Lines Matching +full:data +full:- +full:mirror
2 dm-ima
6 (including the attestation service) interact with it - both during the
7 setup and during the rest of the system run-time. They share sensitive data
9 may want to verify the current run-time state of the relevant kernel
10 subsystems before fully trusting the system with business-critical
11 data/workload.
18 impact the security profile of the block device, and in-turn, of the
24 fully trusting the system with business-critical data/workload.
28 various block devices -
30 - by device mapper itself, from within the kernel,
31 - in a tamper resistant way,
32 - and re-measured - triggered on state/configuration change.
36 For IMA to measure the data on a given system, the IMA policy on the
42 /etc/ima/ima-policy
43 measure func=CRITICAL_DATA label=device-mapper template=ima-buf
61 TEMPLATE_DATA_DIGEST := Template data digest of the IMA record.
62 TEMPLATE_NAME := Template name that registered the integrity value (e.g. ima-buf).
65 It contains data for the specific event to be measured,
66 in a given template data format.
69 EVENT_DIGEST := Digest of the event data
71 EVENT_DATA := The event data to be measured.
76 | The DM target data measured by IMA subsystem can alternatively
98 ---------------
115 device_name := "name=" <dm-device-name>
116 device_uuid := "uuid=" <dm-device-uuid>
121 dm-device-name := Name of the device. If it contains special characters like '\', ',', ';',
123 dm-device-uuid := UUID of the device. If it contains special characters like '\', ',', ';',
127 Represents the data (as name=value pairs) from various targets in the table,
134 … Represents nth target in the table (from 0 to N-1 targets specified in <num_device_targets>)
135 … If all the data for N targets doesn't fit in the given buffer - then the data that fits
137 … The remaining data from targets x+1 to N-1 is measured in the subsequent IMA events,
147 …target_attributes := Data containing comma separated list of name=value pairs of target specific a…
159 …10 a8c5ff755561c7a28146389d1514c318592af49a ima-buf sha256:4d73481ecce5eadba8ab084640d85bb9ca899af…
169 ------------------
171 data from previous load of an active table are measured.
183 Represents the hash of the IMA data being measured for the
188 Note: If the table_load data spans across multiple IMA 'dm_table_load'
189 events for a given device, the hash is computed combining all the event data
200 …10 56c00cc062ffc24ccd9ac2d67d194af3282b934e ima-buf sha256:e7d12c03b958b4e0e53e7363a06376be88d98a1…
207 ------------------
209 data from an active and inactive table are measured.
238 …10 790e830a3a7a31590824ac0642b3b31c2d0e8b38 ima-buf sha256:ab9f3c959367a8f5d4403d6ce9c3627dadfa8f9…
248 ----------------
250 data from an inactive table are measured.
272 …10 77d347408f557f68f0041acb0072946bb2367fe5 ima-buf sha256:42f9ca22163fdfa548e6229dece2959bc5ce295…
279 ------------------
293 new_device_name := "new_name=" <dm-device-name>
294 dm-device-name := Same as <dm-device-name> described in 'Table load' section above
295 new_device_uuid := "new_uuid=" <dm-device-uuid>
296 dm-device-uuid := Same as <dm-device-uuid> described in 'Table load' section above
300 #dmsetup rename linear1 --setuuid 1234-5678
305 …10 8b0423209b4c66ac1523f4c9848c9b51ee332f48 ima-buf sha256:6847b7258134189531db593e9230b257c84f040…
308 …name=linear1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;new_name=linear1,new_uuid=1234-56…
317 …10 bef70476b99c2bdf7136fae033aa8627da1bf76f ima-buf sha256:8c6f9f53b9ef9dc8f92a2f2cca8910e622543d0…
320 name=linear1,uuid=1234-5678,major=253,minor=2,minor_count=1,num_targets=1;
321 new_name=linear\=2,new_uuid=1234-5678;
327 Following targets are supported to measure their data using IMA:
333 #. mirror
341 ---------
343 section above) has the following data format for 'cache' target.
376 ---------
378 section above) has the following data format for 'crypt' target.
416 …iv_large_sectors=n,cipher_string=aes-xts-plain64,key_size=32,key_parts=1,key_extra_size=0,key_mac_…
419 -------------
421 section above) has the following data format for 'integrity' target.
463 ----------
465 section above) has the following data format for 'linear' target.
487 5. mirror
488 ----------
490 section above) has the following data format for 'mirror' target.
497 target_name := "target_name=mirror"
501 … mirror_device_row is repeated <NR> times - for <NR> described in <nr_mirrors>.
504 where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>.
506 where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>.
514 When a 'mirror' target is loaded, then IMA ASCII measurement log will have an entry
515 similar to the following, depicting what 'mirror' attributes are measured in EVENT_DATA
521 …target_index=0,target_begin=0,target_len=2048,target_name=mirror,target_version=1.14.0,nr_mirrors=…
527 -------------
529 section above) has the following data format for 'multipath' target.
542 … where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>.
547 … where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>,
548 … and <Y> ranges from 0 to (<NPGP> -1) - for <NPGP> described in <priority_groups_row>.
560 pg_state_0=E,nr_pgpaths_0=2,path_selector_name_0=queue-length,
563 pg_state_1=E,nr_pgpaths_1=2,path_selector_name_1=queue-length,
568 --------
570 section above) has the following data format for 'raid' target.
584 … <raid_device_status_row> is repeated <NRD> times - for <NRD> described in <raid_disks>.
586 … where <X> ranges from 0 to (<NRD> -1) - for <NRD> described in <raid_disks>.
587 raid_device_status_str := "A" | "D" | "a" | "-"
608 ------------
610 section above) has the following data format for 'snapshot' target.
638 -----------
640 section above) has the following data format for 'striped' target.
654 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
656 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
658 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
674 ----------
676 section above) has the following data format for 'verity' target.
695 salt_str := "-" <verity_salt_str>
710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;