| Message ID | 20200822003834.5696-1-tusharsu@linux.microsoft.com (mailing list archive) |
|---|---|
| Headers | show
Return-Path: <SRS0=hBPR=CC=redhat.com=dm-devel-bounces@kernel.org> Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6F167913 for <patchwork-dm-devel@patchwork.kernel.org>; Mon, 24 Aug 2020 07:45:44 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1DC66206BE for <patchwork-dm-devel@patchwork.kernel.org>; Mon, 24 Aug 2020 07:45:43 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1DC66206BE Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-169-XaIccnVUOi2m-PqBYNqBZg-1; Mon, 24 Aug 2020 03:45:41 -0400 X-MC-Unique: XaIccnVUOi2m-PqBYNqBZg-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A018A18A2244; Mon, 24 Aug 2020 07:45:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 827FF19D6C; Mon, 24 Aug 2020 07:45:36 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5AEF8EC0B; Mon, 24 Aug 2020 07:45:36 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 07M0cxLo015166 for <dm-devel@listman.util.phx.redhat.com>; Fri, 21 Aug 2020 20:38:59 -0400 Received: by smtp.corp.redhat.com (Postfix) id 532011007262; Sat, 22 Aug 2020 00:38:59 +0000 (UTC) Delivered-To: dm-devel@redhat.com Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4F48B1006EB6 for <dm-devel@redhat.com>; Sat, 22 Aug 2020 00:38:58 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4A1C8888BE1 for <dm-devel@redhat.com>; Sat, 22 Aug 2020 00:38:58 +0000 (UTC) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by relay.mimecast.com with ESMTP id us-mta-236-BDV9q-fiNZmz3YopheMw8Q-1; Fri, 21 Aug 2020 20:38:48 -0400 X-MC-Unique: BDV9q-fiNZmz3YopheMw8Q-1 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 2F91020B4908; Fri, 21 Aug 2020 17:38:42 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2F91020B4908 From: Tushar Sugandhi <tusharsu@linux.microsoft.com> To: zohar@linux.ibm.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Date: Fri, 21 Aug 2020 17:38:32 -0700 Message-Id: <20200822003834.5696-1-tusharsu@linux.microsoft.com> X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 24 Aug 2020 03:44:38 -0400 Cc: sashal@kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, nramas@linux.microsoft.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, linux-integrity@vger.kernel.org Subject: [dm-devel] [PATCH v2 0/2] dm-devel:dm-crypt: infrastructure for measurement of DM target data using IMA X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development <dm-devel.redhat.com> List-Unsubscribe: <https://www.redhat.com/mailman/options/dm-devel>, <mailto:dm-devel-request@redhat.com?subject=unsubscribe> List-Archive: <https://www.redhat.com/archives/dm-devel> List-Post: <mailto:dm-devel@redhat.com> List-Help: <mailto:dm-devel-request@redhat.com?subject=help> List-Subscribe: <https://www.redhat.com/mailman/listinfo/dm-devel>, <mailto:dm-devel-request@redhat.com?subject=subscribe> MIME-Version: 1.0 Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0.002 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit |
| Series |
dm-devel:dm-crypt: infrastructure for measurement of DM target data using IMA
|
expand
|
There are several device-mapper targets which contribute to verify the integrity of the mapped devices e.g. dm-integrity, dm-verity, dm-crypt etc. But they do not use the capabilities provided by kernel integrity subsystem (IMA). For instance, the IMA capability that measures several in-memory constructs and files to detect if they have been accidentally or maliciously altered. IMA also has the capability to include these measurements in the IMA measurement list and use them to extend a TPM PCR so that they can be quoted. These TPM PCR extend operations ensure that the tampering with the order of constructs being measured, and tampering with the measured constructs themselves - doesn't go undetected. In general, this capability is used for remote attestation of in-memory constructs and files of interest. As of today,device-mapper targets don't use the benefits of extended TPM PCR quotes and ultimately the benefits of remote attestation. This series bridges this gap, so that all device-mapper targets could take advantage of IMA's measuring and quoting abilities - thus ultimately enabling remote attestation for device-mapper targets. This series is based on the following repo/branch: repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git branch: next-integrity commit 3db0d0c276a7 ("integrity: remove redundant initialization of variable ret") This series also has a dependency on the following patch series and should be applied in the following order: 1. https://patchwork.kernel.org/patch/11709527/ 2. https://patchwork.kernel.org/patch/11730193/ 3. https://patchwork.kernel.org/patch/11730757/ Change Log V2: - Removed the references to "local" measurement from the description - as this series only support remote attestation, and not local integrity enforcement. - Taken dependency on the updated base series (2. above), which introduced a boolean parameter measure_buf_hash as per community feedback to support measuring hash of the buffer, instead of the buffer itself. - Taken dependency on the updated early boot measurement series (3. above). Tushar Sugandhi (2): dm-devel: collect target data and submit to IMA to measure dm-crypt: collect data and submit to DM to measure drivers/md/Makefile | 1 + drivers/md/dm-crypt.c | 170 +++++++++++++++++++ drivers/md/dm-ima.c | 298 +++++++++++++++++++++++++++++++++ include/linux/device-mapper.h | 60 +++++++ security/integrity/ima/Kconfig | 3 +- 5 files changed, 530 insertions(+), 2 deletions(-) create mode 100644 drivers/md/dm-ima.c