From patchwork Thu Jan 6 20:34:34 2022
X-Patchwork-Submitter: Thore Sommer
X-Patchwork-Id: 12705696
From: Thore Sommer
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org, Thore Sommer
Subject: [RFC PATCH 1/3] dm ima: allow targets to remeasure their table entry
Date: Thu, 6 Jan 2022 21:34:34 +0100
Message-Id: <20220106203436.281629-2-public@thson.de>
In-Reply-To: <20220106203436.281629-1-public@thson.de>
References: <20220106203436.281629-1-public@thson.de>
X-Mailing-List: linux-integrity@vger.kernel.org

A new DM event dm_target_update is introduced for targets to remeasure their table entry. This is intended for targets that indicate security-relevant events by updating one of their table entries (e.g. verity for corruption). In the event the dm version, device metadata and target data get measured. This does not update the hash of the active table because it would require rehashing the whole table with all the other targets' entries.

Signed-off-by: Thore Sommer
---
 drivers/md/dm-ima.c | 76 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/md/dm-ima.h |  2 ++
 2 files changed, 78 insertions(+)

diff --git a/drivers/md/dm-ima.c b/drivers/md/dm-ima.c
index 957999998d70..3b1bb97263d9 100644
--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -750,3 +750,79 @@ void dm_ima_measure_on_device_rename(struct mapped_device *md) kfree(new_dev_name); kfree(new_dev_uuid); } + +/* + * Give the option for targets to remeasure on state change. + */ +void dm_ima_measure_on_target_update(struct dm_target *ti) +{ + char *ima_buf = NULL, *target_metadata_buf = NULL, *target_data_buf = NULL; + struct dm_target *ti2; + size_t target_metadata_buf_len, target_data_buf_len; + unsigned int num_targets, target_index; + struct dm_table *table = ti->table; + struct mapped_device *md = table->md; + bool found = false; + bool noio = true; + int l = 0; + + ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, GFP_KERNEL, noio); + if (!ima_buf) + return; + + target_metadata_buf = dm_ima_alloc(DM_IMA_TARGET_METADATA_BUF_LEN, GFP_KERNEL, noio); + if (!target_metadata_buf) + goto exit; + + target_data_buf = dm_ima_alloc(DM_IMA_TARGET_DATA_BUF_LEN, GFP_KERNEL, noio); + if (!target_data_buf) + goto exit; + + /* + * Get the index of the target in the table. + */ + num_targets = dm_table_get_num_targets(table); + for (target_index = 0; target_index < num_targets; target_index++) { + ti2 = dm_table_get_target(table, target_index); + if (!ti) + goto exit; + if (ti == ti2) { + found = true; + break; + } + } + if (!found) + goto exit; + + scnprintf(target_metadata_buf, DM_IMA_TARGET_METADATA_BUF_LEN, + "target_index=%d,target_begin=%llu,target_len=%llu,", + target_index, ti->begin, ti->len); + target_metadata_buf_len = strlen(target_metadata_buf); + + if (ti->type->status) + ti->type->status(ti, STATUSTYPE_IMA, STATUSTYPE_IMA, target_data_buf, + DM_IMA_TARGET_DATA_BUF_LEN); + else + target_data_buf[0] = '\0'; + target_data_buf_len = strlen(target_data_buf); + + memcpy(ima_buf + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len); + l += md->ima.dm_version_str_len; + + memcpy(ima_buf + l, md->ima.active_table.device_metadata, + md->ima.active_table.device_metadata_len); + l += md->ima.active_table.device_metadata_len; + + memcpy(ima_buf + l, 
target_metadata_buf, target_metadata_buf_len); + l += target_metadata_buf_len; + + memcpy(ima_buf + l, target_data_buf, target_data_buf_len); + + dm_ima_measure_data("dm_target_update", ima_buf, strlen(ima_buf), noio); + +exit: + kfree(ima_buf); + kfree(target_data_buf); + kfree(target_metadata_buf); +} +EXPORT_SYMBOL_GPL(dm_ima_measure_on_target_update); diff --git a/drivers/md/dm-ima.h b/drivers/md/dm-ima.h index b8c3b614670b..281a8b65f8a9 100644 --- a/drivers/md/dm-ima.h +++ b/drivers/md/dm-ima.h @@ -63,6 +63,7 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap); void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all); void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map); void dm_ima_measure_on_device_rename(struct mapped_device *md); +void dm_ima_measure_on_target_update(struct dm_target *ti); #else 
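Review bot: in the dm-ima.c hunk above, the NULL check inside the target lookup loop tests the wrong pointer: `ti2 = dm_table_get_target(table, target_index); if (!ti) goto exit;` checks the caller's `ti`, which cannot be NULL at that point, instead of the freshly fetched `ti2`; change it to `if (!ti2)`. Three further points in the same function. First, the status call `ti->type->status(ti, STATUSTYPE_IMA, STATUSTYPE_IMA, target_data_buf, DM_IMA_TARGET_DATA_BUF_LEN)` passes STATUSTYPE_IMA as the third argument, which is the status_flags parameter of the callback, not a type; pass 0 there. Second, the four memcpy() calls into ima_buf are unbounded: nothing checks that dm_version_str_len + device_metadata_len + target_metadata_buf_len + target_data_buf_len fits in DM_IMA_MEASUREMENT_BUF_LEN, and the closing `dm_ima_measure_data("dm_target_update", ima_buf, strlen(ima_buf), noio)` relies on the allocation being zero-filled rather than on an explicit terminator; add a length check before the copies and bail out (or truncate and say so in the commit message) when the target row does not fit. Third, the function walks `ti->table` and copies `md->ima.active_table.device_metadata` without taking any lock, reference or NULL check, yet it is exported for use from a target's error path; the commit message should state why the table and md cannot be swapped or freed underneath it and why device_metadata is guaranteed to be populated for every device whose target can fire this event.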
@@ -72,6 +73,7 @@ static inline void dm_ima_measure_on_device_resume(struct mapped_device *md, boo static inline void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all) {} static inline void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map) {} static inline void dm_ima_measure_on_device_rename(struct mapped_device *md) {} +static inline void dm_ima_measure_on_target_update(struct dm_target *ti) {} #endif /* CONFIG_IMA */

From patchwork Thu Jan 6 20:34:35 2022
X-Patchwork-Submitter: Thore Sommer
X-Patchwork-Id: 12705704
From: Thore Sommer
To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org, Thore Sommer
Subject: [RFC PATCH 2/3] dm verity: add support for IMA target update event
Date: Thu, 6 Jan 2022 21:34:35 +0100
Message-Id: <20220106203436.281629-3-public@thson.de>
In-Reply-To: <20220106203436.281629-1-public@thson.de>
References: <20220106203436.281629-1-public@thson.de>
X-Mailing-List: linux-integrity@vger.kernel.org

On first corruption the verity target triggers a dm_target_update event. This allows other systems to check using IMA whether the state of the device is still trustworthy via remote attestation.

Signed-off-by: Thore Sommer
---
 drivers/md/dm-verity-target.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 80133aae0db3..09696e25bf1c 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -16,6 +16,7 @@ #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" +#include "dm-ima.h" #include #include #include
@@ -218,10 +219,15 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type, char *envp[] = { verity_env, NULL }; const char *type_str = ""; struct mapped_device *md = dm_table_get_md(v->ti->table); + int old_hash_failed = v->hash_failed; /* Corruption should be visible in device status in all modes */ v->hash_failed = 1; + /* Only remeasure on first failure */ + if (!old_hash_failed) + dm_ima_measure_on_target_update(v->ti); + if (v->corrupted_errs >= DM_VERITY_MAX_CORRUPTED_ERRS) goto out;

From patchwork Thu Jan 6 20:34:36 2022
X-Patchwork-Submitter: Thore Sommer
X-Patchwork-Id: 12705697
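Review bot: the first-failure gate in the verity_handle_err() hunk above is a non-atomic read-then-write: `int old_hash_failed = v->hash_failed;` followed by `v->hash_failed = 1;` and `if (!old_hash_failed) dm_ima_measure_on_target_update(v->ti);`. verity_handle_err() is reached from the per-bio verification work items, which run concurrently, so two errors on different blocks can both observe old_hash_failed == 0 and both record a dm_target_update measurement, which contradicts the "Only remeasure on first failure" comment. Make the transition atomic, for example `if (!xchg(&v->hash_failed, 1)) dm_ima_measure_on_target_update(v->ti);`, so that exactly one entry is emitted. It is also worth stating in the commit message that this path now allocates memory from the I/O error path (dm_ima_measure_on_target_update() allocates with the noio flag) and that this is acceptable for all callers of verity_handle_err().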
":PHkGeUmrW+uCZmxs998QJRUX30nOwJd7nOD9sw/xoauycprg5uef7cgCEpy7sPc=" X-RZG-CLASS-ID: mo00 Received: from USER-PC.fritz.box by smtp.strato.de (RZmta 47.37.6 DYNA|AUTH) with ESMTPSA id k3f463y06KYt05h (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate); Thu, 6 Jan 2022 21:34:55 +0100 (CET) From: Thore Sommer To: dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org, Thore Sommer Subject: [RFC PATCH 3/3] dm ima: add documentation target update event Date: Thu, 6 Jan 2022 21:34:36 +0100 Message-Id: <20220106203436.281629-4-public@thson.de> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220106203436.281629-1-public@thson.de> References: <20220106203436.281629-1-public@thson.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The dm_target_update event can be triggered by targets to remeasure their state to reflect that change also in IMA. This is event is currently only supported by verity. Signed-off-by: Thore Sommer --- .../admin-guide/device-mapper/dm-ima.rst | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/Documentation/admin-guide/device-mapper/dm-ima.rst b/Documentation/admin-guide/device-mapper/dm-ima.rst index a4aa50a828e0..ac9418ea99d3 100644 --- a/Documentation/admin-guide/device-mapper/dm-ima.rst +++ b/Documentation/admin-guide/device-mapper/dm-ima.rst @@ -93,6 +93,7 @@ Following device state changes will trigger IMA measurements: #. Device remove #. Table clear #. Device rename + #. Target update 1. Table load: --------------- 
@@ -321,6 +322,38 @@ The IMA measurement log has the following format for 'dm_device_rename': new_name=linear\=2,new_uuid=1234-5678; current_device_capacity=1024; +6. Target update: +------------------ +When a target changes updates its table it can trigger an remeasurement of that table. + +This is currently only implemented for 'verity' targets to detect measure corruption occurrences. +Note that the active table hash of the device does not get updated. + +The IMA measurement log has the following format for 'dm_target_update': + +:: + + EVENT_NAME := "dm_target_update" + EVENT_DATA := ";" ";" ";" + + dm_version_str := As described in the 'Table load' section above. + device_active_metadata := Device metadata that reflects the currently loaded active table. + The format is same as 'device_metadata' described in the 'Table load' section above. + target_data_row + E.g: if a verity device gets corrupted then IMA ASCII measurement log will have an entry with: + (converted from ASCII to text for readability) + + 10 1cc9c660afb7fddd1b7167f0c4e997ebca8b1c09 ima-buf sha256:e991f7692724257701c8e652682bd3246837ed2d655407b9e9f5a5b469e6c75b + dm_target_update + dm_version=4.45.0; + name=test,uuid=CRYPT-VERITY-e0d2a85fd61e41238174adaa32d296fe-test,major=253,minor=0,minor_count=1,num_targets=1; + target_index=0,target_begin=0,target_len=8,target_name=verity,target_version=1.8.0,hash_failed=C, + verity_version=1,data_device_name=7:1,hash_device_name=7:0,verity_algorithm=sha256, + root_digest=8c2eff0b45fc9815b94350f7a913683ef34085c734229bcf1345c31b07ac61b8, + salt=63010b7c63e28e6929a2f020dc71c97a0660a9f377a83c674a62feb01c5ca6b3, + ignore_zero_blocks=n,check_at_most_once=n; + + Supported targets: ==================
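Review bot: the added "Target update" section has wording errors that would ship into the admin guide as written: "When a target changes updates its table it can trigger an remeasurement of that table" should read "When a target updates its table entry it can trigger a remeasurement of that entry", and "to detect measure corruption occurrences" should be "to measure corruption occurrences". The field list also leaves `target_data_row` undefined: dm_version_str and device_active_metadata each get a ":=" description, target_data_row gets none; document it as the single target's row, i.e. the target_index/target_begin/target_len metadata followed by that target's STATUSTYPE_IMA output, as the example entry shows. Finally, because "the active table hash of the device does not get updated", the section should tell a verifier how to use the entry: correlate it by name/uuid with the preceding table load and resume entries for the same device rather than expect it to be reflected in a recomputed table hash.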
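A verifier-side check for the new event, added here as an example and not part of the patch series or the dm-ima code: it parses an ima-buf entry named dm_target_update in the layout the documentation patch describes, verifies the entry's buffer digest, and refuses a verity target whose hash_failed field is C. It assumes the ascii_runtime_measurements layout `<pcr> <template-hash> ima-buf <algo>:<digest> <event-name> <hex buf>`, that V is the value verity reports when no hash has failed, and that device names and UUIDs contain no ',' or ';'. The sample log line is constructed in the code from the fields of the documentation example; the expected root digest is taken from that example and would come from verifier policy in practice.

```python
"""Verifier-side check of dm_target_update entries in an IMA measurement log."""
import hashlib
import re

# Root digest the verifier expects for this verity device (taken from the
# documentation example; a real verifier loads it from its policy).
EXPECTED_ROOT_DIGEST = "8c2eff0b45fc9815b94350f7a913683ef34085c734229bcf1345c31b07ac61b8"

# ASSUMPTION: ascii_runtime_measurements layout for the ima-buf template:
#   <pcr> <template-hash> ima-buf <algo>:<buf-digest> <event-name> <buf as hex>
IMA_BUF_LINE = re.compile(
    r"^(\d+) ([0-9a-f]+) ima-buf ([a-z0-9_]+):([0-9a-f]+) (\S+) ([0-9a-f]+)$"
)


def parse_kv(section):
    """Parse "k=v,k=v,..." into a dict (assumes no ',' or ';' inside values)."""
    fields = {}
    for item in section.split(","):
        if item:
            key, _, value = item.partition("=")
            fields[key] = value
    return fields


def parse_ima_buf_line(line):
    """Return (pcr, event_name, payload) after checking the buffer digest.

    The digest field of an ima-buf entry is the hash of the measured buffer,
    so a line whose hex buffer was edited after the fact is rejected here.
    """
    match = IMA_BUF_LINE.match(line.strip())
    if not match:
        raise ValueError("not an ima-buf entry")
    pcr, _template_hash, algo, digest, name, buf_hex = match.groups()
    buf = bytes.fromhex(buf_hex)
    if hashlib.new(algo, buf).hexdigest() != digest:
        raise ValueError("buffer digest does not match the log entry")
    return int(pcr), name, buf.decode("ascii")


def parse_target_update(payload):
    """Split a dm_target_update payload into dm_version, device and target fields."""
    sections = payload.split(";")
    # Three ';'-terminated sections: dm_version, device metadata, target row.
    if len(sections) != 4 or sections[3] != "":
        raise ValueError("malformed dm_target_update payload")
    version, device, target = sections[:3]
    if not version.startswith("dm_version="):
        raise ValueError("payload does not start with dm_version")
    return {
        "dm_version": version.partition("=")[2],
        "device": parse_kv(device),
        "target": parse_kv(target),
    }


def assess_verity_target(event):
    """Decide whether a verity target is still trustworthy. Returns (ok, reason)."""
    target = event["target"]
    if target.get("target_name") != "verity":
        return False, "unexpected target type: %r" % target.get("target_name")
    if target.get("root_digest") != EXPECTED_ROOT_DIGEST:
        return False, "root_digest is not the expected one"
    state = target.get("hash_failed")
    if state == "C":                  # corruption seen by dm-verity
        return False, "verity reported corruption (hash_failed=C)"
    if state != "V":                  # ASSUMPTION: 'V' is the no-failure value
        return False, "unknown hash_failed value: %r" % state
    return True, "ok"


def check_line(line):
    """Full pipeline for one log line; None for entries that are not dm_target_update."""
    _pcr, name, payload = parse_ima_buf_line(line)
    if name != "dm_target_update":
        return None
    return assess_verity_target(parse_target_update(payload))


def encode_ima_buf_line(event_name, payload):
    """Encode an ima-buf line (CONSTRUCTED input) for a given event name and payload."""
    data = payload.encode("ascii")
    # The template hash normally covers the whole template record and is chained
    # into the PCR; it is a stand-in here and is not checked by this example.
    template_hash = hashlib.sha1(data).hexdigest()
    return "10 %s ima-buf sha256:%s %s %s" % (
        template_hash, hashlib.sha256(data).hexdigest(), event_name, data.hex())


def make_sample_line(hash_failed):
    """Build a CONSTRUCTED dm_target_update line from the documentation example fields."""
    payload = (
        "dm_version=4.45.0;"
        "name=test,uuid=CRYPT-VERITY-e0d2a85fd61e41238174adaa32d296fe-test,"
        "major=253,minor=0,minor_count=1,num_targets=1;"
        "target_index=0,target_begin=0,target_len=8,target_name=verity,"
        "target_version=1.8.0,hash_failed=" + hash_failed + ",verity_version=1,"
        "data_device_name=7:1,hash_device_name=7:0,verity_algorithm=sha256,"
        "root_digest=" + EXPECTED_ROOT_DIGEST + ","
        "salt=63010b7c63e28e6929a2f020dc71c97a0660a9f377a83c674a62feb01c5ca6b3,"
        "ignore_zero_blocks=n,check_at_most_once=n;"
    )
    return encode_ima_buf_line("dm_target_update", payload)


if __name__ == "__main__":
    for state in ("V", "C"):
        print(state, check_line(make_sample_line(state)))
```

The digest check matters because the ASCII log is not itself integrity-protected: only the template hashes chained into the PCR are, so a verifier first ties the log to the quote and then, as here, ties each buffer to its digest before trusting any field in it.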