[dm-devel] [RFC PATCH 2/3] dm verity: add support for IMA target update event
Thore Sommer
public at thson.de
Mon May 9 09:33:34 UTC 2022
Hi Lakshmi,
On 06.05.22 22:35, Lakshmi Ramasubramanian wrote:
> Hi Thore,
>
> On 1/6/2022 12:34 PM, Thore Sommer wrote:
>> On first corruption the verity targets triggers a dm_target_update event.
>> This allows other systems to check using IMA if the state of the
>> device is
>> still trustworthy via remote attestation.
> In the patch description please state the existing problem (or,
> limitation in the existing implementation) and then describe how the
> proposed change addresses the issue.
The problem is that we never see a IMA entry when a target gets marked
as corrupted. The proposed change uses the new dm_target_update event to
remeasure the table when the target table entry changes from valid to
corrupted. I will add a more complete description to v2.
>
>>
>> Signed-off-by: Thore Sommer <public at thson.de>
>> ---
>> drivers/md/dm-verity-target.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/md/dm-verity-target.c
>> b/drivers/md/dm-verity-target.c
>> index 80133aae0db3..09696e25bf1c 100644
>> --- a/drivers/md/dm-verity-target.c
>> +++ b/drivers/md/dm-verity-target.c
>> @@ -16,6 +16,7 @@
>> #include "dm-verity.h"
>> #include "dm-verity-fec.h"
>> #include "dm-verity-verify-sig.h"
>> +#include "dm-ima.h"
>> #include <linux/module.h>
>> #include <linux/reboot.h>
>> #include <linux/scatterlist.h>
>> @@ -218,10 +219,15 @@ static int verity_handle_err(struct dm_verity
>> *v, enum verity_block_type type,
>> char *envp[] = { verity_env, NULL };
>> const char *type_str = "";
>> struct mapped_device *md = dm_table_get_md(v->ti->table);
>> + int old_hash_failed = v->hash_failed;
>> /* Corruption should be visible in device status in all modes */
>> v->hash_failed = 1;
>> + /* Only remeasure on first failure */
>> + if (!old_hash_failed)
>> + dm_ima_measure_on_target_update(v->ti);
> It is not obvious to me why the call to measure on target update is not
> done here immediately. Updating the comment to explain the logic would
> help.
The change should be only measured once, because otherwise we would
create many IMA entries each for every corrupted block read if I
understand the verity code correctly. So we need to check if the state
before was valid, but we need to measure after the table was changed to
corrupted (v->hash_failed = 1).
Something like this might be a bit clearer and does not use a extra
variable:
+ if (!v->hash_failed)
+ v->hash_failed = 1;
+ dm_ima_measure_on_target_update(v->ti);
Regards,
Thore
>
> thanks,
> -lakshmi
>
>> +
>> if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS)
>> goto out;
More information about the dm-devel
mailing list