[dm-devel] [RFC PATCH 2/3] dm verity: add support for IMA target update event
Thore Sommer
public at thson.de
Thu Jan 6 20:34:35 UTC 2022
On first corruption the verity targets triggers a dm_target_update event.
This allows other systems to check using IMA if the state of the device is
still trustworthy via remote attestation.
Signed-off-by: Thore Sommer <public at thson.de>
---
drivers/md/dm-verity-target.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 80133aae0db3..09696e25bf1c 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -16,6 +16,7 @@
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
+#include "dm-ima.h"
#include <linux/module.h>
#include <linux/reboot.h>
#include <linux/scatterlist.h>
@@ -218,10 +219,15 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type,
char *envp[] = { verity_env, NULL };
const char *type_str = "";
struct mapped_device *md = dm_table_get_md(v->ti->table);
+ int old_hash_failed = v->hash_failed;
/* Corruption should be visible in device status in all modes */
v->hash_failed = 1;
+ /* Only remeasure on first failure */
+ if (!old_hash_failed)
+ dm_ima_measure_on_target_update(v->ti);
+
if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS)
goto out;
--
2.34.1
More information about the dm-devel
mailing list