Commit 8ec45662 authored by Tushar Sugandhi's avatar Tushar Sugandhi Committed by Mike Snitzer

dm: update target status functions to support IMA measurement

For device mapper targets to take advantage of IMA's measurement
capabilities, the status functions for the individual targets need to be
updated to handle the status_type_t case for value STATUSTYPE_IMA.

Update status functions for the following target types, to log their
respective attributes to be measured using IMA.
 01. cache
 02. crypt
 03. integrity
 04. linear
 05. mirror
 06. multipath
 07. raid
 08. snapshot
 09. striped
 10. verity

For rest of the targets, handle the STATUSTYPE_IMA case by setting the
measurement buffer to NULL.

For IMA to measure the data on a given system, the IMA policy on the
system needs to be updated to have the following line, and the system
needs to be restarted for the measurements to take effect.

/etc/ima/ima-policy
 measure func=CRITICAL_DATA label=device-mapper template=ima-buf

The measurements will be reflected in the IMA logs, which are located at:

/sys/kernel/security/integrity/ima/ascii_runtime_measurements
/sys/kernel/security/integrity/ima/binary_runtime_measurements

These IMA logs can later be consumed by various attestation clients
running on the system, and send them to external services for attesting
the system.

The DM target data measured by IMA subsystem can alternatively
be queried from userspace by setting DM_IMA_MEASUREMENT_FLAG with
DM_TABLE_STATUS_CMD.
Signed-off-by: default avatarTushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
parent 7d1d1df8
......@@ -3122,6 +3122,30 @@ static void cache_status(struct dm_target *ti, status_type_t type,
DMEMIT(" %s", cache->ctr_args[i]);
if (cache->nr_ctr_args)
DMEMIT(" %s", cache->ctr_args[cache->nr_ctr_args - 1]);
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
if (get_cache_mode(cache) == CM_FAIL)
DMEMIT(",metadata_mode=fail");
else if (get_cache_mode(cache) == CM_READ_ONLY)
DMEMIT(",metadata_mode=ro");
else
DMEMIT(",metadata_mode=rw");
format_dev_t(buf, cache->metadata_dev->bdev->bd_dev);
DMEMIT(",cache_metadata_device=%s", buf);
format_dev_t(buf, cache->cache_dev->bdev->bd_dev);
DMEMIT(",cache_device=%s", buf);
format_dev_t(buf, cache->origin_dev->bdev->bd_dev);
DMEMIT(",cache_origin_device=%s", buf);
DMEMIT(",writethrough=%c", writethrough_mode(cache) ? 'y' : 'n');
DMEMIT(",writeback=%c", writeback_mode(cache) ? 'y' : 'n');
DMEMIT(",passthrough=%c", passthrough_mode(cache) ? 'y' : 'n');
DMEMIT(",metadata2=%c", cache->features.metadata_version == 2 ? 'y' : 'n');
DMEMIT(",no_discard_passdown=%c", cache->features.discard_passdown ? 'n' : 'y');
DMEMIT(";");
break;
}
return;
......
......@@ -1499,6 +1499,11 @@ static void clone_status(struct dm_target *ti, status_type_t type,
for (i = 0; i < clone->nr_ctr_args; i++)
DMEMIT(" %s", clone->ctr_args[i]);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return;
......
......@@ -3485,7 +3485,34 @@ static void crypt_status(struct dm_target *ti, status_type_t type,
if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
DMEMIT(" iv_large_sectors");
}
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",allow_discards=%c", ti->num_discard_bios ? 'y' : 'n');
DMEMIT(",same_cpu_crypt=%c", test_bit(DM_CRYPT_SAME_CPU, &cc->flags) ? 'y' : 'n');
DMEMIT(",submit_from_crypt_cpus=%c", test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags) ?
'y' : 'n');
DMEMIT(",no_read_workqueue=%c", test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags) ?
'y' : 'n');
DMEMIT(",no_write_workqueue=%c", test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags) ?
'y' : 'n');
DMEMIT(",iv_large_sectors=%c", test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags) ?
'y' : 'n');
if (cc->on_disk_tag_size)
DMEMIT(",integrity_tag_size=%u,cipher_auth=%s",
cc->on_disk_tag_size, cc->cipher_auth);
if (cc->sector_size != (1 << SECTOR_SHIFT))
DMEMIT(",sector_size=%d", cc->sector_size);
if (cc->cipher_string)
DMEMIT(",cipher_string=%s", cc->cipher_string);
DMEMIT(",key_size=%u", cc->key_size);
DMEMIT(",key_parts=%u", cc->key_parts);
DMEMIT(",key_extra_size=%u", cc->key_extra_size);
DMEMIT(",key_mac_size=%u", cc->key_mac_size);
DMEMIT(";");
break;
}
}
......
......@@ -326,6 +326,10 @@ static void delay_status(struct dm_target *ti, status_type_t type,
DMEMIT_DELAY_CLASS(&dc->flush);
}
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -527,6 +527,10 @@ static void dust_status(struct dm_target *ti, status_type_t type,
DMEMIT("%s %llu %u", dd->dev->name,
(unsigned long long)dd->start, dd->blksz);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -401,6 +401,9 @@ static void ebs_status(struct dm_target *ti, status_type_t type,
snprintf(result, maxlen, ec->u_bs_set ? "%s %llu %u %u" : "%s %llu %u",
ec->dev->name, (unsigned long long) ec->start, ec->e_bs, ec->u_bs);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -1644,6 +1644,10 @@ static void era_status(struct dm_target *ti, status_type_t type,
format_dev_t(buf, era->origin_dev->bdev->bd_dev);
DMEMIT("%s %u", buf, era->sectors_per_block);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return;
......
......@@ -440,6 +440,10 @@ static void flakey_status(struct dm_target *ti, status_type_t type,
fc->corrupt_bio_value, fc->corrupt_bio_flags);
break;
case STATUSTYPE_IMA:
result[0] = '\0';
break;
}
}
......
......@@ -3306,6 +3306,31 @@ static void dm_integrity_status(struct dm_target *ti, status_type_t type,
EMIT_ALG(journal_mac_alg, "journal_mac");
break;
}
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",dev_name=%s,start=%llu,tag_size=%u,mode=%c",
ic->dev->name, ic->start, ic->tag_size, ic->mode);
if (ic->meta_dev)
DMEMIT(",meta_device=%s", ic->meta_dev->name);
if (ic->sectors_per_block != 1)
DMEMIT(",block_size=%u", ic->sectors_per_block << SECTOR_SHIFT);
DMEMIT(",recalculate=%c", (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING)) ?
'y' : 'n');
DMEMIT(",allow_discards=%c", ic->discard ? 'y' : 'n');
DMEMIT(",fix_padding=%c",
((ic->sb->flags & cpu_to_le32(SB_FLAG_FIXED_PADDING)) != 0) ? 'y' : 'n');
DMEMIT(",fix_hmac=%c",
((ic->sb->flags & cpu_to_le32(SB_FLAG_FIXED_HMAC)) != 0) ? 'y' : 'n');
DMEMIT(",legacy_recalculate=%c", ic->legacy_recalculate ? 'y' : 'n');
DMEMIT(",journal_sectors=%u", ic->initial_sectors - SB_SECTORS);
DMEMIT(",interleave_sectors=%u", 1U << ic->sb->log2_interleave_sectors);
DMEMIT(",buffer_sectors=%u", 1U << ic->log2_buffer_sectors);
DMEMIT(",mode=%c", ic->mode);
DMEMIT(";");
break;
}
}
......
......@@ -106,6 +106,7 @@ static void linear_status(struct dm_target *ti, status_type_t type,
unsigned status_flags, char *result, unsigned maxlen)
{
struct linear_c *lc = (struct linear_c *) ti->private;
size_t sz = 0;
switch (type) {
case STATUSTYPE_INFO:
......@@ -113,7 +114,12 @@ static void linear_status(struct dm_target *ti, status_type_t type,
break;
case STATUSTYPE_TABLE:
snprintf(result, maxlen, "%s %llu", lc->dev->name,
DMEMIT("%s %llu", lc->dev->name, (unsigned long long)lc->start);
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",device_name=%s,start=%llu;", lc->dev->name,
(unsigned long long)lc->start);
break;
}
......
......@@ -820,6 +820,9 @@ static int userspace_status(struct dm_dirty_log *log, status_type_t status_type,
DMEMIT("integrated_flush ");
DMEMIT("%s ", table_args);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return (r) ? 0 : (int)sz;
}
......
......@@ -834,6 +834,10 @@ static void log_writes_status(struct dm_target *ti, status_type_t type,
case STATUSTYPE_TABLE:
DMEMIT("%s %s", lc->dev->name, lc->logdev->name);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -793,6 +793,11 @@ static int core_status(struct dm_dirty_log *log, status_type_t status,
DMEMIT("%s %u %u ", log->type->name,
lc->sync == DEFAULTSYNC ? 1 : 2, lc->region_size);
DMEMIT_SYNC;
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return sz;
......@@ -817,6 +822,11 @@ static int disk_status(struct dm_dirty_log *log, status_type_t status,
lc->sync == DEFAULTSYNC ? 2 : 3, lc->log_dev->name,
lc->region_size);
DMEMIT_SYNC;
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return sz;
......
......@@ -1904,6 +1904,34 @@ static void multipath_status(struct dm_target *ti, status_type_t type,
}
}
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
list_for_each_entry(pg, &m->priority_groups, list) {
if (pg->bypassed)
state = 'D'; /* Disabled */
else if (pg == m->current_pg)
state = 'A'; /* Currently Active */
else
state = 'E'; /* Enabled */
DMEMIT(",pg_state=%c", state);
DMEMIT(",nr_pgpaths=%u", pg->nr_pgpaths);
DMEMIT(",path_selector_name=%s", pg->ps.type->name);
list_for_each_entry(p, &pg->pgpaths, list) {
DMEMIT(",path_name=%s,is_active=%c,fail_count=%u",
p->path.dev->name, p->is_active ? 'A' : 'F',
p->fail_count);
if (pg->ps.type->status) {
DMEMIT(",path_selector_status=");
sz += pg->ps.type->status(&pg->ps, &p->path,
type, result + sz,
maxlen - sz);
}
}
}
DMEMIT(";");
break;
}
spin_unlock_irqrestore(&m->lock, flags);
......
......@@ -255,6 +255,9 @@ static int hst_status(struct path_selector *ps, struct dm_path *path,
case STATUSTYPE_TABLE:
DMEMIT("0 ");
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -170,6 +170,9 @@ static int ioa_status(struct path_selector *ps, struct dm_path *path,
pi = path->pscontext;
DMEMIT("%*pb ", cpumask_pr_args(pi->cpumask));
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return sz;
......
......@@ -102,6 +102,9 @@ static int ql_status(struct path_selector *ps, struct dm_path *path,
case STATUSTYPE_TABLE:
DMEMIT("%u ", pi->repeat_count);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -100,6 +100,10 @@ static int rr_status(struct path_selector *ps, struct dm_path *path,
pi = path->pscontext;
DMEMIT("%u ", pi->repeat_count);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -99,6 +99,9 @@ static int st_status(struct path_selector *ps, struct dm_path *path,
DMEMIT("%u %u ", pi->repeat_count,
pi->relative_throughput);
break;
case STATUSTYPE_IMA:
result[0] = '\0';
break;
}
}
......
......@@ -3671,6 +3671,45 @@ static void raid_status(struct dm_target *ti, status_type_t type,
for (i = 0; i < rs->raid_disks; i++)
DMEMIT(" %s %s", __get_dev_name(rs->dev[i].meta_dev),
__get_dev_name(rs->dev[i].data_dev));
break;
case STATUSTYPE_IMA:
rt = get_raid_type_by_ll(mddev->new_level, mddev->new_layout);
if (!rt)
return;
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",raid_type=%s,raid_disks=%d", rt->name, mddev->raid_disks);
/* Access most recent mddev properties for status output */
smp_rmb();
recovery = rs->md.recovery;
state = decipher_sync_action(mddev, recovery);
DMEMIT(",raid_state=%s", sync_str(state));
for (i = 0; i < rs->raid_disks; i++) {
DMEMIT(",raid_device_%d_status=", i);
DMEMIT(__raid_dev_status(rs, &rs->dev[i].rdev));
}
if (rt_is_raid456(rt)) {
DMEMIT(",journal_dev_mode=");
switch (rs->journal_dev.mode) {
case R5C_JOURNAL_MODE_WRITE_THROUGH:
DMEMIT("%s",
_raid456_journal_mode[R5C_JOURNAL_MODE_WRITE_THROUGH].param);
break;
case R5C_JOURNAL_MODE_WRITE_BACK:
DMEMIT("%s",
_raid456_journal_mode[R5C_JOURNAL_MODE_WRITE_BACK].param);
break;
default:
DMEMIT("invalid");
break;
}
}
DMEMIT(";");
break;
}
}
......
......@@ -1435,6 +1435,23 @@ static void mirror_status(struct dm_target *ti, status_type_t type,
}
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",nr_mirrors=%d", ms->nr_mirrors);
for (m = 0; m < ms->nr_mirrors; m++) {
DMEMIT(",mirror_device_%d=%s", m, ms->mirror[m].dev->name);
DMEMIT(",mirror_device_%d_status=%c",
m, device_status_char(&(ms->mirror[m])));
}
DMEMIT(",handle_errors=%c", errors_handled(ms) ? 'y' : 'n');
DMEMIT(",keep_log=%c", keep_log(ms) ? 'y' : 'n');
DMEMIT(",log_type_status=");
sz += log->type->status(log, type, result+sz, maxlen-sz);
DMEMIT(";");
break;
}
}
......
......@@ -908,6 +908,10 @@ static unsigned persistent_status(struct dm_exception_store *store,
case STATUSTYPE_TABLE:
DMEMIT(" %s %llu", store->userspace_supports_overflow ? "PO" : "P",
(unsigned long long)store->chunk_size);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return sz;
......
......@@ -95,6 +95,10 @@ static unsigned transient_status(struct dm_exception_store *store,
break;
case STATUSTYPE_TABLE:
DMEMIT(" N %llu", (unsigned long long)store->chunk_size);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return sz;
......
......@@ -2390,6 +2390,16 @@ static void snapshot_status(struct dm_target *ti, status_type_t type,
DMEMIT(" discard_passdown_origin");
}
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",snap_origin_name=%s", snap->origin->name);
DMEMIT(",snap_cow_name=%s", snap->cow->name);
DMEMIT(",snap_valid=%c", snap->valid ? 'y' : 'n');
DMEMIT(",snap_merge_failed=%c", snap->merge_failed ? 'y' : 'n');
DMEMIT(",snapshot_overflowed=%c", snap->snapshot_overflowed ? 'y' : 'n');
DMEMIT(";");
break;
}
}
......@@ -2734,6 +2744,9 @@ static void origin_status(struct dm_target *ti, status_type_t type,
case STATUSTYPE_TABLE:
snprintf(result, maxlen, "%s", o->dev->name);
break;
case STATUSTYPE_IMA:
result[0] = '\0';
break;
}
}
......
......@@ -428,6 +428,21 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
DMEMIT(" %s %llu", sc->stripe[i].dev->name,
(unsigned long long)sc->stripe[i].physical_start);
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",stripes=%d,chunk_size=%llu", sc->stripes,
(unsigned long long)sc->chunk_size);
for (i = 0; i < sc->stripes; i++) {
DMEMIT(",stripe_%d_device_name=%s", i, sc->stripe[i].dev->name);
DMEMIT(",stripe_%d_physical_start=%llu", i,
(unsigned long long)sc->stripe[i].physical_start);
DMEMIT(",stripe_%d_status=%c", i,
atomic_read(&(sc->stripe[i].error_count)) ? 'D' : 'A');
}
DMEMIT(";");
break;
}
}
......
......@@ -504,6 +504,10 @@ static void switch_status(struct dm_target *ti, status_type_t type,
DMEMIT(" %s %llu", sctx->path_list[path_nr].dmdev->name,
(unsigned long long)sctx->path_list[path_nr].start);
break;
case STATUSTYPE_IMA:
result[0] = '\0';
break;
}
}
......
......@@ -4012,6 +4012,10 @@ static void pool_status(struct dm_target *ti, status_type_t type,
(unsigned long long)pt->low_water_blocks);
emit_flags(&pt->requested_pf, result, sz, maxlen);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return;
......@@ -4423,6 +4427,10 @@ static void thin_status(struct dm_target *ti, status_type_t type,
if (tc->origin_dev)
DMEMIT(" %s", format_dev_t(buf, tc->origin_dev->bdev->bd_dev));
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -156,6 +156,10 @@ static void unstripe_status(struct dm_target *ti, status_type_t type,
uc->stripes, (unsigned long long)uc->chunk_size, uc->unstripe,
uc->dev->name, (unsigned long long)uc->physical_start);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -772,6 +772,47 @@ static void verity_status(struct dm_target *ti, status_type_t type,
DMEMIT(" " DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY
" %s", v->signature_key_desc);
break;
case STATUSTYPE_IMA:
DMEMIT_TARGET_NAME_VERSION(ti->type);
DMEMIT(",hash_failed=%c", v->hash_failed ? 'C' : 'V');
DMEMIT(",verity_version=%u", v->version);
DMEMIT(",data_device_name=%s", v->data_dev->name);
DMEMIT(",hash_device_name=%s", v->hash_dev->name);
DMEMIT(",verity_algorithm=%s", v->alg_name);
DMEMIT(",root_digest=");
for (x = 0; x < v->digest_size; x++)
DMEMIT("%02x", v->root_digest[x]);
DMEMIT(",salt=");
if (!v->salt_size)
DMEMIT("-");
else
for (x = 0; x < v->salt_size; x++)
DMEMIT("%02x", v->salt[x]);
DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n');
DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n');
if (v->mode != DM_VERITY_MODE_EIO) {
DMEMIT(",verity_mode=");
switch (v->mode) {
case DM_VERITY_MODE_LOGGING:
DMEMIT(DM_VERITY_OPT_LOGGING);
break;
case DM_VERITY_MODE_RESTART:
DMEMIT(DM_VERITY_OPT_RESTART);
break;
case DM_VERITY_MODE_PANIC:
DMEMIT(DM_VERITY_OPT_PANIC);
break;
default:
DMEMIT("invalid");
}
}
DMEMIT(";");
break;
}
}
......
......@@ -2723,6 +2723,9 @@ static void writecache_status(struct dm_target *ti, status_type_t type,
if (wc->pause_set)
DMEMIT(" pause_writeback %u", wc->pause_value);
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
}
......
......@@ -1119,6 +1119,9 @@ static void dmz_status(struct dm_target *ti, status_type_t type,
DMEMIT(" %s", buf);
}
break;
case STATUSTYPE_IMA:
*result = '\0';
break;
}
return;
}
......
......@@ -603,6 +603,10 @@ void dm_destroy_keyslot_manager(struct blk_keyslot_manager *ksm);
#define DMEMIT(x...) sz += ((sz >= maxlen) ? \
0 : scnprintf(result + sz, maxlen - sz, x))
#define DMEMIT_TARGET_NAME_VERSION(y) \
DMEMIT("target_name=%s,target_version=%u.%u.%u", \
(y)->name, (y)->version[0], (y)->version[1], (y)->version[2])
/*
* Definitions of return values from target end_io function.
*/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment