Commit | Line | Data |
---|---|---|
91ccbbac TS |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * Copyright (C) 2021 Microsoft Corporation | |
4 | * | |
5 | * Author: Tushar Sugandhi <tusharsu@linux.microsoft.com> | |
6 | * | |
7 | * File: dm-ima.c | |
8 | * Enables IMA measurements for DM targets | |
9 | */ | |
10 | ||
11 | #include "dm-core.h" | |
12 | #include "dm-ima.h" | |
13 | ||
14 | #include <linux/ima.h> | |
15 | #include <crypto/hash.h> | |
16 | #include <linux/crypto.h> | |
17 | #include <crypto/hash_info.h> | |
18 | ||
19 | #define DM_MSG_PREFIX "ima" | |
20 | ||
21 | /* | |
22 | * Internal function to prefix separator characters in input buffer with escape | |
23 | * character, so that they don't interfere with the construction of key-value pairs, | |
24 | * and clients can split the key1=val1,key2=val2,key3=val3; pairs properly. | |
25 | */ | |
26 | static void fix_separator_chars(char **buf) | |
27 | { | |
28 | int l = strlen(*buf); | |
29 | int i, j, sp = 0; | |
30 | ||
31 | for (i = 0; i < l; i++) | |
32 | if ((*buf)[i] == '\\' || (*buf)[i] == ';' || (*buf)[i] == '=' || (*buf)[i] == ',') | |
33 | sp++; | |
34 | ||
35 | if (!sp) | |
36 | return; | |
37 | ||
38 | for (i = l-1, j = i+sp; i >= 0; i--) { | |
39 | (*buf)[j--] = (*buf)[i]; | |
40 | if ((*buf)[i] == '\\' || (*buf)[i] == ';' || (*buf)[i] == '=' || (*buf)[i] == ',') | |
41 | (*buf)[j--] = '\\'; | |
42 | } | |
43 | } | |
44 | ||
45 | /* | |
46 | * Internal function to allocate memory for IMA measurements. | |
47 | */ | |
48 | static void *dm_ima_alloc(size_t len, gfp_t flags, bool noio) | |
49 | { | |
50 | unsigned int noio_flag; | |
51 | void *ptr; | |
52 | ||
53 | if (noio) | |
54 | noio_flag = memalloc_noio_save(); | |
55 | ||
56 | ptr = kzalloc(len, flags); | |
57 | ||
58 | if (noio) | |
59 | memalloc_noio_restore(noio_flag); | |
60 | ||
61 | return ptr; | |
62 | } | |
63 | ||
64 | /* | |
65 | * Internal function to allocate and copy name and uuid for IMA measurements. | |
66 | */ | |
67 | static int dm_ima_alloc_and_copy_name_uuid(struct mapped_device *md, char **dev_name, | |
68 | char **dev_uuid, bool noio) | |
69 | { | |
70 | int r; | |
71 | *dev_name = dm_ima_alloc(DM_NAME_LEN*2, GFP_KERNEL, noio); | |
72 | if (!(*dev_name)) { | |
73 | r = -ENOMEM; | |
74 | goto error; | |
75 | } | |
76 | ||
77 | *dev_uuid = dm_ima_alloc(DM_UUID_LEN*2, GFP_KERNEL, noio); | |
78 | if (!(*dev_uuid)) { | |
79 | r = -ENOMEM; | |
80 | goto error; | |
81 | } | |
82 | ||
83 | r = dm_copy_name_and_uuid(md, *dev_name, *dev_uuid); | |
84 | if (r) | |
85 | goto error; | |
86 | ||
87 | fix_separator_chars(dev_name); | |
88 | fix_separator_chars(dev_uuid); | |
89 | ||
90 | return 0; | |
91 | error: | |
92 | kfree(*dev_name); | |
93 | kfree(*dev_uuid); | |
94 | *dev_name = NULL; | |
95 | *dev_uuid = NULL; | |
96 | return r; | |
97 | } | |
98 | ||
99 | /* | |
100 | * Internal function to allocate and copy device data for IMA measurements. | |
101 | */ | |
102 | static int dm_ima_alloc_and_copy_device_data(struct mapped_device *md, char **device_data, | |
103 | unsigned int num_targets, bool noio) | |
104 | { | |
105 | char *dev_name = NULL, *dev_uuid = NULL; | |
106 | int r; | |
107 | ||
108 | r = dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio); | |
109 | if (r) | |
110 | return r; | |
111 | ||
112 | *device_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio); | |
113 | if (!(*device_data)) { | |
114 | r = -ENOMEM; | |
115 | goto error; | |
116 | } | |
117 | ||
118 | scnprintf(*device_data, DM_IMA_DEVICE_BUF_LEN, | |
119 | "name=%s,uuid=%s,major=%d,minor=%d,minor_count=%d,num_targets=%u;", | |
120 | dev_name, dev_uuid, md->disk->major, md->disk->first_minor, | |
121 | md->disk->minors, num_targets); | |
122 | error: | |
123 | kfree(dev_name); | |
124 | kfree(dev_uuid); | |
125 | return r; | |
126 | } | |
127 | ||
128 | /* | |
129 | * Internal wrapper function to call IMA to measure DM data. | |
130 | */ | |
131 | static void dm_ima_measure_data(const char *event_name, const void *buf, size_t buf_len, | |
132 | bool noio) | |
133 | { | |
134 | unsigned int noio_flag; | |
135 | ||
136 | if (noio) | |
137 | noio_flag = memalloc_noio_save(); | |
138 | ||
aef4892a LT |
139 | ima_measure_critical_data(DM_NAME, event_name, buf, buf_len, |
140 | false, NULL, 0); | |
91ccbbac TS |
141 | |
142 | if (noio) | |
143 | memalloc_noio_restore(noio_flag); | |
144 | } | |
145 | ||
8eb6fab4 TS |
146 | /* |
147 | * Internal function to allocate and copy current device capacity for IMA measurements. | |
148 | */ | |
149 | static int dm_ima_alloc_and_copy_capacity_str(struct mapped_device *md, char **capacity_str, | |
150 | bool noio) | |
151 | { | |
152 | sector_t capacity; | |
153 | ||
154 | capacity = get_capacity(md->disk); | |
155 | ||
156 | *capacity_str = dm_ima_alloc(DM_IMA_DEVICE_CAPACITY_BUF_LEN, GFP_KERNEL, noio); | |
157 | if (!(*capacity_str)) | |
158 | return -ENOMEM; | |
159 | ||
160 | scnprintf(*capacity_str, DM_IMA_DEVICE_BUF_LEN, "current_device_capacity=%llu;", | |
161 | capacity); | |
162 | ||
163 | return 0; | |
164 | } | |
165 | ||
91ccbbac TS |
166 | /* |
167 | * Initialize/reset the dm ima related data structure variables. | |
168 | */ | |
169 | void dm_ima_reset_data(struct mapped_device *md) | |
170 | { | |
171 | memset(&(md->ima), 0, sizeof(md->ima)); | |
dc7b79cc | 172 | md->ima.dm_version_str_len = strlen(DM_IMA_VERSION_STR); |
91ccbbac TS |
173 | } |
174 | ||
175 | /* | |
176 | * Build up the IMA data for each target, and finally measure. | |
177 | */ | |
178 | void dm_ima_measure_on_table_load(struct dm_table *table, unsigned int status_flags) | |
179 | { | |
180 | size_t device_data_buf_len, target_metadata_buf_len, target_data_buf_len, l = 0; | |
181 | char *target_metadata_buf = NULL, *target_data_buf = NULL, *digest_buf = NULL; | |
182 | char *ima_buf = NULL, *device_data_buf = NULL; | |
183 | int digest_size, last_target_measured = -1, r; | |
184 | status_type_t type = STATUSTYPE_IMA; | |
185 | size_t cur_total_buf_len = 0; | |
186 | unsigned int num_targets, i; | |
187 | SHASH_DESC_ON_STACK(shash, NULL); | |
188 | struct crypto_shash *tfm = NULL; | |
189 | u8 *digest = NULL; | |
190 | bool noio = false; | |
8f509fd4 TS |
191 | /* |
192 | * In below hash_alg_prefix_len assignment +1 is for the additional char (':'), | |
193 | * when prefixing the hash value with the hash algorithm name. e.g. sha256:<hash_value>. | |
194 | */ | |
195 | const size_t hash_alg_prefix_len = strlen(DM_IMA_TABLE_HASH_ALG) + 1; | |
9c2adfa6 | 196 | char table_load_event_name[] = "dm_table_load"; |
91ccbbac TS |
197 | |
198 | ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, GFP_KERNEL, noio); | |
199 | if (!ima_buf) | |
200 | return; | |
201 | ||
202 | target_metadata_buf = dm_ima_alloc(DM_IMA_TARGET_METADATA_BUF_LEN, GFP_KERNEL, noio); | |
203 | if (!target_metadata_buf) | |
204 | goto error; | |
205 | ||
206 | target_data_buf = dm_ima_alloc(DM_IMA_TARGET_DATA_BUF_LEN, GFP_KERNEL, noio); | |
207 | if (!target_data_buf) | |
208 | goto error; | |
209 | ||
210 | num_targets = dm_table_get_num_targets(table); | |
211 | ||
212 | if (dm_ima_alloc_and_copy_device_data(table->md, &device_data_buf, num_targets, noio)) | |
213 | goto error; | |
214 | ||
8f509fd4 | 215 | tfm = crypto_alloc_shash(DM_IMA_TABLE_HASH_ALG, 0, 0); |
91ccbbac TS |
216 | if (IS_ERR(tfm)) |
217 | goto error; | |
218 | ||
219 | shash->tfm = tfm; | |
220 | digest_size = crypto_shash_digestsize(tfm); | |
221 | digest = dm_ima_alloc(digest_size, GFP_KERNEL, noio); | |
222 | if (!digest) | |
223 | goto error; | |
224 | ||
225 | r = crypto_shash_init(shash); | |
226 | if (r) | |
227 | goto error; | |
228 | ||
dc7b79cc TS |
229 | memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len); |
230 | l += table->md->ima.dm_version_str_len; | |
231 | ||
91ccbbac TS |
232 | device_data_buf_len = strlen(device_data_buf); |
233 | memcpy(ima_buf + l, device_data_buf, device_data_buf_len); | |
234 | l += device_data_buf_len; | |
235 | ||
236 | for (i = 0; i < num_targets; i++) { | |
237 | struct dm_target *ti = dm_table_get_target(table, i); | |
238 | ||
239 | if (!ti) | |
240 | goto error; | |
241 | ||
242 | last_target_measured = 0; | |
243 | ||
244 | /* | |
245 | * First retrieve the target metadata. | |
246 | */ | |
247 | scnprintf(target_metadata_buf, DM_IMA_TARGET_METADATA_BUF_LEN, | |
248 | "target_index=%d,target_begin=%llu,target_len=%llu,", | |
249 | i, ti->begin, ti->len); | |
250 | target_metadata_buf_len = strlen(target_metadata_buf); | |
251 | ||
252 | /* | |
253 | * Then retrieve the actual target data. | |
254 | */ | |
255 | if (ti->type->status) | |
256 | ti->type->status(ti, type, status_flags, target_data_buf, | |
257 | DM_IMA_TARGET_DATA_BUF_LEN); | |
258 | else | |
259 | target_data_buf[0] = '\0'; | |
260 | ||
261 | target_data_buf_len = strlen(target_data_buf); | |
262 | ||
263 | /* | |
264 | * Check if the total data can fit into the IMA buffer. | |
265 | */ | |
266 | cur_total_buf_len = l + target_metadata_buf_len + target_data_buf_len; | |
267 | ||
268 | /* | |
269 | * IMA measurements for DM targets are best-effort. | |
270 | * If the total data buffered so far, including the current target, | |
271 | * is too large to fit into DM_IMA_MEASUREMENT_BUF_LEN, measure what | |
272 | * we have in the current buffer, and continue measuring the remaining | |
273 | * targets by prefixing the device metadata again. | |
274 | */ | |
275 | if (unlikely(cur_total_buf_len >= DM_IMA_MEASUREMENT_BUF_LEN)) { | |
9c2adfa6 | 276 | dm_ima_measure_data(table_load_event_name, ima_buf, l, noio); |
91ccbbac TS |
277 | r = crypto_shash_update(shash, (const u8 *)ima_buf, l); |
278 | if (r < 0) | |
279 | goto error; | |
280 | ||
281 | memset(ima_buf, 0, DM_IMA_MEASUREMENT_BUF_LEN); | |
282 | l = 0; | |
283 | ||
284 | /* | |
9c2adfa6 TS |
285 | * Each new "dm_table_load" entry in IMA log should have device data |
286 | * prefix, so that multiple records from the same "dm_table_load" for | |
91ccbbac TS |
287 | * a given device can be linked together. |
288 | */ | |
dc7b79cc TS |
289 | memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len); |
290 | l += table->md->ima.dm_version_str_len; | |
291 | ||
91ccbbac TS |
292 | memcpy(ima_buf + l, device_data_buf, device_data_buf_len); |
293 | l += device_data_buf_len; | |
294 | ||
295 | /* | |
296 | * If this iteration of the for loop turns out to be the last target | |
9c2adfa6 | 297 | * in the table, dm_ima_measure_data("dm_table_load", ...) doesn't need |
91ccbbac TS |
298 | * to be called again, just the hash needs to be finalized. |
299 | * "last_target_measured" tracks this state. | |
300 | */ | |
301 | last_target_measured = 1; | |
302 | } | |
303 | ||
304 | /* | |
305 | * Fill-in all the target metadata, so that multiple targets for the same | |
306 | * device can be linked together. | |
307 | */ | |
308 | memcpy(ima_buf + l, target_metadata_buf, target_metadata_buf_len); | |
309 | l += target_metadata_buf_len; | |
310 | ||
311 | memcpy(ima_buf + l, target_data_buf, target_data_buf_len); | |
312 | l += target_data_buf_len; | |
313 | } | |
314 | ||
315 | if (!last_target_measured) { | |
9c2adfa6 | 316 | dm_ima_measure_data(table_load_event_name, ima_buf, l, noio); |
91ccbbac TS |
317 | |
318 | r = crypto_shash_update(shash, (const u8 *)ima_buf, l); | |
319 | if (r < 0) | |
320 | goto error; | |
321 | } | |
322 | ||
323 | /* | |
324 | * Finalize the table hash, and store it in table->md->ima.inactive_table.hash, | |
325 | * so that the table data can be verified against the future device state change | |
326 | * events, e.g. resume, rename, remove, table-clear etc. | |
327 | */ | |
328 | r = crypto_shash_final(shash, digest); | |
329 | if (r < 0) | |
330 | goto error; | |
331 | ||
8f509fd4 TS |
332 | digest_buf = dm_ima_alloc((digest_size*2) + hash_alg_prefix_len + 1, GFP_KERNEL, noio); |
333 | ||
91ccbbac TS |
334 | if (!digest_buf) |
335 | goto error; | |
336 | ||
8f509fd4 TS |
337 | snprintf(digest_buf, hash_alg_prefix_len + 1, "%s:", DM_IMA_TABLE_HASH_ALG); |
338 | ||
91ccbbac | 339 | for (i = 0; i < digest_size; i++) |
8f509fd4 | 340 | snprintf((digest_buf + hash_alg_prefix_len + (i*2)), 3, "%02x", digest[i]); |
91ccbbac TS |
341 | |
342 | if (table->md->ima.active_table.hash != table->md->ima.inactive_table.hash) | |
343 | kfree(table->md->ima.inactive_table.hash); | |
344 | ||
345 | table->md->ima.inactive_table.hash = digest_buf; | |
346 | table->md->ima.inactive_table.hash_len = strlen(digest_buf); | |
347 | table->md->ima.inactive_table.num_targets = num_targets; | |
348 | ||
349 | if (table->md->ima.active_table.device_metadata != | |
350 | table->md->ima.inactive_table.device_metadata) | |
351 | kfree(table->md->ima.inactive_table.device_metadata); | |
352 | ||
353 | table->md->ima.inactive_table.device_metadata = device_data_buf; | |
354 | table->md->ima.inactive_table.device_metadata_len = device_data_buf_len; | |
355 | ||
356 | goto exit; | |
357 | error: | |
358 | kfree(digest_buf); | |
359 | kfree(device_data_buf); | |
360 | exit: | |
361 | kfree(digest); | |
362 | if (tfm) | |
363 | crypto_free_shash(tfm); | |
364 | kfree(ima_buf); | |
365 | kfree(target_metadata_buf); | |
366 | kfree(target_data_buf); | |
367 | } | |
8eb6fab4 TS |
368 | |
369 | /* | |
370 | * Measure IMA data on device resume. | |
371 | */ | |
372 | void dm_ima_measure_on_device_resume(struct mapped_device *md, bool swap) | |
373 | { | |
374 | char *device_table_data, *dev_name = NULL, *dev_uuid = NULL, *capacity_str = NULL; | |
375 | char active[] = "active_table_hash="; | |
376 | unsigned int active_len = strlen(active), capacity_len = 0; | |
377 | unsigned int l = 0; | |
378 | bool noio = true; | |
dc7b79cc | 379 | bool nodata = true; |
8eb6fab4 TS |
380 | int r; |
381 | ||
382 | device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio); | |
383 | if (!device_table_data) | |
384 | return; | |
385 | ||
386 | r = dm_ima_alloc_and_copy_capacity_str(md, &capacity_str, noio); | |
387 | if (r) | |
388 | goto error; | |
389 | ||
dc7b79cc TS |
390 | memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len); |
391 | l += md->ima.dm_version_str_len; | |
392 | ||
8eb6fab4 TS |
393 | if (swap) { |
394 | if (md->ima.active_table.hash != md->ima.inactive_table.hash) | |
395 | kfree(md->ima.active_table.hash); | |
396 | ||
397 | md->ima.active_table.hash = NULL; | |
398 | md->ima.active_table.hash_len = 0; | |
399 | ||
400 | if (md->ima.active_table.device_metadata != | |
401 | md->ima.inactive_table.device_metadata) | |
402 | kfree(md->ima.active_table.device_metadata); | |
403 | ||
404 | md->ima.active_table.device_metadata = NULL; | |
405 | md->ima.active_table.device_metadata_len = 0; | |
406 | md->ima.active_table.num_targets = 0; | |
407 | ||
408 | if (md->ima.inactive_table.hash) { | |
409 | md->ima.active_table.hash = md->ima.inactive_table.hash; | |
410 | md->ima.active_table.hash_len = md->ima.inactive_table.hash_len; | |
411 | md->ima.inactive_table.hash = NULL; | |
412 | md->ima.inactive_table.hash_len = 0; | |
413 | } | |
414 | ||
415 | if (md->ima.inactive_table.device_metadata) { | |
416 | md->ima.active_table.device_metadata = | |
417 | md->ima.inactive_table.device_metadata; | |
418 | md->ima.active_table.device_metadata_len = | |
419 | md->ima.inactive_table.device_metadata_len; | |
420 | md->ima.active_table.num_targets = md->ima.inactive_table.num_targets; | |
421 | md->ima.inactive_table.device_metadata = NULL; | |
422 | md->ima.inactive_table.device_metadata_len = 0; | |
423 | md->ima.inactive_table.num_targets = 0; | |
424 | } | |
425 | } | |
426 | ||
427 | if (md->ima.active_table.device_metadata) { | |
dc7b79cc TS |
428 | memcpy(device_table_data + l, md->ima.active_table.device_metadata, |
429 | md->ima.active_table.device_metadata_len); | |
430 | l += md->ima.active_table.device_metadata_len; | |
431 | ||
432 | nodata = false; | |
8eb6fab4 TS |
433 | } |
434 | ||
435 | if (md->ima.active_table.hash) { | |
436 | memcpy(device_table_data + l, active, active_len); | |
437 | l += active_len; | |
438 | ||
439 | memcpy(device_table_data + l, md->ima.active_table.hash, | |
440 | md->ima.active_table.hash_len); | |
441 | l += md->ima.active_table.hash_len; | |
442 | ||
443 | memcpy(device_table_data + l, ";", 1); | |
444 | l++; | |
dc7b79cc TS |
445 | |
446 | nodata = false; | |
8eb6fab4 TS |
447 | } |
448 | ||
dc7b79cc | 449 | if (nodata) { |
8eb6fab4 TS |
450 | r = dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio); |
451 | if (r) | |
452 | goto error; | |
453 | ||
454 | scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN, | |
dc7b79cc TS |
455 | "%sname=%s,uuid=%s;device_resume=no_data;", |
456 | DM_IMA_VERSION_STR, dev_name, dev_uuid); | |
8eb6fab4 TS |
457 | l += strlen(device_table_data); |
458 | ||
459 | } | |
460 | ||
461 | capacity_len = strlen(capacity_str); | |
462 | memcpy(device_table_data + l, capacity_str, capacity_len); | |
463 | l += capacity_len; | |
464 | ||
9c2adfa6 | 465 | dm_ima_measure_data("dm_device_resume", device_table_data, l, noio); |
8eb6fab4 TS |
466 | |
467 | kfree(dev_name); | |
468 | kfree(dev_uuid); | |
469 | error: | |
470 | kfree(capacity_str); | |
471 | kfree(device_table_data); | |
472 | } | |
84010e51 TS |
473 | |
474 | /* | |
475 | * Measure IMA data on remove. | |
476 | */ | |
477 | void dm_ima_measure_on_device_remove(struct mapped_device *md, bool remove_all) | |
478 | { | |
479 | char *device_table_data, *dev_name = NULL, *dev_uuid = NULL, *capacity_str = NULL; | |
480 | char active_table_str[] = "active_table_hash="; | |
481 | char inactive_table_str[] = "inactive_table_hash="; | |
482 | char device_active_str[] = "device_active_metadata="; | |
483 | char device_inactive_str[] = "device_inactive_metadata="; | |
484 | char remove_all_str[] = "remove_all="; | |
485 | unsigned int active_table_len = strlen(active_table_str); | |
486 | unsigned int inactive_table_len = strlen(inactive_table_str); | |
487 | unsigned int device_active_len = strlen(device_active_str); | |
488 | unsigned int device_inactive_len = strlen(device_inactive_str); | |
489 | unsigned int remove_all_len = strlen(remove_all_str); | |
490 | unsigned int capacity_len = 0; | |
491 | unsigned int l = 0; | |
492 | bool noio = true; | |
dc7b79cc | 493 | bool nodata = true; |
84010e51 TS |
494 | int r; |
495 | ||
496 | device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN*2, GFP_KERNEL, noio); | |
497 | if (!device_table_data) | |
498 | goto exit; | |
499 | ||
500 | r = dm_ima_alloc_and_copy_capacity_str(md, &capacity_str, noio); | |
501 | if (r) { | |
502 | kfree(device_table_data); | |
503 | goto exit; | |
504 | } | |
505 | ||
dc7b79cc TS |
506 | memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len); |
507 | l += md->ima.dm_version_str_len; | |
508 | ||
84010e51 TS |
509 | if (md->ima.active_table.device_metadata) { |
510 | memcpy(device_table_data + l, device_active_str, device_active_len); | |
511 | l += device_active_len; | |
512 | ||
513 | memcpy(device_table_data + l, md->ima.active_table.device_metadata, | |
514 | md->ima.active_table.device_metadata_len); | |
515 | l += md->ima.active_table.device_metadata_len; | |
dc7b79cc TS |
516 | |
517 | nodata = false; | |
84010e51 TS |
518 | } |
519 | ||
520 | if (md->ima.inactive_table.device_metadata) { | |
521 | memcpy(device_table_data + l, device_inactive_str, device_inactive_len); | |
522 | l += device_inactive_len; | |
523 | ||
524 | memcpy(device_table_data + l, md->ima.inactive_table.device_metadata, | |
525 | md->ima.inactive_table.device_metadata_len); | |
526 | l += md->ima.inactive_table.device_metadata_len; | |
dc7b79cc TS |
527 | |
528 | nodata = false; | |
84010e51 TS |
529 | } |
530 | ||
531 | if (md->ima.active_table.hash) { | |
532 | memcpy(device_table_data + l, active_table_str, active_table_len); | |
533 | l += active_table_len; | |
534 | ||
535 | memcpy(device_table_data + l, md->ima.active_table.hash, | |
536 | md->ima.active_table.hash_len); | |
537 | l += md->ima.active_table.hash_len; | |
538 | ||
539 | memcpy(device_table_data + l, ",", 1); | |
540 | l++; | |
dc7b79cc TS |
541 | |
542 | nodata = false; | |
84010e51 TS |
543 | } |
544 | ||
545 | if (md->ima.inactive_table.hash) { | |
546 | memcpy(device_table_data + l, inactive_table_str, inactive_table_len); | |
547 | l += inactive_table_len; | |
548 | ||
549 | memcpy(device_table_data + l, md->ima.inactive_table.hash, | |
550 | md->ima.inactive_table.hash_len); | |
551 | l += md->ima.inactive_table.hash_len; | |
552 | ||
553 | memcpy(device_table_data + l, ",", 1); | |
554 | l++; | |
dc7b79cc TS |
555 | |
556 | nodata = false; | |
84010e51 TS |
557 | } |
558 | /* | |
559 | * In case both active and inactive tables, and corresponding | |
560 | * device metadata is cleared/missing - record the name and uuid | |
561 | * in IMA measurements. | |
562 | */ | |
dc7b79cc | 563 | if (nodata) { |
84010e51 TS |
564 | if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio)) |
565 | goto error; | |
566 | ||
567 | scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN, | |
dc7b79cc TS |
568 | "%sname=%s,uuid=%s;device_remove=no_data;", |
569 | DM_IMA_VERSION_STR, dev_name, dev_uuid); | |
84010e51 TS |
570 | l += strlen(device_table_data); |
571 | } | |
572 | ||
573 | memcpy(device_table_data + l, remove_all_str, remove_all_len); | |
574 | l += remove_all_len; | |
575 | memcpy(device_table_data + l, remove_all ? "y;" : "n;", 2); | |
576 | l += 2; | |
577 | ||
578 | capacity_len = strlen(capacity_str); | |
579 | memcpy(device_table_data + l, capacity_str, capacity_len); | |
580 | l += capacity_len; | |
581 | ||
9c2adfa6 | 582 | dm_ima_measure_data("dm_device_remove", device_table_data, l, noio); |
84010e51 TS |
583 | |
584 | error: | |
585 | kfree(device_table_data); | |
586 | kfree(capacity_str); | |
587 | exit: | |
588 | kfree(md->ima.active_table.device_metadata); | |
589 | ||
590 | if (md->ima.active_table.device_metadata != | |
591 | md->ima.inactive_table.device_metadata) | |
592 | kfree(md->ima.inactive_table.device_metadata); | |
593 | ||
594 | kfree(md->ima.active_table.hash); | |
595 | ||
596 | if (md->ima.active_table.hash != md->ima.inactive_table.hash) | |
597 | kfree(md->ima.inactive_table.hash); | |
598 | ||
599 | dm_ima_reset_data(md); | |
600 | ||
601 | kfree(dev_name); | |
602 | kfree(dev_uuid); | |
603 | } | |
99169b93 TS |
604 | |
605 | /* | |
606 | * Measure ima data on table clear. | |
607 | */ | |
608 | void dm_ima_measure_on_table_clear(struct mapped_device *md, bool new_map) | |
609 | { | |
610 | unsigned int l = 0, capacity_len = 0; | |
611 | char *device_table_data = NULL, *dev_name = NULL, *dev_uuid = NULL, *capacity_str = NULL; | |
612 | char inactive_str[] = "inactive_table_hash="; | |
613 | unsigned int inactive_len = strlen(inactive_str); | |
614 | bool noio = true; | |
dc7b79cc | 615 | bool nodata = true; |
99169b93 TS |
616 | int r; |
617 | ||
618 | device_table_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN, GFP_KERNEL, noio); | |
619 | if (!device_table_data) | |
620 | return; | |
621 | ||
622 | r = dm_ima_alloc_and_copy_capacity_str(md, &capacity_str, noio); | |
623 | if (r) | |
624 | goto error1; | |
625 | ||
dc7b79cc TS |
626 | memcpy(device_table_data + l, DM_IMA_VERSION_STR, md->ima.dm_version_str_len); |
627 | l += md->ima.dm_version_str_len; | |
628 | ||
99169b93 TS |
629 | if (md->ima.inactive_table.device_metadata_len && |
630 | md->ima.inactive_table.hash_len) { | |
631 | memcpy(device_table_data + l, md->ima.inactive_table.device_metadata, | |
632 | md->ima.inactive_table.device_metadata_len); | |
633 | l += md->ima.inactive_table.device_metadata_len; | |
634 | ||
635 | memcpy(device_table_data + l, inactive_str, inactive_len); | |
636 | l += inactive_len; | |
637 | ||
638 | memcpy(device_table_data + l, md->ima.inactive_table.hash, | |
639 | md->ima.inactive_table.hash_len); | |
640 | ||
641 | l += md->ima.inactive_table.hash_len; | |
642 | ||
643 | memcpy(device_table_data + l, ";", 1); | |
644 | l++; | |
dc7b79cc TS |
645 | |
646 | nodata = false; | |
99169b93 TS |
647 | } |
648 | ||
dc7b79cc | 649 | if (nodata) { |
99169b93 TS |
650 | if (dm_ima_alloc_and_copy_name_uuid(md, &dev_name, &dev_uuid, noio)) |
651 | goto error2; | |
652 | ||
653 | scnprintf(device_table_data, DM_IMA_DEVICE_BUF_LEN, | |
dc7b79cc TS |
654 | "%sname=%s,uuid=%s;table_clear=no_data;", |
655 | DM_IMA_VERSION_STR, dev_name, dev_uuid); | |
99169b93 TS |
656 | l += strlen(device_table_data); |
657 | } | |
658 | ||
659 | capacity_len = strlen(capacity_str); | |
660 | memcpy(device_table_data + l, capacity_str, capacity_len); | |
661 | l += capacity_len; | |
662 | ||
9c2adfa6 | 663 | dm_ima_measure_data("dm_table_clear", device_table_data, l, noio); |
99169b93 TS |
664 | |
665 | if (new_map) { | |
666 | if (md->ima.inactive_table.hash && | |
667 | md->ima.inactive_table.hash != md->ima.active_table.hash) | |
668 | kfree(md->ima.inactive_table.hash); | |
669 | ||
670 | md->ima.inactive_table.hash = NULL; | |
671 | md->ima.inactive_table.hash_len = 0; | |
672 | ||
673 | if (md->ima.inactive_table.device_metadata && | |
674 | md->ima.inactive_table.device_metadata != md->ima.active_table.device_metadata) | |
675 | kfree(md->ima.inactive_table.device_metadata); | |
676 | ||
677 | md->ima.inactive_table.device_metadata = NULL; | |
678 | md->ima.inactive_table.device_metadata_len = 0; | |
679 | md->ima.inactive_table.num_targets = 0; | |
680 | ||
681 | if (md->ima.active_table.hash) { | |
682 | md->ima.inactive_table.hash = md->ima.active_table.hash; | |
683 | md->ima.inactive_table.hash_len = md->ima.active_table.hash_len; | |
684 | } | |
685 | ||
686 | if (md->ima.active_table.device_metadata) { | |
687 | md->ima.inactive_table.device_metadata = | |
688 | md->ima.active_table.device_metadata; | |
689 | md->ima.inactive_table.device_metadata_len = | |
690 | md->ima.active_table.device_metadata_len; | |
691 | md->ima.inactive_table.num_targets = | |
692 | md->ima.active_table.num_targets; | |
693 | } | |
694 | } | |
695 | ||
696 | kfree(dev_name); | |
697 | kfree(dev_uuid); | |
698 | error2: | |
699 | kfree(capacity_str); | |
700 | error1: | |
701 | kfree(device_table_data); | |
702 | } | |
7d1d1df8 TS |
703 | |
704 | /* | |
705 | * Measure IMA data on device rename. | |
706 | */ | |
707 | void dm_ima_measure_on_device_rename(struct mapped_device *md) | |
708 | { | |
709 | char *old_device_data = NULL, *new_device_data = NULL, *combined_device_data = NULL; | |
710 | char *new_dev_name = NULL, *new_dev_uuid = NULL, *capacity_str = NULL; | |
711 | bool noio = true; | |
712 | int r; | |
713 | ||
714 | if (dm_ima_alloc_and_copy_device_data(md, &new_device_data, | |
715 | md->ima.active_table.num_targets, noio)) | |
716 | return; | |
717 | ||
718 | if (dm_ima_alloc_and_copy_name_uuid(md, &new_dev_name, &new_dev_uuid, noio)) | |
719 | goto error; | |
720 | ||
721 | combined_device_data = dm_ima_alloc(DM_IMA_DEVICE_BUF_LEN * 2, GFP_KERNEL, noio); | |
722 | if (!combined_device_data) | |
723 | goto error; | |
724 | ||
725 | r = dm_ima_alloc_and_copy_capacity_str(md, &capacity_str, noio); | |
726 | if (r) | |
727 | goto error; | |
728 | ||
729 | old_device_data = md->ima.active_table.device_metadata; | |
730 | ||
731 | md->ima.active_table.device_metadata = new_device_data; | |
732 | md->ima.active_table.device_metadata_len = strlen(new_device_data); | |
733 | ||
dc7b79cc TS |
734 | scnprintf(combined_device_data, DM_IMA_DEVICE_BUF_LEN * 2, |
735 | "%s%snew_name=%s,new_uuid=%s;%s", DM_IMA_VERSION_STR, old_device_data, | |
736 | new_dev_name, new_dev_uuid, capacity_str); | |
7d1d1df8 | 737 | |
9c2adfa6 | 738 | dm_ima_measure_data("dm_device_rename", combined_device_data, strlen(combined_device_data), |
7d1d1df8 TS |
739 | noio); |
740 | ||
741 | goto exit; | |
742 | ||
743 | error: | |
744 | kfree(new_device_data); | |
745 | exit: | |
746 | kfree(capacity_str); | |
747 | kfree(combined_device_data); | |
748 | kfree(old_device_data); | |
749 | kfree(new_dev_name); | |
750 | kfree(new_dev_uuid); | |
751 | } |