insertions(+), 2 deletions(-)

-- 
2.36.0




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux