
Commit dc7b79c

Tushar Sugandhisnitm
authored andcommitted
dm ima: add version info to dm related events in ima log
The DM events present in the ima log contain various attributes in the key=value format. The attributes' names/values may change in the future, and new attributes may also get added. The attestation server needs some versioning to determine which attributes are supported and are expected in the ima log. Add version information to the DM events present in the ima log so that attestation servers can correctly process the attributes across different versions. Signed-off-by: Tushar Sugandhi <[email protected]> Suggested-by: Mimi Zohar <[email protected]> Signed-off-by: Mike Snitzer <[email protected]>
1 parent 8f509fd commit dc7b79c


2 files changed

+57
-12
lines changed


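--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -168,6 +168,7 @@ static int dm_ima_alloc_and_copy_capacity_str(struct mapped_device *md, char **c
 void dm_ima_reset_data(struct mapped_device *md)
 {
 memset(&(md->ima), 0, sizeof(md->ima));
+md->ima.dm_version_str_len = strlen(DM_IMA_VERSION_STR);
 }
 
 /*
@@ -223,6 +224,9 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 if (r)
 goto error;
 
+memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len);
+l += table->md->ima.dm_version_str_len;
+
 device_data_buf_len = strlen(device_data_buf);
 memcpy(ima_buf + l, device_data_buf, device_data_buf_len);
 l += device_data_buf_len;
@@ -280,6 +284,9 @@ void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_fl
 * prefix, so that multiple records from the same table_load for
 * a given device can be linked together.
 */
+memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len);
+l += table->md->ima.dm_version_str_len;
+
 memcpy(ima_buf + l, device_data_buf, device_data_buf_len);
 l += device_data_buf_len;
 
@@ -367,6 +374,7 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 unsigned int active_len = strlen(active), capacity_len = 0;
 unsigned int l = 0;
 bool noio = true;
+bool nodata = true;
 int r;
 
 device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio);
@@ -377,6 +385,9 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 if (r)
 goto error;
 
+memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+l += md->ima.dm_version_str_len;
+
 if (swap) {
 if (md->ima.active_table.hash != md->ima.inactive_table.hash)
 kfree(md->ima.active_table.hash);
@@ -412,8 +423,11 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 }
 
 if (md->ima.active_table.device_metadata) {
-l = md->ima.active_table.device_metadata_len;
-memcpy(device_table_data, md->ima.active_table.device_metadata, l);
+memcpy(device_table_data + l, md->ima.active_table.device_metadata,
+md->ima.active_table.device_metadata_len);
+l += md->ima.active_table.device_metadata_len;
+
+nodata = false;
 }
 
 if (md->ima.active_table.hash) {
@@ -426,16 +440,18 @@ void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap)
 
 memcpy(device_table_data + l, ";", 1);
 l++;
+
+nodata = false;
 }
 
-if (!l) {
+if (nodata) {
 r = dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio);
 if (r)
 goto error;
 
 scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-"name=%s,uuid=%s;device_resume=no_data;",
-dev_name, dev_uuid);
+"%sname=%s,uuid=%s;device_resume=no_data;",
+DM_IMA_VERSION_STR, dev_name, dev_uuid);
 l += strlen(device_table_data);
 
 }
@@ -472,6 +488,7 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 unsigned int capacity_len = 0;
 unsigned int l = 0;
 bool noio = true;
+bool nodata = true;
 int r;
 
 device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN*2, GFP_KERNEL, noio);
@@ -484,13 +501,18 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 goto exit;
 }
 
+memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+l += md->ima.dm_version_str_len;
+
 if (md->ima.active_table.device_metadata) {
 memcpy(device_table_data + l, device_active_str, device_active_len);
 l += device_active_len;
 
 memcpy(device_table_data + l, md->ima.active_table.device_metadata,
 md->ima.active_table.device_metadata_len);
 l += md->ima.active_table.device_metadata_len;
+
+nodata = false;
 }
 
 if (md->ima.inactive_table.device_metadata) {
@@ -500,6 +522,8 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 memcpy(device_table_data + l, md->ima.inactive_table.device_metadata,
 md->ima.inactive_table.device_metadata_len);
 l += md->ima.inactive_table.device_metadata_len;
+
+nodata = false;
 }
 
 if (md->ima.active_table.hash) {
@@ -512,6 +536,8 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 
 memcpy(device_table_data + l, ",", 1);
 l++;
+
+nodata = false;
 }
 
 if (md->ima.inactive_table.hash) {
@@ -524,19 +550,21 @@ void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all)
 
 memcpy(device_table_data + l, ",", 1);
 l++;
+
+nodata = false;
 }
 /*
 * In case both active and inactive tables, and corresponding
 * device metadata is cleared/missing - record the name and uuid
 * in IMA measurements.
 */
-if (!l) {
+if (nodata) {
 if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio))
 goto error;
 
 scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-"name=%s,uuid=%s;device_remove=no_data;",
-dev_name, dev_uuid);
+"%sname=%s,uuid=%s;device_remove=no_data;",
+DM_IMA_VERSION_STR, dev_name, dev_uuid);
 l += strlen(device_table_data);
 }
 
@@ -582,6 +610,7 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 char inactive_str[] = "inactive_table_hash=";
 unsigned int inactive_len = strlen(inactive_str);
 bool noio = true;
+bool nodata = true;
 int r;
 
 device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio);
@@ -592,6 +621,9 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 if (r)
 goto error1;
 
+memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len);
+l += md->ima.dm_version_str_len;
+
 if (md->ima.inactive_table.device_metadata_len &&
 md->ima.inactive_table.hash_len) {
 memcpy(device_table_data + l, md->ima.inactive_table.device_metadata,
@@ -608,14 +640,17 @@ void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map)
 
 memcpy(device_table_data + l, ";", 1);
 l++;
+
+nodata = false;
 }
 
-if (!l) {
+if (nodata) {
 if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio))
 goto error2;
 
 scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN,
-"name=%s,uuid=%s;table_clear=no_data;", dev_name, dev_uuid);
+"%sname=%s,uuid=%s;table_clear=no_data;",
+DM_IMA_VERSION_STR, dev_name, dev_uuid);
 l += strlen(device_table_data);
 }
 
@@ -694,8 +729,9 @@ void dm_ima_measure_on_device_rename(struct mapped_device *md)
 md->ima.active_table.device_metadata = new_device_data;
 md->ima.active_table.device_metadata_len = strlen(new_device_data);
 
-scnprintf(combined_device_data, DM_IMA_DEVICE_BUF_LEN * 2, "%snew_name=%s,new_uuid=%s;%s",
-old_device_data, new_dev_name, new_dev_uuid, capacity_str);
+scnprintf(combined_device_data, DM_IMA_DEVICE_BUF_LEN * 2,
+"%s%snew_name=%s,new_uuid=%s;%s", DM_IMA_VERSION_STR, old_device_data,
+new_dev_name, new_dev_uuid, capacity_str);
 
 dm_ima_measure_data("device_rename", combined_device_data, strlen(combined_device_data),
 noio);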
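Review bot: In the `if (nodata)` branch of dm_ima_measure_on_device_resume (hunk `@@ -426,16 +440,18 @@`), `l` is no longer zero when scnprintf() rewrites the buffer from offset 0: the version prefix was already copied and `l += md->ima.dm_version_str_len` applied earlier in the function (hunk `@@ -377,6 +385,9 @@`), so `l += strlen(device_table_data);` overstates the content length by `dm_version_str_len`, and anything appended later at `device_table_data + l` or measured over `l` bytes would presumably include a gap of non-content bytes. The removed `if (!l)` guard guaranteed l == 0 at that point; the replacement `nodata` flag does not, and scnprintf() already emits DM_IMA_VERSION_STR itself. The fix is `l = strlen(device_table_data);` in that branch. The same pattern appears in dm_ima_measure_on_device_remove (`@@ -524,19 +550,21 @@`, after `l += md->ima.dm_version_str_len` in `@@ -484,13 +501,18 @@`) and dm_ima_measure_on_table_clear (`@@ -608,14 +640,17 @@`, after `@@ -592,6 +621,9 @@`). All three enclosing functions start and end outside their hunks, so the final measurement call that consumes `l` is not visible here.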

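--- a/drivers/md/dm-ima.h
+++ b/drivers/md/dm-ima.h
@@ -18,6 +18,14 @@
 #define DM_IMA_DEVICE_CAPACITY_BUF_LEN 128
 #define DM_IMA_TABLE_HASH_ALG "sha256"
 
+#define __dm_ima_stringify(s) #s
+#define __dm_ima_str(s) __dm_ima_stringify(s)
+
+#define DM_IMA_VERSION_STR "dm_version=" \
+__dm_ima_str(DM_VERSION_MAJOR) "." \
+__dm_ima_str(DM_VERSION_MINOR) "." \
+__dm_ima_str(DM_VERSION_PATCHLEVEL) ";"
+
 #ifdef CONFIG_IMA
 
 struct dm_ima_device_table_metadata {
@@ -46,6 +54,7 @@ struct dm_ima_device_table_metadata {
 struct dm_ima_measurements {
 struct dm_ima_device_table_metadata active_table;
 struct dm_ima_device_table_metadata inactive_table;
+unsigned int dm_version_str_len;
 };
 
 void dm_ima_reset_data(struct mapped_device *md);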
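Review bot: `__dm_ima_stringify` and `__dm_ima_str` in hunk `@@ -18,6 +18,14 @@` use double-underscore names, which the C standard reserves for the implementation; kernel headers do this in places, but a non-reserved spelling such as `dm_ima_stringify`/`dm_ima_str` avoids the collision risk at no cost. DM_IMA_VERSION_STR is also assembled from DM_VERSION_MAJOR/MINOR/PATCHLEVEL, which as far as I can tell are the dm-ioctl interface version, so the IMA record format is versioned exactly as often as the ioctl ABI and not independently; a comment above the macro would make that coupling explicit for attestation-server authors, e.g. `/* Version prefix for every DM IMA record; it tracks the dm-ioctl version (DM_VERSION_*), not a separate IMA record-format version. */`. Since the string is a literal, the per-device `dm_version_str_len` added to struct dm_ima_measurements in `@@ -46,6 +54,7 @@` could be replaced by the compile-time `sizeof(DM_IMA_VERSION_STR) - 1`, though that is a matter of taste.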
