[RFC,0/3] dm ima: allow targets to remeasure their state

Message ID 20220106203436.281629-1-public@thson.de (mailing list archive)

Message

Thore Sommer Jan. 6, 2022, 8:34 p.m. UTC
The current DM IMA events do not cover the case where a device changes
its attributes to indicate a state change. This adds a new event
(dm_target_update) which allows targets to remeasure their table entries.
The event includes the dm version, device metadata and the target data.

Currently only verity supports this event to ensure that device corruption
can be detected using IMA which is useful for remote attestation.

The current implementation does not update the active table hash because
it would require rehashing the entire table on every target change.

Thore Sommer (3):
  dm ima: allow targets to remeasure their table entry
  dm verity: add support for IMA target update event
  dm ima: add documentation target update event

 .../admin-guide/device-mapper/dm-ima.rst      | 33 ++++++++
 drivers/md/dm-ima.c                           | 76 +++++++++++++++++++
 drivers/md/dm-ima.h                           |  2 +
 drivers/md/dm-verity-target.c                 |  6 ++
 4 files changed, 117 insertions(+)

Comments

Lakshmi Ramasubramanian May 6, 2022, 8:16 p.m. UTC | #1
Hi Thore,

On 1/6/2022 12:34 PM, Thore Sommer wrote:
> The current DM IMA events do not cover the case where a device changes
> their attributes to indicate a state change. 
It would be good to state here what issue(s) are caused, if any, or what
data/event we might be missing as a result of not measuring the device
attribute changes. And then state the benefits of the changes you have
implemented in this patch series.

> This adds a new event
> (dm_target_update) which allows targets to remeasure their table entries.
> The event includes the dm version, device metadata and the target data.
> 
> Currently only verity supports this event to ensure that device corruption
> can be detected using IMA which is useful for remote attestation.
Using the term "currently" in this context seems to indicate that this 
is the current state (existing behavior) in the Linux kernel 
implementation. You could instead reword it to indicate that your 
proposed measurement change is used by verity to add support for 
detecting device corruption.

> 
> The current implementation does not update the active table hash because
> it would require to rehash the entire table on every target change.
Similar to the above comment - could be reworded to indicate this is the 
proposed change and not the existing behavior.

thanks,
  -lakshmi

> 
> Thore Sommer (3):
>    dm ima: allow targets to remeasure their table entry
>    dm verity: add support for IMA target update event
>    dm ima: add documentation target update event
> 
>   .../admin-guide/device-mapper/dm-ima.rst      | 33 ++++++++
>   drivers/md/dm-ima.c                           | 76 +++++++++++++++++++
>   drivers/md/dm-ima.h                           |  2 +
>   drivers/md/dm-verity-target.c                 |  6 ++
>   4 files changed, 117 insertions(+)
> 

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
Thore Sommer May 9, 2022, 9:12 a.m. UTC | #2
Hi Lakshmi,

Thank you for taking a closer look at this patch set.

On 06.05.22 22:16, Lakshmi Ramasubramanian wrote:
> Hi Thore,
> 
> On 1/6/2022 12:34 PM, Thore Sommer wrote:
>> The current DM IMA events do not cover the case where a device changes
>> their attributes to indicate a state change. 
> It would be good to state here what issue(s) are caused, if any, or what 
> data\event we might be missing as a result of not measuring the device 
> attribute changes. And, then state the benefits of the changes you have 
> implemented in this patch series.

The existing behavior only measures the table content on target/device 
creation. This is fine for targets where the table content never 
changes, but some targets like verity, multipath and raid also use the 
table to indicate state changes. Those state changes are currently not 
measured via the device mapper IMA integration.

Measuring the state changes for verity is especially important
because after the initial creation the target is never corrupted and
only marked as such when a corrupted block is read. We want to measure that
change to remotely attest that the correct file system is used and not
tampered with. Doing that is not possible with the current features in
the kernel.

>> This adds a new event
>> (dm_target_update) which allows targets to remeasure their table entries.
>> The event includes the dm version, device metadata and the target data.
>>
>> Currently only verity supports this event to ensure that device 
>> corruption
>> can be detected using IMA which is useful for remote attestation.
> Using the term "currently" in this context seems to indicate that this 
> is the current state (existing behavior) in the Linux kernel 
> implementation. You could instead reword it to indicate that your 
> proposed measurement change is used by verity to add support for 
> detecting device corruption.

Yes, "currently" is confusing here, I will change it in v2.

Regards,
Thore


> 
>>
>> The current implementation does not update the active table hash because
>> it would require to rehash the entire table on every target change.
> Similar to the above comment - could be reworded to indicate this is the 
> proposed change and not the existing behavior.
> 
> thanks,
>   -lakshmi
> 
>>
>> Thore Sommer (3):
>>    dm ima: allow targets to remeasure their table entry
>>    dm verity: add support for IMA target update event
>>    dm ima: add documentation target update event
>>
>>   .../admin-guide/device-mapper/dm-ima.rst      | 33 ++++++++
>>   drivers/md/dm-ima.c                           | 76 +++++++++++++++++++
>>   drivers/md/dm-ima.h                           |  2 +
>>   drivers/md/dm-verity-target.c                 |  6 ++
>>   4 files changed, 117 insertions(+)
>>
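The cover letter says a dm_target_update record carries the dm version, the device metadata and the target data, and the reply above explains why a remote verifier needs it: the active table hash is not updated, so a verity target flipping to "corrupted" is only visible through the new event. The following verifier-side check is an added example, not code from the patch series; the exact field layout (three ';'-separated sections, ',' separated key=value pairs, a hash_failed flag of V or C) and the sample log lines are assumptions modelled on the existing dm-ima events.

```python
"""Spot verity state changes in a dm-ima measurement log (example code)."""


def _parse_kv(section: str) -> dict:
    """Turn 'a=1,b=2' into {'a': '1', 'b': '2'}."""
    return dict(item.split("=", 1) for item in section.split(",") if item)


def parse_dm_event(data: str) -> dict:
    """Split one record into its assumed sections:
    dm_version ; device metadata ; target data."""
    sections = data.split(";")
    if len(sections) != 3:
        raise ValueError(f"unexpected section count: {len(sections)}")
    return {
        "dm_version": _parse_kv(sections[0])["dm_version"],
        "device": _parse_kv(sections[1]),
        "target": _parse_kv(sections[2]),
    }


def verity_state_changes(entries):
    """Walk the log in order and report every verity target whose hash_failed
    flag differs from what was measured for it earlier. The active table hash
    is not refreshed on target updates, so only these events reveal the flip."""
    state, changes = {}, []
    for event, data in entries:
        if event not in ("dm_table_load", "dm_target_update"):
            continue  # resume/remove/rename records carry no target data here
        rec = parse_dm_event(data)
        tgt = rec["target"]
        if tgt.get("target_name") != "verity":
            continue
        key = (rec["device"]["uuid"], tgt["target_index"])
        old, new = state.get(key), tgt.get("hash_failed")
        if old is not None and old != new:
            changes.append((rec["device"]["name"], key[1], old, new))
        state[key] = new
    return changes


# Constructed sample (assumed format): a verity root device loaded clean, then
# remeasured via dm_target_update once a corrupted block was read.
DEV = "name=root,uuid=0a1b,major=254,minor=0,minor_count=1,num_targets=1"
TGT = "target_index=0,target_begin=0,target_len=2097152,target_name=verity,target_version=1.8.0"
SAMPLE_LOG = [
    ("dm_table_load", f"dm_version=4.45.0;{DEV};{TGT},hash_failed=V"),
    ("dm_device_resume", f"dm_version=4.45.0;{DEV};active_table_hash=sha256:00ff"),
    ("dm_target_update", f"dm_version=4.45.0;{DEV};{TGT},hash_failed=C"),
]

if __name__ == "__main__":
    print(verity_state_changes(SAMPLE_LOG))
```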