======
dm-ima
======

For a given system, various external services/
(including the attestation service) interact w
setup and during rest of the system run-time.
and/or execute critical workload on that syste
may want to verify the current run-time state
subsystems before fully trusting the system wi
data/workload.

Device mapper plays a critical role on a given
various important functionalities to the block
target types like crypt, verity, integrity etc
types' functionalities can be configured wit
The attributes chosen to configure these targe
impact the security profile of the block devic
system itself. For instance, the type of encr
key size determines the strength of encryption

Therefore, verifying the current state of vari
as their various target attributes is crucial
fully trusting the system with business-critic

IMA kernel subsystem provides the necessary fu
device mapper to measure the state and configu
various block devices -

 - by device mapper itself, from within the ker
 - in a tamper resistant way,
 - and re-measured - triggered on state/configu

Setting the IMA Policy:
=======================
For IMA to measure the data on a given system,
system needs to be updated to have following l
to be restarted for the measurements to take e

::

 /etc/ima/ima-policy
    measure func=CRITICAL_DATA label=device-ma

The measurements will be reflected in the IMA

::

 /sys/kernel/security/integrity/ima/ascii_runt
 /sys/kernel/security/integrity/ima/binary_run

Then IMA ASCII measurement log has the followi

::

 <PCR> <TEMPLATE_DATA_DIGEST> <TEMPLATE_NAME>

 PCR := Platform Configuration Register, in wh
        This is applicable if TPM chip is in us

 TEMPLATE_DATA_DIGEST := Template data digest
 TEMPLATE_NAME := Template name that registere

 TEMPLATE_DATA := <ALG> ":" <EVENT_DIGEST> <EV
                  It contains data for the spe
                  in a given template data for

 ALG := Algorithm to compute event digest
 EVENT_DIGEST := Digest of the event data
 EVENT_NAME := Description of the event (e.g.
 EVENT_DATA := The event data to be measured.

|

| *NOTE #1:*
| The DM target data measured by IMA subsystem
  be queried from userspace by setting DM_IMA_M
  DM_TABLE_STATUS_CMD.

|

| *NOTE #2:*
| The Kernel configuration CONFIG_IMA_DISABLE_
| To support recording duplicate IMA events in
  CONFIG_IMA_DISABLE_HTABLE=y.

Supported Device States:
========================
Following device state changes will trigger IM

 1. Table load
 #. Device resume
 #. Device remove
 #. Table clear
 #. Device rename

1. Table load:
---------------
When a new table is loaded in a device's inact
the device information and target specific det
targets in the table are measured.

The IMA measurement log has the following form

::

 EVENT_NAME := "dm_table_load"
 EVENT_DATA := <dm_version_str> ";" <device_me

 dm_version_str := "dm_version=" <N> "." <N> "
                   Same as Device Mapper driver
 device_metadata := <device_name> "," <device_
                    <minor_count> "," <num_devi

 device_name := "name=" <dm-device-name>
 device_uuid := "uuid=" <dm-device-uuid>
 device_major := "major=" <N>
 device_minor := "minor=" <N>
 minor_count := "minor_count=" <N>
 num_device_targets := "num_targets=" <N>
 dm-device-name := Name of the device. If it c
                   they are prefixed with '\'.
 dm-device-uuid := UUID of the device. If it c
                   they are prefixed with '\'.

 table_load_data := <target_data>
                    Represents the data (as na
                    which is being loaded into
 target_data := <target_data_row> | <target_da

 target_data_row := <target_index> "," <target
                    <target_version> "," <targ
 target_index := "target_index=" <N>
                 Represents nth target in the
                 If all the data for N targets
                 in the buffer (say from targe
                 The remaining data from targe
                 with the same format as that
                 i.e. <dm_version_str> ";" <de

 target_begin := "target_begin=" <N>
 target_len := "target_len=" <N>
 target_name := Name of the target. 'linear',
                The targets that are supported
                'Supported targets' section.
 target_version := "target_version=" <N> "." <
 target_attributes := Data containing comma se

 For instance, if a linear device is created w
  # dmsetup create linear1
  0 2 linear /dev/loop0 512
  2 2 linear /dev/loop0 512
  4 2 linear /dev/loop0 512
  6 2 linear /dev/loop0 512

 Then IMA ASCII measurement log will have the
 (converted from ASCII to text for readability

 10 a8c5ff755561c7a28146389d1514c318592af49a i
 dm_table_load
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=0,minor_co
 target_index=0,target_begin=0,target_len=2,ta
 target_index=1,target_begin=2,target_len=2,ta
 target_index=2,target_begin=4,target_len=2,ta
 target_index=3,target_begin=6,target_len=2,ta

2. Device resume:
------------------
When a suspended device is resumed, the device
data from previous load of an active table are

The IMA measurement log has the following form

::

 EVENT_NAME := "dm_device_resume"
 EVENT_DATA := <dm_version_str> ";" <device_me

 dm_version_str := As described in the 'Table
 device_metadata := As described in the 'Table
 active_table_hash := "active_table_hash=" <ta
                      Represents the hash of
                      active table for the dev
 table_hash_alg := Algorithm used to compute t
 table_hash := Hash of the (<dm_version_str> "
               as described in the 'dm_table_l
               Note: If the table_load data sp
               events for a given device, the
               i.e. (<dm_version_str> ";" <dev
               across all those events.
 current_device_capacity := "current_device_ca

 For instance, if a linear device is resumed w
  #dmsetup resume linear1

 then IMA ASCII measurement log will have an e
 (converted from ASCII to text for readability

 10 56c00cc062ffc24ccd9ac2d67d194af3282b934e i
 dm_device_resume
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=0,minor_co
 active_table_hash=sha256:4d73481ecce5eadba8ab

3. Device remove:
------------------
When a device is removed, the device informati
data from an active and inactive table are mea

The IMA measurement log has the following form

::

 EVENT_NAME := "dm_device_remove"
 EVENT_DATA := <dm_version_str> ";" <device_ac
               <active_table_hash> "," <inacti

 dm_version_str := As described in the 'Table
 device_active_metadata := Device metadata tha
                           The format is same
 device_inactive_metadata := Device metadata t
                             The format is sam
 active_table_hash := Hash of the currently lo
                      The format is same as 'a
 inactive_table_hash := Hash of the inactive
                        The format is same as
 remove_all := "remove_all=" <yes_no>
 yes_no := "y" | "n"
 current_device_capacity := "current_device_ca

 For instance, if a linear device is removed w
  #dmsetup remove l1

 then IMA ASCII measurement log will have the
 (converted from ASCII to text for readability

 10 790e830a3a7a31590824ac0642b3b31c2d0e8b38 i
 dm_device_remove
 dm_version=4.45.0;
 device_active_metadata=name=l1,uuid=,major=25
 device_inactive_metadata=name=l1,uuid=,major=
 active_table_hash=sha256:4a7e62efaebfc86af755
 inactive_table_hash=sha256:9d79c175bc2302d55a
 current_device_capacity=2048;

4. Table clear:
----------------
When an inactive table is cleared from the dev
data from an inactive table are measured.

The IMA measurement log has the following form

::

 EVENT_NAME := "dm_table_clear"
 EVENT_DATA := <dm_version_str> ";" <device_in

 dm_version_str := As described in the 'Table
 device_inactive_metadata := Device metadata t
                             The format is sam
 inactive_table_hash := Hash of the inactive t
                        The format is same as
 current_device_capacity := "current_device_ca

 For instance, if a linear device's inactive t
  #dmsetup clear l1

 then IMA ASCII measurement log will have an e
 (converted from ASCII to text for readability

 10 77d347408f557f68f0041acb0072946bb2367fe5 i
 dm_table_clear
 dm_version=4.45.0;
 name=l1,uuid=,major=253,minor=2,minor_count=1
 inactive_table_hash=sha256:75c0dc347063bf474d

5. Device rename:
------------------
When a device's NAME or UUID is changed, the
are measured.

The IMA measurement log has the following form

::

 EVENT_NAME := "dm_device_rename"
 EVENT_DATA := <dm_version_str> ";" <device_ac

 dm_version_str := As described in the 'Table
 device_active_metadata := Device metadata tha
                           The format is same
 new_device_name := "new_name=" <dm-device-nam
 dm-device-name := Same as <dm-device-name> de
 new_device_uuid := "new_uuid=" <dm-device-uui
 dm-device-uuid := Same as <dm-device-uuid> de
 current_device_capacity := "current_device_ca

 E.g 1: if a linear device's name is changed w
  #dmsetup rename linear1 --setuuid 1234-5678

 then IMA ASCII measurement log will have an e
 (converted from ASCII to text for readability

 10 8b0423209b4c66ac1523f4c9848c9b51ee332f48 i
 dm_device_rename
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=2,minor_co
 current_device_capacity=1024;

 E.g 2: if a linear device's name is changed
  # dmsetup rename linear1 linear=2

 then IMA ASCII measurement log will have an e
 (converted from ASCII to text for readability

 10 bef70476b99c2bdf7136fae033aa8627da1bf76f i
 dm_device_rename
 dm_version=4.45.0;
 name=linear1,uuid=1234-5678,major=253,minor=2
 new_name=linear\=2,new_uuid=1234-5678;
 current_device_capacity=1024;

Supported targets:
==================

Following targets are supported to measure the

 1. cache
 #. crypt
 #. integrity
 #. linear
 #. mirror
 #. multipath
 #. raid
 #. snapshot
 #. striped
 #. verity

1. cache
---------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <cache_device> "," <cach
                      <passthrough> "," <no_di

 target_name := "target_name=cache"
 target_version := "target_version=" <N> "." <
 metadata_mode := "metadata_mode=" <cache_meta
 cache_metadata_mode := "fail" | "ro" | "rw"
 cache_device := "cache_device=" <cache_device
 cache_origin_device := "cache_origin_device="
 writethrough := "writethrough=" <yes_no>
 writeback := "writeback=" <yes_no>
 passthrough := "passthrough=" <yes_no>
 no_discard_passdown := "no_discard_passdown="
 yes_no := "y" | "n"

 E.g.
 When a 'cache' target is loaded, then IMA ASC
 similar to the following, depicting what 'cac
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;name=cache1,uuid=cache_uuid
 target_index=0,target_begin=0,target_len=2867
 cache_metadata_device=253:4,cache_device=253:
 passthrough=n,metadata2=y,no_discard_passdown


2. crypt
---------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <submit_from_crypt_cpus>
                      <iv_large_sectors> "," <
                      [<sector_size> ","] [<ci
                      <key_extra_size> "," <ke

 target_name := "target_name=crypt"
 target_version := "target_version=" <N> "." <
 allow_discards := "allow_discards=" <yes_no>
 same_cpu_crypt := "same_cpu_crypt=" <yes_no>
 submit_from_crypt_cpus := "submit_from_crypt_
 no_read_workqueue := "no_read_workqueue=" <ye
 no_write_workqueue := "no_write_workqueue=" <
 iv_large_sectors := "iv_large_sectors=" <yes_
 integrity_tag_size := "integrity_tag_size=" <
 cipher_auth := "cipher_auth=" <string>
 sector_size := "sector_size=" <N>
 cipher_string := "cipher_string="
 key_size := "key_size=" <N>
 key_parts := "key_parts=" <N>
 key_extra_size := "key_extra_size=" <N>
 key_mac_size := "key_mac_size=" <N>
 yes_no := "y" | "n"

 E.g.
 When a 'crypt' target is loaded, then IMA ASC
 similar to the following, depicting what 'cry
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=crypt1,uuid=crypt_uuid1,major=253,minor=
 target_index=0,target_begin=0,target_len=1953
 allow_discards=y,same_cpu=n,submit_from_crypt
 iv_large_sectors=n,cipher_string=aes-xts-plai

3. integrity
-------------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <tag_size> "," <mode> ",
                      <allow_discards> "," <fi
                      <journal_sectors> "," <i

 target_name := "target_name=integrity"
 target_version := "target_version=" <N> "." <
 dev_name := "dev_name=" <device_name_str>
 start := "start=" <N>
 tag_size := "tag_size=" <N>
 mode := "mode=" <integrity_mode_str>
 integrity_mode_str := "J" | "B" | "D" | "R"
 meta_device := "meta_device=" <meta_device_st
 block_size := "block_size=" <N>
 recalculate := "recalculate=" <yes_no>
 allow_discards := "allow_discards=" <yes_no>
 fix_padding := "fix_padding=" <yes_no>
 fix_hmac := "fix_hmac=" <yes_no>
 legacy_recalculate := "legacy_recalculate=" <
 journal_sectors := "journal_sectors=" <N>
 interleave_sectors := "interleave_sectors=" <
 buffer_sectors := "buffer_sectors=" <N>
 yes_no := "y" | "n"

 E.g.
 When an 'integrity' target is loaded, then IMA
 similar to the following, depicting what 'int
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=integrity1,uuid=,major=253,minor=1,minor
 target_index=0,target_begin=0,target_len=7856
 dev_name=253:0,start=0,tag_size=32,mode=J,rec
 fix_hmac=n,legacy_recalculate=n,journal_secto


4. linear
----------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe

 target_name := "target_name=linear"
 target_version := "target_version=" <N> "." <
 device_name := "device_name=" <linear_device_
 start := "start=" <N>

 E.g.
 When a 'linear' target is loaded, then IMA AS
 similar to the following, depicting what 'lin
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=linear1,uuid=linear_uuid1,major=253,mino
 target_index=0,target_begin=0,target_len=2867
 device_name=253:1,start=2048;

5. mirror
----------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <mirror_device_data> ","

 target_name := "target_name=mirror"
 target_version := "target_version=" <N> "." <
 nr_mirrors := "nr_mirrors=" <NR>
 mirror_device_data := <mirror_device_row> | <
                       mirror_device_row is re
 mirror_device_row := <mirror_device_name> ","
 mirror_device_name := "mirror_device_" <X> "=
                       where <X> ranges from 0
 mirror_device_status := "mirror_device_" <X>
                         where <X> ranges from
 mirror_device_status_char := "A" | "F" | "D"
 handle_errors := "handle_errors=" <yes_no>
 keep_log := "keep_log=" <yes_no>
 log_type_status := "log_type_status=" <log_ty
 yes_no := "y" | "n"

 E.g.
 When a 'mirror' target is loaded, then IMA AS
 similar to the following, depicting what 'mir
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=mirror1,uuid=mirror_uuid1,major=253,mino
 target_index=0,target_begin=0,target_len=2048
    mirror_device_0=253:4,mirror_device_0_stat
    mirror_device_1=253:5,mirror_device_1_stat
 handle_errors=y,keep_log=n,log_type_status=;

6. multipath
-------------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      ["," <pg_state> "," <pri

 target_name := "target_name=multipath"
 target_version := "target_version=" <N> "." <
 nr_priority_groups := "nr_priority_groups=" <
 priority_groups := <priority_groups_row>|<pri
 priority_groups_row := "pg_state_" <X> "=" <p
                        "path_selector_name_"
                        where <X> ranges from
 pg_state_str := "E" | "A" | "D"
 <priority_group_paths> := <priority_group_pat
 priority_group_paths_row := "path_name_" <X>
                             "fail_count_" <X>
                             where <X> ranges
                             and <Y> ranges fr
 is_active_str := "A" | "F"

 E.g.
 When a 'multipath' target is loaded, then IMA
 similar to the following, depicting what 'mul
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=raid_LV1,uuid=uuid_raid_LV1,major=253,mi
 target_index=0,target_begin=0,target_len=2048
 raid_type=raid10,raid_disks=4,raid_state=idle
    raid_device_0_status=A,
    raid_device_1_status=A,
    raid_device_2_status=A,
    raid_device_3_status=A;


8. snapshot
------------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <snap_cow_name> "," <sna

 target_name := "target_name=snapshot"
 target_version := "target_version=" <N> "." <
 snap_origin_name := "snap_origin_name=" <stri
 snap_cow_name := "snap_cow_name=" <string>
 snap_valid := "snap_valid=" <yes_no>
 snap_merge_failed := "snap_merge_failed=" <ye
 snapshot_overflowed := "snapshot_overflowed="
 yes_no := "y" | "n"

 E.g.
 When a 'snapshot' target is loaded, then IMA
 similar to the following, depicting what 'sna
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=snap1,uuid=snap_uuid1,major=253,minor=13
 target_index=0,target_begin=0,target_len=4096
 snap_origin_name=253:11,snap_cow_name=253:12,

9. striped
-----------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <stripe_data> ";"

 target_name := "target_name=striped"
 target_version := "target_version=" <N> "." <
 stripes := "stripes=" <NS>
 chunk_size := "chunk_size=" <N>
 stripe_data := <stripe_data_row>|<stripe_data
 stripe_data_row := <stripe_device_name> "," <
 stripe_device_name := "stripe_" <X> "_device_
                       where <X> ranges from 0
 stripe_physical_start := "stripe_" <X> "_phys
                          where <X> ranges fr
 stripe_status := "stripe_" <X> "_status=" <st
                  where <X> ranges from 0 to (
 stripe_status_str := "D" | "A"

 E.g.
 When a 'striped' target is loaded, then IMA A
 similar to the following, depicting what 'str
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=striped1,uuid=striped_uuid1,major=253,mi
 target_index=0,target_begin=0,target_len=640,
    stripe_0_device_name=253:0,stripe_0_physic
    stripe_1_device_name=253:3,stripe_1_physic

10. verity
----------
The 'target_attributes' (described as part of
section above) has the following data format f

::

 target_attributes := <target_name> "," <targe
                      <data_device_name> "," <
                      <salt> "," <ignore_zero_
                      ["," <verity_mode>] ";"

 target_name := "target_name=verity"
 target_version := "target_version=" <N> "." <
 hash_failed := "hash_failed=" <hash_failed_st
 hash_failed_str := "C" | "V"
 verity_version := "verity_version=" <verity_v
 data_device_name := "data_device_name=" <data
 hash_device_name := "hash_device_name=" <hash
 verity_algorithm := "verity_algorithm=" <veri
 root_digest := "root_digest=" <root_digest_st
 salt := "salt=" <salt_str>
 salt_str := "-" <verity_salt_str>
 ignore_zero_blocks := "ignore_zero_blocks=" <
 check_at_most_once := "check_at_most_once=" <
 root_hash_sig_key_desc := "root_hash_sig_key_
 verity_mode := "verity_mode=" <verity_mode_st
 verity_mode_str := "ignore_corruption" | "res
 yes_no := "y" | "n"

 E.g.
 When a 'verity' target is loaded, then IMA AS
 similar to the following, depicting what 'ver
 for 'dm_table_load' event.
 (converted from ASCII to text for readability

 dm_version=4.45.0;
 name=test-verity,uuid=,major=253,minor=2,mino
 target_index=0,target_begin=0,target_len=1953
 verity_version=1,data_device_name=253:1,hash_
 root_digest=29cb87e60ce7b12b443ba6008266f3e41
 salt=e48da609055204e89ae53b655ca2216dd983cf3c
 ignore_zero_blocks=n,check_at_most_once=n;
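
A verifier that consumes 'dm_table_load' entries has to split the event data on ';' and ',' while honouring the '\' escapes described in the 'Table load' section, and can then vet target attributes such as the crypt target's cipher_string and key_size. The following is an added example, not part of the kernel documentation: it works on EVENT_DATA already converted to text, and the function names, the sample events (which carry only a subset of the crypt attributes) and the policy values are constructed for illustration.

```python
# Added example (not kernel code): parse dm_table_load EVENT_DATA in text form.
import re

def split_unescaped(text, sep):
    """Split on sep, skipping any character that is prefixed with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]   # an escape pair is kept for later passes
        i += step
    return parts + [cur]

def parse_fields(section):
    """Turn 'k1=v1,k2=v2' into a dict; escaped ',' and '=' stay in the value."""
    fields = {}
    for item in split_unescaped(section.strip(), ","):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key] = re.sub(r"\\(.)", r"\1", value)  # drop the escapes
    return fields

def parse_table_load(event_data):
    """Split EVENT_DATA into dm version, device metadata and target rows."""
    sections = [s for s in split_unescaped(event_data, ";") if s.strip()]
    if len(sections) < 2 or not sections[0].strip().startswith("dm_version="):
        raise ValueError("not dm_table_load EVENT_DATA")
    device = parse_fields(sections[1])
    targets = [parse_fields(s) for s in sections[2:]]
    return {"dm_version": parse_fields(sections[0])["dm_version"],
            "device": device, "targets": targets,
            # False when fewer rows than num_targets arrived in this event,
            # i.e. the table continues in a further dm_table_load event.
            "complete": len(targets) == int(device.get("num_targets", -1))}

def check_crypt_policy(parsed, allowed_ciphers, min_key_size):
    """Return findings for crypt targets outside the (assumed) local policy.
    min_key_size is compared in the same unit the log reports."""
    findings = []
    for t in parsed["targets"]:
        if t.get("target_name") != "crypt":
            continue
        where = f'{parsed["device"].get("name")}[{t.get("target_index")}]'
        if t.get("cipher_string") not in allowed_ciphers:
            findings.append(f"{where}: cipher_string={t.get('cipher_string')}")
        if int(t.get("key_size", 0)) < min_key_size:
            findings.append(f"{where}: key_size={t.get('key_size')}")
    return findings

# Constructed sample events; every value below is illustrative.
SAMPLE_OK = (
    "dm_version=4.45.0;"
    "name=crypt1,uuid=crypt_uuid1,major=253,minor=0,minor_count=1,num_targets=1;"
    "target_index=0,target_begin=0,target_len=2048,target_name=crypt,"
    "target_version=1.23.0,allow_discards=y,cipher_string=aes-xts-plain64,key_size=32;")
SAMPLE_WEAK = (
    "dm_version=4.45.0;"
    "name=vol\\,1,uuid=,major=253,minor=1,minor_count=1,num_targets=2;"
    "target_index=0,target_begin=0,target_len=2048,target_name=crypt,"
    "target_version=1.23.0,allow_discards=y,cipher_string=aes-cbc-plain,key_size=16;")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WEAK):
        parsed = parse_table_load(sample)
        print(parsed["device"]["name"], parsed["complete"],
              check_crypt_policy(parsed, {"aes-xts-plain64"}, 32))
```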