Commit 33ace4ca authored by Tushar Sugandhi's avatar Tushar Sugandhi Committed by Mike Snitzer

dm ima: update dm target attributes for ima measurements



Certain DM targets ('integrity', 'multipath', 'verity') need to update the
way their attributes are recorded in the ima log, so that the attestation
servers can interpret the data correctly and decide if the devices
meet the attestation requirements.  For instance, the "mode=%c" attribute
in the 'integrity' target is measured twice, the 'verity' target is
missing the attribute "root_hash_sig_key_desc=%s", and the 'multipath'
target needs to index the attributes properly.

Update 'integrity' target to remove the duplicate measurement of
the attribute "mode=%c".  Add "root_hash_sig_key_desc=%s" attribute
for the 'verity' target.  Index various attributes in 'multipath'
target.  Also, add "nr_priority_groups=%u" attribute to 'multipath'
target to record the number of priority groups.

Signed-off-by: default avatarTushar Sugandhi <tusharsu@linux.microsoft.com>
Suggested-by: default avatarThore Sommer <public@thson.de>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
parent f1cd6cb2
+0 −1
@@ -3328,7 +3328,6 @@ static void dm_integrity_status(struct dm_target *ti, status_type_t type,
		DMEMIT(",journal_sectors=%u", ic->initial_sectors - SB_SECTORS);
		DMEMIT(",interleave_sectors=%u", 1U << ic->sb->log2_interleave_sectors);
		DMEMIT(",buffer_sectors=%u", 1U << ic->log2_buffer_sectors);
		DMEMIT(",mode=%c", ic->mode);
		DMEMIT(";");
		break;
	}
+18 −8
@@ -1790,7 +1790,7 @@ static void multipath_resume(struct dm_target *ti)
static void multipath_status(struct dm_target *ti, status_type_t type,
			     unsigned status_flags, char *result, unsigned maxlen)
{
	int sz = 0;
	int sz = 0, pg_counter, pgpath_counter;
	unsigned long flags;
	struct multipath *m = ti->private;
	struct priority_group *pg;
@@ -1906,7 +1906,12 @@ static void multipath_status(struct dm_target *ti, status_type_t type,
		break;

	case STATUSTYPE_IMA:
		sz = 0; /*reset the result pointer*/

		DMEMIT_TARGET_NAME_VERSION(ti->type);
		DMEMIT(",nr_priority_groups=%u", m->nr_priority_groups);

		pg_counter = 0;
		list_for_each_entry(pg, &m->priority_groups, list) {
			if (pg->bypassed)
				state = 'D';	/* Disabled */
@@ -1914,21 +1919,26 @@ static void multipath_status(struct dm_target *ti, status_type_t type,
				state = 'A';	/* Currently Active */
			else
				state = 'E';	/* Enabled */
			DMEMIT(",pg_state=%c", state);
			DMEMIT(",nr_pgpaths=%u", pg->nr_pgpaths);
			DMEMIT(",path_selector_name=%s", pg->ps.type->name);
			DMEMIT(",pg_state_%d=%c", pg_counter, state);
			DMEMIT(",nr_pgpaths_%d=%u", pg_counter, pg->nr_pgpaths);
			DMEMIT(",path_selector_name_%d=%s", pg_counter, pg->ps.type->name);

			pgpath_counter = 0;
			list_for_each_entry(p, &pg->pgpaths, list) {
				DMEMIT(",path_name=%s,is_active=%c,fail_count=%u",
				       p->path.dev->name, p->is_active ? 'A' : 'F',
				       p->fail_count);
				DMEMIT(",path_name_%d_%d=%s,is_active_%d_%d=%c,fail_count_%d_%d=%u",
				       pg_counter, pgpath_counter, p->path.dev->name,
				       pg_counter, pgpath_counter, p->is_active ? 'A' : 'F',
				       pg_counter, pgpath_counter, p->fail_count);
				if (pg->ps.type->status) {
					DMEMIT(",path_selector_status=");
					DMEMIT(",path_selector_status_%d_%d=",
					       pg_counter, pgpath_counter);
					sz += pg->ps.type->status(&pg->ps, &p->path,
								  type, result + sz,
								  maxlen - sz);
				}
				pgpath_counter++;
			}
			pg_counter++;
		}
		DMEMIT(";");
		break;
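Review bot: The new `_%d` and `_%d_%d` suffixes on the multipath IMA attributes (pg_state, nr_pgpaths, path_selector_name, path_name, is_active, fail_count, path_selector_status) define the record layout an attestation server has to parse, but nothing in the hunk states that contract; a comment above the `pg_counter = 0;` line would pin it down, e.g. `/* IMA attributes are suffixed _<pg>[_<path>] with zero-based indices in list order; nr_priority_groups and nr_pgpaths_<pg> give the expected counts. */`. The counters are declared `int` and printed with `%d` while the counts they are paired with (`nr_priority_groups=%u`, `nr_pgpaths_%d=%u`) are unsigned; declaring `pg_counter` and `pgpath_counter` as `unsigned` and printing them with `%u` keeps the record uniform. The indices are positional, so a verifier comparing two records should not assume a given path keeps its index across table reloads; whether list order is stable cannot be confirmed from this hunk. multipath_status continues outside the hunk.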
+2 −0
@@ -794,6 +794,8 @@ static void verity_status(struct dm_target *ti, status_type_t type,

		DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n');
		DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n');
		if (v->signature_key_desc)
			DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc);

		if (v->mode != DM_VERITY_MODE_EIO) {
			DMEMIT(",verity_mode=");
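Review bot: `v->signature_key_desc` is emitted verbatim into a record whose fields are delimited by `,`, `=` and `;`, so a key description containing any of those characters would shift the field boundaries for an IMA log parser, and the hunk adds neither escaping nor a comment about it. Whether the description is constrained when the table is parsed is outside this hunk, so at minimum record the assumption next to the new line: `/* emitted unescaped; assumes key desc has no ',', '=' or ';' */`. The attribute is also omitted entirely when no key was given, which an attestation policy must treat as "no signature key configured" rather than as a malformed record; a word on that in the same comment would help whoever writes the parser. verity_status starts and ends outside the hunk.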