[dm-devel] [PATCH 0/7] device mapper target measurements using IMA
Tushar Sugandhi
tusharsu at linux.microsoft.com
Sat Jul 24 06:57:07 UTC 2021
Hi Mike,
On 7/20/21 2:27 PM, Mike Snitzer wrote:
> On Mon, Jul 12 2021 at 8:48P -0400,
> Tushar Sugandhi <tusharsu at linux.microsoft.com> wrote:
>
>> For a given system, various external services/infrastructure tools
>> (including the attestation service) interact with it - both during the
>> setup and during rest of the system run-time. They share sensitive data
>> and/or execute critical workload on that system. The external services
>> may want to verify the current run-time state of the relevant kernel
>> subsystems before fully trusting the system with business-critical
>> data/workload.
>>
>> Device mapper is one such kernel subsystem that plays a critical role on
>> a given system by providing various important functionalities to the
>> block devices with various target types like crypt, verity, integrity
>> etc. Each of these target types’ functionalities can be configured with
>> various attributes. The attributes chosen to configure these target types
>> can significantly impact the security profile of the block device,
>> and in-turn, of the system itself. For instance, the type of encryption
>> algorithm and the key size determines the strength of encryption for a
>> given block device.
>>
>> Therefore, verifying the current state of various block devices as well
>> as their various target attributes is crucial for external services
>> before fully trusting the system with business-critical data/workload.
>>
>> IMA provides the necessary functionality for device mapper to measure the
>> state and configuration of various block devices -
>> - BY device mapper itself, from within the kernel,
>> - in a tamper resistant way,
>> - and re-measured - triggered on state/configuration change.
>>
>> This patch series uses this IMA functionality, by calling the function
>> ima_measure_critical_data(), when a block device state is changed (e.g.
>> on device create, resume, rename, remove etc.) It measures the device
>> state and configuration and stores it in IMA logs, so that it can be
>> used by external services for managing the system.
> I needed to EXPORT_SYMBOL_GPL(ima_measure_critical_data); otherwise I
> couldn't compile.. not sure but I can only imagine you compile DM
> (and all targets) to be builtin?
I believe the EXPORT_SYMBOL_GPL(ima_measure_critical_data) is now needed
because of the move “#ifdef CONFIG_IMA from dm-ima.c to dm-ima.h”, and
the associated change in the Makefile
+ifeq ($(CONFIG_IMA),y)
dm-mod-objs += dm-ima.o
+endif
Earlier I needed to export symbol only if I was calling
ima_measure_critical_data() directly from various dm-*.c files.
With my earlier implementation, it wasn’t needed when it was called from
the wrapper dm_ima_measure_data() in dm-ima.c.
> In addition to fixing that (in first table load patch) I changed
> various things along the way while I reviewed each patch.
Thank you so much for making the necessary changes Mike. Really
appreciate it.
> Things that I recall are:
> - moved #ifdef CONFIG_IMA from dm-ima.c to dm-ima.h
> - fixed various typos and whitespace
> - consistently prepend "," in STATUSTYPE_IMA's DMEMIT()s as opposed to
> having a mix or pre and postfix throughout targets
> - fixed what seemed like malformed STATUSTYPE_IMA handling for
> dm-multipath -- it was DMEMIT(";") for each dm-mpath's pathgroup
> - added some fields to dm-mpath, renamed some IMA names in name=value
> pairs to be more clear.
I went through the changes you made. They look fine. In addition to the
above changes, you also fixed a warning in dm-raid.c. (initializing the
recovery variable)
Thanks again. :)
> I've staged the result in linux-next via linux-dm.git's dm-5.15
> branch, see:
> https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git/log/?h=dm-5.15
>
> I've compiled tested both with and without CONFIG_IMA set. But
> haven't actually tested the code.
No worries. I will test the changesthoroughly again.
> Please send any incremental fixes relative to the dm-5.15 branch and
> I'll get them folded in where appropriate.
Ok. I will send incremental patches against dm-5.15 as you've suggested.
Thanks again for the review and all the help so far. Really appreciate
it. ~Tushar
> Thanks,
> Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/dm-devel/attachments/20210723/7ef23eee/attachment.htm>
More information about the dm-devel
mailing list