dm ima: update dm target attributes for ima measurements

Certain DM targets ('integrity', 'multipath', 'verity') need to update the
way their attributes are recorded in the ima log, so that the attestation
servers can interpret the data correctly and decide if the devices
meet the attestation requirements.  For instance, the "mode=%c" attribute
in the 'integrity' target is measured twice, the 'verity' target is
missing the attribute "root_hash_sig_key_desc=%s", and the 'multipath'
target needs to index the attributes properly.

Update 'integrity' target to remove the duplicate measurement of
the attribute "mode=%c".  Add "root_hash_sig_key_desc=%s" attribute
for the 'verity' target.  Index various attributes in 'multipath'
target.  Also, add "nr_priority_groups=%u" attribute to 'multipath'
target to record the number of priority groups.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Suggested-by: Thore Sommer <public@thson.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 40f8116c8e443ffcb0cde0c5e50e23c7308f1744..6e0b2f2f59113b67f4167a8f7890fd71a7c58f45 100644 (file)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -3328,7 +3328,6 @@ static void dm_integrity_status(struct dm_target *ti, status_type_t type,
                DMEMIT(",journal_sectors=%u", ic->initial_sectors - SB_SECTORS);
                DMEMIT(",interleave_sectors=%u", 1U << ic->sb->log2_interleave_sectors);
                DMEMIT(",buffer_sectors=%u", 1U << ic->log2_buffer_sectors);
-               DMEMIT(",mode=%c", ic->mode);
                DMEMIT(";");
                break;
        }

diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index c3c514a9edbb9a52ee7c35487d705cb7eb9ae630..694aaca4eea24627c4de0a3b1d6c59bae23058c9 100644 (file)
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1790,7 +1790,7 @@ static void multipath_resume(struct dm_target *ti)
 static void multipath_status(struct dm_target *ti, status_type_t type,
                             unsigned status_flags, char *result, unsigned maxlen)
 {
-       int sz = 0;
+       int sz = 0, pg_counter, pgpath_counter;
        unsigned long flags;
        struct multipath *m = ti->private;
        struct priority_group *pg;
@@ -1906,7 +1906,12 @@ static void multipath_status(struct dm_target *ti, status_type_t type,
                break;
 
        case STATUSTYPE_IMA:
+               sz = 0; /*reset the result pointer*/
+
                DMEMIT_TARGET_NAME_VERSION(ti->type);
+               DMEMIT(",nr_priority_groups=%u", m->nr_priority_groups);
+
+               pg_counter = 0;
                list_for_each_entry(pg, &m->priority_groups, list) {
                        if (pg->bypassed)
                                state = 'D';    /* Disabled */
@@ -1914,21 +1919,26 @@ static void multipath_status(struct dm_target *ti, status_type_t type,
                                state = 'A';    /* Currently Active */
                        else
                                state = 'E';    /* Enabled */
-                       DMEMIT(",pg_state=%c", state);
-                       DMEMIT(",nr_pgpaths=%u", pg->nr_pgpaths);
-                       DMEMIT(",path_selector_name=%s", pg->ps.type->name);
+                       DMEMIT(",pg_state_%d=%c", pg_counter, state);
+                       DMEMIT(",nr_pgpaths_%d=%u", pg_counter, pg->nr_pgpaths);
+                       DMEMIT(",path_selector_name_%d=%s", pg_counter, pg->ps.type->name);
 
+                       pgpath_counter = 0;
                        list_for_each_entry(p, &pg->pgpaths, list) {
-                               DMEMIT(",path_name=%s,is_active=%c,fail_count=%u",
-                                      p->path.dev->name, p->is_active ? 'A' : 'F',
-                                      p->fail_count);
+                               DMEMIT(",path_name_%d_%d=%s,is_active_%d_%d=%c,fail_count_%d_%d=%u",
+                                      pg_counter, pgpath_counter, p->path.dev->name,
+                                      pg_counter, pgpath_counter, p->is_active ? 'A' : 'F',
+                                      pg_counter, pgpath_counter, p->fail_count);
                                if (pg->ps.type->status) {
-                                       DMEMIT(",path_selector_status=");
+                                       DMEMIT(",path_selector_status_%d_%d=",
+                                              pg_counter, pgpath_counter);
                                        sz += pg->ps.type->status(&pg->ps, &p->path,
                                                                  type, result + sz,
                                                                  maxlen - sz);
                                }
+                               pgpath_counter++;
                        }
+                       pg_counter++;
                }
                DMEMIT(";");
                break;

diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index bfefa100c265c62c5e534d3ef5998f510ce9c572..22a5ac82446a6c3ce16ccd360e3ab42ceb9a2bed 100644 (file)
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -794,6 +794,8 @@ static void verity_status(struct dm_target *ti, status_type_t type,
 
                DMEMIT(",ignore_zero_blocks=%c", v->zero_digest ? 'y' : 'n');
                DMEMIT(",check_at_most_once=%c", v->validated_blocks ? 'y' : 'n');
+               if (v->signature_key_desc)
+                       DMEMIT(",root_hash_sig_key_desc=%s", v->signature_key_desc);
 
                if (v->mode != DM_VERITY_MODE_EIO) {
                        DMEMIT(",verity_mode=");