[dm-devel] [PATCH 0/7] device mapper target measurements using IMA

Tushar Sugandhi tusharsu at linux.microsoft.com
Thu Jul 29 19:24:18 UTC 2021 

Hi Thore,
Replying to a few questions which were not already answered by me/Alasdair.


On 7/27/21 3:18 AM, Thore Sommer wrote:

> There is no way to verify if the root hash was verified against a signature. We
> have "root_hash_sig_key_desc SIGNATURE_DESCRIPTION" in the dm table.
> "SIGNATURE_DESCRIPTION" itself is not really useful because it seems that we
> cannot map it back to the certificate that was used for verification but the
> presence of "root_hash_sig_key_desc" might be enough in combination with
> measuring the keyring.

Thanks for the suggestion Thore.
I can update the verity_status() to measure if v->signature_key_desc is 
set.

Something like:
DMEMIT("signature_key_desc_present=%c,", v->signature_key_desc ? 'y' :
'n');

Alasdair, Mike,
Can you tell if this is needed and/or sufficient?
If it is needed, should we log the full string  v->signature_key_desc?
I am concerned about logging the full string as it is an unbounded
buffer (a char*) coming from UM. And at the same time, not sure if just
logging the presence is sufficient. Thoughts?

Thore,
Please note – even if we measure signature_key_desc (full string or just
its presence): in order to use it with the keyrings, the IMA policy also
needs to be set to measure key rings (using “measure func=KEY_CHECK
...”). It is independent from measuring the device mapper data (which is
measured when the policy is set to “measure func=CRITICAL_DATA
label=device-mapper ...”).

Therefore measuring keyrings together (i.e. in the same IMA log) with DM
data  is not always guaranteed, since it is dictated by how the IMA
policy is configured.

Just FYI.

> For remote attestation services it would be nice if we have clear indicator from
> what component the "ima-buf" entry was generated. Prefixing all "n-ng" field
> entries with something like "dm_" would make it easier for us to add different
> validators for different measurements that use the "ima-buf" template. The
> keyring measurements already use "ima-buf" and using some kind of naming scheme
> to easily differentiate the entries would be nice.
The event names typically come from kernel components that are doing the
measurement of critical data. So any duplicates should be caught in the
upstream review of the kernel patch.

But thanks for the suggestion. I will prefix the event names in this 
patch series with “dm_” to indicate they are related to device mapper.

Thanks,
Tushar
> Regards,
> Thore
>

More information about the dm-devel mailing list