0001 ======
0002 dm-ima
0003 ======
0004
0005 For a given system, various external services/infrastructure tools
0006 (including the attestation service) interact with it - both during the
0007 setup and during rest of the system run-time. They share sensitive data
0008 and/or execute critical workload on that system. The external services
0009 may want to verify the current run-time state of the relevant kernel
0010 subsystems before fully trusting the system with business-critical
0011 data/workload.
0012
0013 Device mapper plays a critical role on a given system by providing
0014 various important functionalities to the block devices using various
0015 target types like crypt, verity, integrity etc. Each of these target
0016 types’ functionalities can be configured with various attributes.
0017 The attributes chosen to configure these target types can significantly
0018 impact the security profile of the block device, and in-turn, of the
0019 system itself. For instance, the type of encryption algorithm and the
0020 key size determines the strength of encryption for a given block device.
0021
0022 Therefore, verifying the current state of various block devices as well
0023 as their various target attributes is crucial for external services before
0024 fully trusting the system with business-critical data/workload.
0025
0026 IMA kernel subsystem provides the necessary functionality for
0027 device mapper to measure the state and configuration of
0028 various block devices -
0029
0030 - by device mapper itself, from within the kernel,
0031 - in a tamper resistant way,
0032 - and re-measured - triggered on state/configuration change.
0033
0034 Setting the IMA Policy:
0035 =======================
0036 For IMA to measure the data on a given system, the IMA policy on the
0037 system needs to be updated to have following line, and the system needs
0038 to be restarted for the measurements to take effect.
0039
0040 ::
0041
0042 /etc/ima/ima-policy
0043 measure func=CRITICAL_DATA label=device-mapper template=ima-buf
0044
0045 The measurements will be reflected in the IMA logs, which are located at:
0046
0047 ::
0048
0049 /sys/kernel/security/integrity/ima/ascii_runtime_measurements
0050 /sys/kernel/security/integrity/ima/binary_runtime_measurements
0051
0052 Then IMA ASCII measurement log has the following format:
0053
0054 ::
0055
0056 <PCR> <TEMPLATE_DATA_DIGEST> <TEMPLATE_NAME> <TEMPLATE_DATA>
0057
0058 PCR := Platform Configuration Register, in which the values are registered.
0059 This is applicable if TPM chip is in use.
0060
0061 TEMPLATE_DATA_DIGEST := Template data digest of the IMA record.
0062 TEMPLATE_NAME := Template name that registered the integrity value (e.g. ima-buf).
0063
0064 TEMPLATE_DATA := <ALG> ":" <EVENT_DIGEST> <EVENT_NAME> <EVENT_DATA>
0065 It contains data for the specific event to be measured,
0066 in a given template data format.
0067
0068 ALG := Algorithm to compute event digest
0069 EVENT_DIGEST := Digest of the event data
0070 EVENT_NAME := Description of the event (e.g. 'dm_table_load').
0071 EVENT_DATA := The event data to be measured.
0072
0073 |
0074
0075 | *NOTE #1:*
0076 | The DM target data measured by IMA subsystem can alternatively
0077 be queried from userspace by setting DM_IMA_MEASUREMENT_FLAG with
0078 DM_TABLE_STATUS_CMD.
0079
0080 |
0081
0082 | *NOTE #2:*
0083 | The Kernel configuration CONFIG_IMA_DISABLE_HTABLE allows measurement of duplicate records.
0084 | To support recording duplicate IMA events in the IMA log, the Kernel needs to be configured with
0085 CONFIG_IMA_DISABLE_HTABLE=y.
0086
0087 Supported Device States:
0088 ========================
0089 Following device state changes will trigger IMA measurements:
0090
0091 1. Table load
0092 #. Device resume
0093 #. Device remove
0094 #. Table clear
0095 #. Device rename
0096
0097 1. Table load:
0098 ---------------
0099 When a new table is loaded in a device's inactive table slot,
0100 the device information and target specific details from the
0101 targets in the table are measured.
0102
0103 The IMA measurement log has the following format for 'dm_table_load':
0104
0105 ::
0106
0107 EVENT_NAME := "dm_table_load"
0108 EVENT_DATA := <dm_version_str> ";" <device_metadata> ";" <table_load_data>
0109
0110 dm_version_str := "dm_version=" <N> "." <N> "." <N>
0111 Same as Device Mapper driver version.
0112 device_metadata := <device_name> "," <device_uuid> "," <device_major> "," <device_minor> ","
0113 <minor_count> "," <num_device_targets> ";"
0114
0115 device_name := "name=" <dm-device-name>
0116 device_uuid := "uuid=" <dm-device-uuid>
0117 device_major := "major=" <N>
0118 device_minor := "minor=" <N>
0119 minor_count := "minor_count=" <N>
0120 num_device_targets := "num_targets=" <N>
0121 dm-device-name := Name of the device. If it contains special characters like '\', ',', ';',
0122 they are prefixed with '\'.
0123 dm-device-uuid := UUID of the device. If it contains special characters like '\', ',', ';',
0124 they are prefixed with '\'.
0125
0126 table_load_data := <target_data>
0127 Represents the data (as name=value pairs) from various targets in the table,
0128 which is being loaded into the DM device's inactive table slot.
0129 target_data := <target_data_row> | <target_data><target_data_row>
0130
0131 target_data_row := <target_index> "," <target_begin> "," <target_len> "," <target_name> ","
0132 <target_version> "," <target_attributes> ";"
0133 target_index := "target_index=" <N>
0134 Represents nth target in the table (from 0 to N-1 targets specified in <num_device_targets>)
0135 If all the data for N targets doesn't fit in the given buffer - then the data that fits
0136 in the buffer (say from target 0 to x) is measured in a given IMA event.
0137 The remaining data from targets x+1 to N-1 is measured in the subsequent IMA events,
0138 with the same format as that of 'dm_table_load'
0139 i.e. <dm_version_str> ";" <device_metadata> ";" <table_load_data>.
0140
0141 target_begin := "target_begin=" <N>
0142 target_len := "target_len=" <N>
0143 target_name := Name of the target. 'linear', 'crypt', 'integrity' etc.
0144 The targets that are supported for IMA measurements are documented below in the
0145 'Supported targets' section.
0146 target_version := "target_version=" <N> "." <N> "." <N>
0147 target_attributes := Data containing comma separated list of name=value pairs of target specific attributes.
0148
0149 For instance, if a linear device is created with the following table entries,
0150 # dmsetup create linear1
0151 0 2 linear /dev/loop0 512
0152 2 2 linear /dev/loop0 512
0153 4 2 linear /dev/loop0 512
0154 6 2 linear /dev/loop0 512
0155
0156 Then IMA ASCII measurement log will have the following entry:
0157 (converted from ASCII to text for readability)
0158
0159 10 a8c5ff755561c7a28146389d1514c318592af49a ima-buf sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72
0160 dm_table_load
0161 dm_version=4.45.0;
0162 name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
0163 target_index=0,target_begin=0,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
0164 target_index=1,target_begin=2,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
0165 target_index=2,target_begin=4,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
0166 target_index=3,target_begin=6,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
0167
0168 2. Device resume:
0169 ------------------
0170 When a suspended device is resumed, the device information and the hash of the
0171 data from previous load of an active table are measured.
0172
0173 The IMA measurement log has the following format for 'dm_device_resume':
0174
0175 ::
0176
0177 EVENT_NAME := "dm_device_resume"
0178 EVENT_DATA := <dm_version_str> ";" <device_metadata> ";" <active_table_hash> ";" <current_device_capacity> ";"
0179
0180 dm_version_str := As described in the 'Table load' section above.
0181 device_metadata := As described in the 'Table load' section above.
0182 active_table_hash := "active_table_hash=" <table_hash_alg> ":" <table_hash>
0183 Rerpresents the hash of the IMA data being measured for the
0184 active table for the device.
0185 table_hash_alg := Algorithm used to compute the hash.
0186 table_hash := Hash of the (<dm_version_str> ";" <device_metadata> ";" <table_load_data> ";")
0187 as described in the 'dm_table_load' above.
0188 Note: If the table_load data spans across multiple IMA 'dm_table_load'
0189 events for a given device, the hash is computed combining all the event data
0190 i.e. (<dm_version_str> ";" <device_metadata> ";" <table_load_data> ";")
0191 across all those events.
0192 current_device_capacity := "current_device_capacity=" <N>
0193
0194 For instance, if a linear device is resumed with the following command,
0195 #dmsetup resume linear1
0196
0197 then IMA ASCII measurement log will have an entry with:
0198 (converted from ASCII to text for readability)
0199
0200 10 56c00cc062ffc24ccd9ac2d67d194af3282b934e ima-buf sha256:e7d12c03b958b4e0e53e7363a06376be88d98a1ac191fdbd3baf5e4b77f329b6
0201 dm_device_resume
0202 dm_version=4.45.0;
0203 name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
0204 active_table_hash=sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72;current_device_capacity=8;
0205
0206 3. Device remove:
0207 ------------------
0208 When a device is removed, the device information and a sha256 hash of the
0209 data from an active and inactive table are measured.
0210
0211 The IMA measurement log has the following format for 'dm_device_remove':
0212
0213 ::
0214
0215 EVENT_NAME := "dm_device_remove"
0216 EVENT_DATA := <dm_version_str> ";" <device_active_metadata> ";" <device_inactive_metadata> ";"
0217 <active_table_hash> "," <inactive_table_hash> "," <remove_all> ";" <current_device_capacity> ";"
0218
0219 dm_version_str := As described in the 'Table load' section above.
0220 device_active_metadata := Device metadata that reflects the currently loaded active table.
0221 The format is same as 'device_metadata' described in the 'Table load' section above.
0222 device_inactive_metadata := Device metadata that reflects the inactive table.
0223 The format is same as 'device_metadata' described in the 'Table load' section above.
0224 active_table_hash := Hash of the currently loaded active table.
0225 The format is same as 'active_table_hash' described in the 'Device resume' section above.
0226 inactive_table_hash := Hash of the inactive table.
0227 The format is same as 'active_table_hash' described in the 'Device resume' section above.
0228 remove_all := "remove_all=" <yes_no>
0229 yes_no := "y" | "n"
0230 current_device_capacity := "current_device_capacity=" <N>
0231
0232 For instance, if a linear device is removed with the following command,
0233 #dmsetup remove l1
0234
0235 then IMA ASCII measurement log will have the following entry:
0236 (converted from ASCII to text for readability)
0237
0238 10 790e830a3a7a31590824ac0642b3b31c2d0e8b38 ima-buf sha256:ab9f3c959367a8f5d4403d6ce9c3627dadfa8f9f0e7ec7899299782388de3840
0239 dm_device_remove
0240 dm_version=4.45.0;
0241 device_active_metadata=name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=2;
0242 device_inactive_metadata=name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
0243 active_table_hash=sha256:4a7e62efaebfc86af755831998b7db6f59b60d23c9534fb16a4455907957953a,
0244 inactive_table_hash=sha256:9d79c175bc2302d55a183e8f50ad4bafd60f7692fd6249e5fd213e2464384b86,remove_all=n;
0245 current_device_capacity=2048;
0246
0247 4. Table clear:
0248 ----------------
0249 When an inactive table is cleared from the device, the device information and a sha256 hash of the
0250 data from an inactive table are measured.
0251
0252 The IMA measurement log has the following format for 'dm_table_clear':
0253
0254 ::
0255
0256 EVENT_NAME := "dm_table_clear"
0257 EVENT_DATA := <dm_version_str> ";" <device_inactive_metadata> ";" <inactive_table_hash> ";" <current_device_capacity> ";"
0258
0259 dm_version_str := As described in the 'Table load' section above.
0260 device_inactive_metadata := Device metadata that was captured during the load time inactive table being cleared.
0261 The format is same as 'device_metadata' described in the 'Table load' section above.
0262 inactive_table_hash := Hash of the inactive table being cleared from the device.
0263 The format is same as 'active_table_hash' described in the 'Device resume' section above.
0264 current_device_capacity := "current_device_capacity=" <N>
0265
0266 For instance, if a linear device's inactive table is cleared,
0267 #dmsetup clear l1
0268
0269 then IMA ASCII measurement log will have an entry with:
0270 (converted from ASCII to text for readability)
0271
0272 10 77d347408f557f68f0041acb0072946bb2367fe5 ima-buf sha256:42f9ca22163fdfa548e6229dece2959bc5ce295c681644240035827ada0e1db5
0273 dm_table_clear
0274 dm_version=4.45.0;
0275 name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
0276 inactive_table_hash=sha256:75c0dc347063bf474d28a9907037eba060bfe39d8847fc0646d75e149045d545;current_device_capacity=1024;
0277
0278 5. Device rename:
0279 ------------------
0280 When an device's NAME or UUID is changed, the device information and the new NAME and UUID
0281 are measured.
0282
0283 The IMA measurement log has the following format for 'dm_device_rename':
0284
0285 ::
0286
0287 EVENT_NAME := "dm_device_rename"
0288 EVENT_DATA := <dm_version_str> ";" <device_active_metadata> ";" <new_device_name> "," <new_device_uuid> ";" <current_device_capacity> ";"
0289
0290 dm_version_str := As described in the 'Table load' section above.
0291 device_active_metadata := Device metadata that reflects the currently loaded active table.
0292 The format is same as 'device_metadata' described in the 'Table load' section above.
0293 new_device_name := "new_name=" <dm-device-name>
0294 dm-device-name := Same as <dm-device-name> described in 'Table load' section above
0295 new_device_uuid := "new_uuid=" <dm-device-uuid>
0296 dm-device-uuid := Same as <dm-device-uuid> described in 'Table load' section above
0297 current_device_capacity := "current_device_capacity=" <N>
0298
0299 E.g 1: if a linear device's name is changed with the following command,
0300 #dmsetup rename linear1 --setuuid 1234-5678
0301
0302 then IMA ASCII measurement log will have an entry with:
0303 (converted from ASCII to text for readability)
0304
0305 10 8b0423209b4c66ac1523f4c9848c9b51ee332f48 ima-buf sha256:6847b7258134189531db593e9230b257c84f04038b5a18fd2e1473860e0569ac
0306 dm_device_rename
0307 dm_version=4.45.0;
0308 name=linear1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;new_name=linear1,new_uuid=1234-5678;
0309 current_device_capacity=1024;
0310
0311 E.g 2: if a linear device's name is changed with the following command,
0312 # dmsetup rename linear1 linear=2
0313
0314 then IMA ASCII measurement log will have an entry with:
0315 (converted from ASCII to text for readability)
0316
0317 10 bef70476b99c2bdf7136fae033aa8627da1bf76f ima-buf sha256:8c6f9f53b9ef9dc8f92a2f2cca8910e622543d0f0d37d484870cb16b95111402
0318 dm_device_rename
0319 dm_version=4.45.0;
0320 name=linear1,uuid=1234-5678,major=253,minor=2,minor_count=1,num_targets=1;
0321 new_name=linear\=2,new_uuid=1234-5678;
0322 current_device_capacity=1024;
0323
0324 Supported targets:
0325 ==================
0326
0327 Following targets are supported to measure their data using IMA:
0328
0329 1. cache
0330 #. crypt
0331 #. integrity
0332 #. linear
0333 #. mirror
0334 #. multipath
0335 #. raid
0336 #. snapshot
0337 #. striped
0338 #. verity
0339
0340 1. cache
0341 ---------
0342 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0343 section above) has the following data format for 'cache' target.
0344
0345 ::
0346
0347 target_attributes := <target_name> "," <target_version> "," <metadata_mode> "," <cache_metadata_device> ","
0348 <cache_device> "," <cache_origin_device> "," <writethrough> "," <writeback> ","
0349 <passthrough> "," <no_discard_passdown> ";"
0350
0351 target_name := "target_name=cache"
0352 target_version := "target_version=" <N> "." <N> "." <N>
0353 metadata_mode := "metadata_mode=" <cache_metadata_mode>
0354 cache_metadata_mode := "fail" | "ro" | "rw"
0355 cache_device := "cache_device=" <cache_device_name_string>
0356 cache_origin_device := "cache_origin_device=" <cache_origin_device_string>
0357 writethrough := "writethrough=" <yes_no>
0358 writeback := "writeback=" <yes_no>
0359 passthrough := "passthrough=" <yes_no>
0360 no_discard_passdown := "no_discard_passdown=" <yes_no>
0361 yes_no := "y" | "n"
0362
0363 E.g.
0364 When a 'cache' target is loaded, then IMA ASCII measurement log will have an entry
0365 similar to the following, depicting what 'cache' attributes are measured in EVENT_DATA
0366 for 'dm_table_load' event.
0367 (converted from ASCII to text for readability)
0368
0369 dm_version=4.45.0;name=cache1,uuid=cache_uuid,major=253,minor=2,minor_count=1,num_targets=1;
0370 target_index=0,target_begin=0,target_len=28672,target_name=cache,target_version=2.2.0,metadata_mode=rw,
0371 cache_metadata_device=253:4,cache_device=253:3,cache_origin_device=253:5,writethrough=y,writeback=n,
0372 passthrough=n,metadata2=y,no_discard_passdown=n;
0373
0374
0375 2. crypt
0376 ---------
0377 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0378 section above) has the following data format for 'crypt' target.
0379
0380 ::
0381
0382 target_attributes := <target_name> "," <target_version> "," <allow_discards> "," <same_cpu_crypt> ","
0383 <submit_from_crypt_cpus> "," <no_read_workqueue> "," <no_write_workqueue> ","
0384 <iv_large_sectors> "," <iv_large_sectors> "," [<integrity_tag_size> ","] [<cipher_auth> ","]
0385 [<sector_size> ","] [<cipher_string> ","] <key_size> "," <key_parts> ","
0386 <key_extra_size> "," <key_mac_size> ";"
0387
0388 target_name := "target_name=crypt"
0389 target_version := "target_version=" <N> "." <N> "." <N>
0390 allow_discards := "allow_discards=" <yes_no>
0391 same_cpu_crypt := "same_cpu_crypt=" <yes_no>
0392 submit_from_crypt_cpus := "submit_from_crypt_cpus=" <yes_no>
0393 no_read_workqueue := "no_read_workqueue=" <yes_no>
0394 no_write_workqueue := "no_write_workqueue=" <yes_no>
0395 iv_large_sectors := "iv_large_sectors=" <yes_no>
0396 integrity_tag_size := "integrity_tag_size=" <N>
0397 cipher_auth := "cipher_auth=" <string>
0398 sector_size := "sector_size=" <N>
0399 cipher_string := "cipher_string="
0400 key_size := "key_size=" <N>
0401 key_parts := "key_parts=" <N>
0402 key_extra_size := "key_extra_size=" <N>
0403 key_mac_size := "key_mac_size=" <N>
0404 yes_no := "y" | "n"
0405
0406 E.g.
0407 When a 'crypt' target is loaded, then IMA ASCII measurement log will have an entry
0408 similar to the following, depicting what 'crypt' attributes are measured in EVENT_DATA
0409 for 'dm_table_load' event.
0410 (converted from ASCII to text for readability)
0411
0412 dm_version=4.45.0;
0413 name=crypt1,uuid=crypt_uuid1,major=253,minor=0,minor_count=1,num_targets=1;
0414 target_index=0,target_begin=0,target_len=1953125,target_name=crypt,target_version=1.23.0,
0415 allow_discards=y,same_cpu=n,submit_from_crypt_cpus=n,no_read_workqueue=n,no_write_workqueue=n,
0416 iv_large_sectors=n,cipher_string=aes-xts-plain64,key_size=32,key_parts=1,key_extra_size=0,key_mac_size=0;
0417
0418 3. integrity
0419 -------------
0420 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0421 section above) has the following data format for 'integrity' target.
0422
0423 ::
0424
0425 target_attributes := <target_name> "," <target_version> "," <dev_name> "," <start>
0426 <tag_size> "," <mode> "," [<meta_device> ","] [<block_size> ","] <recalculate> ","
0427 <allow_discards> "," <fix_padding> "," <fix_hmac> "," <legacy_recalculate> ","
0428 <journal_sectors> "," <interleave_sectors> "," <buffer_sectors> ";"
0429
0430 target_name := "target_name=integrity"
0431 target_version := "target_version=" <N> "." <N> "." <N>
0432 dev_name := "dev_name=" <device_name_str>
0433 start := "start=" <N>
0434 tag_size := "tag_size=" <N>
0435 mode := "mode=" <integrity_mode_str>
0436 integrity_mode_str := "J" | "B" | "D" | "R"
0437 meta_device := "meta_device=" <meta_device_str>
0438 block_size := "block_size=" <N>
0439 recalculate := "recalculate=" <yes_no>
0440 allow_discards := "allow_discards=" <yes_no>
0441 fix_padding := "fix_padding=" <yes_no>
0442 fix_hmac := "fix_hmac=" <yes_no>
0443 legacy_recalculate := "legacy_recalculate=" <yes_no>
0444 journal_sectors := "journal_sectors=" <N>
0445 interleave_sectors := "interleave_sectors=" <N>
0446 buffer_sectors := "buffer_sectors=" <N>
0447 yes_no := "y" | "n"
0448
0449 E.g.
0450 When a 'integrity' target is loaded, then IMA ASCII measurement log will have an entry
0451 similar to the following, depicting what 'integrity' attributes are measured in EVENT_DATA
0452 for 'dm_table_load' event.
0453 (converted from ASCII to text for readability)
0454
0455 dm_version=4.45.0;
0456 name=integrity1,uuid=,major=253,minor=1,minor_count=1,num_targets=1;
0457 target_index=0,target_begin=0,target_len=7856,target_name=integrity,target_version=1.10.0,
0458 dev_name=253:0,start=0,tag_size=32,mode=J,recalculate=n,allow_discards=n,fix_padding=n,
0459 fix_hmac=n,legacy_recalculate=n,journal_sectors=88,interleave_sectors=32768,buffer_sectors=128;
0460
0461
0462 4. linear
0463 ----------
0464 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0465 section above) has the following data format for 'linear' target.
0466
0467 ::
0468
0469 target_attributes := <target_name> "," <target_version> "," <device_name> <,> <start> ";"
0470
0471 target_name := "target_name=linear"
0472 target_version := "target_version=" <N> "." <N> "." <N>
0473 device_name := "device_name=" <linear_device_name_str>
0474 start := "start=" <N>
0475
0476 E.g.
0477 When a 'linear' target is loaded, then IMA ASCII measurement log will have an entry
0478 similar to the following, depicting what 'linear' attributes are measured in EVENT_DATA
0479 for 'dm_table_load' event.
0480 (converted from ASCII to text for readability)
0481
0482 dm_version=4.45.0;
0483 name=linear1,uuid=linear_uuid1,major=253,minor=2,minor_count=1,num_targets=1;
0484 target_index=0,target_begin=0,target_len=28672,target_name=linear,target_version=1.4.0,
0485 device_name=253:1,start=2048;
0486
0487 5. mirror
0488 ----------
0489 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0490 section above) has the following data format for 'mirror' target.
0491
0492 ::
0493
0494 target_attributes := <target_name> "," <target_version> "," <nr_mirrors> ","
0495 <mirror_device_data> "," <handle_errors> "," <keep_log> "," <log_type_status> ";"
0496
0497 target_name := "target_name=mirror"
0498 target_version := "target_version=" <N> "." <N> "." <N>
0499 nr_mirrors := "nr_mirrors=" <NR>
0500 mirror_device_data := <mirror_device_row> | <mirror_device_data><mirror_device_row>
0501 mirror_device_row is repeated <NR> times - for <NR> described in <nr_mirrors>.
0502 mirror_device_row := <mirror_device_name> "," <mirror_device_status>
0503 mirror_device_name := "mirror_device_" <X> "=" <mirror_device_name_str>
0504 where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>.
0505 mirror_device_status := "mirror_device_" <X> "_status=" <mirror_device_status_char>
0506 where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>.
0507 mirror_device_status_char := "A" | "F" | "D" | "S" | "R" | "U"
0508 handle_errors := "handle_errors=" <yes_no>
0509 keep_log := "keep_log=" <yes_no>
0510 log_type_status := "log_type_status=" <log_type_status_str>
0511 yes_no := "y" | "n"
0512
0513 E.g.
0514 When a 'mirror' target is loaded, then IMA ASCII measurement log will have an entry
0515 similar to the following, depicting what 'mirror' attributes are measured in EVENT_DATA
0516 for 'dm_table_load' event.
0517 (converted from ASCII to text for readability)
0518
0519 dm_version=4.45.0;
0520 name=mirror1,uuid=mirror_uuid1,major=253,minor=6,minor_count=1,num_targets=1;
0521 target_index=0,target_begin=0,target_len=2048,target_name=mirror,target_version=1.14.0,nr_mirrors=2,
0522 mirror_device_0=253:4,mirror_device_0_status=A,
0523 mirror_device_1=253:5,mirror_device_1_status=A,
0524 handle_errors=y,keep_log=n,log_type_status=;
0525
0526 6. multipath
0527 -------------
0528 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0529 section above) has the following data format for 'multipath' target.
0530
0531 ::
0532
0533 target_attributes := <target_name> "," <target_version> "," <nr_priority_groups>
0534 ["," <pg_state> "," <priority_groups> "," <priority_group_paths>] ";"
0535
0536 target_name := "target_name=multipath"
0537 target_version := "target_version=" <N> "." <N> "." <N>
0538 nr_priority_groups := "nr_priority_groups=" <NPG>
0539 priority_groups := <priority_groups_row>|<priority_groups_row><priority_groups>
0540 priority_groups_row := "pg_state_" <X> "=" <pg_state_str> "," "nr_pgpaths_" <X> "=" <NPGP> ","
0541 "path_selector_name_" <X> "=" <string> "," <priority_group_paths>
0542 where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>.
0543 pg_state_str := "E" | "A" | "D"
0544 <priority_group_paths> := <priority_group_paths_row> | <priority_group_paths_row><priority_group_paths>
0545 priority_group_paths_row := "path_name_" <X> "_" <Y> "=" <string> "," "is_active_" <X> "_" <Y> "=" <is_active_str>
0546 "fail_count_" <X> "_" <Y> "=" <N> "," "path_selector_status_" <X> "_" <Y> "=" <path_selector_status_str>
0547 where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>,
0548 and <Y> ranges from 0 to (<NPGP> -1) - for <NPGP> described in <priority_groups_row>.
0549 is_active_str := "A" | "F"
0550
0551 E.g.
0552 When a 'multipath' target is loaded, then IMA ASCII measurement log will have an entry
0553 similar to the following, depicting what 'multipath' attributes are measured in EVENT_DATA
0554 for 'dm_table_load' event.
0555 (converted from ASCII to text for readability)
0556
0557 dm_version=4.45.0;
0558 name=mp,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
0559 target_index=0,target_begin=0,target_len=2097152,target_name=multipath,target_version=1.14.0,nr_priority_groups=2,
0560 pg_state_0=E,nr_pgpaths_0=2,path_selector_name_0=queue-length,
0561 path_name_0_0=8:16,is_active_0_0=A,fail_count_0_0=0,path_selector_status_0_0=,
0562 path_name_0_1=8:32,is_active_0_1=A,fail_count_0_1=0,path_selector_status_0_1=,
0563 pg_state_1=E,nr_pgpaths_1=2,path_selector_name_1=queue-length,
0564 path_name_1_0=8:48,is_active_1_0=A,fail_count_1_0=0,path_selector_status_1_0=,
0565 path_name_1_1=8:64,is_active_1_1=A,fail_count_1_1=0,path_selector_status_1_1=;
0566
0567 7. raid
0568 --------
0569 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0570 section above) has the following data format for 'raid' target.
0571
0572 ::
0573
0574 target_attributes := <target_name> "," <target_version> "," <raid_type> "," <raid_disks> "," <raid_state>
0575 <raid_device_status> ["," journal_dev_mode] ";"
0576
0577 target_name := "target_name=raid"
0578 target_version := "target_version=" <N> "." <N> "." <N>
0579 raid_type := "raid_type=" <raid_type_str>
0580 raid_disks := "raid_disks=" <NRD>
0581 raid_state := "raid_state=" <raid_state_str>
0582 raid_state_str := "frozen" | "reshape" |"resync" | "check" | "repair" | "recover" | "idle" |"undef"
0583 raid_device_status := <raid_device_status_row> | <raid_device_status_row><raid_device_status>
0584 <raid_device_status_row> is repeated <NRD> times - for <NRD> described in <raid_disks>.
0585 raid_device_status_row := "raid_device_" <X> "_status=" <raid_device_status_str>
0586 where <X> ranges from 0 to (<NRD> -1) - for <NRD> described in <raid_disks>.
0587 raid_device_status_str := "A" | "D" | "a" | "-"
0588 journal_dev_mode := "journal_dev_mode=" <journal_dev_mode_str>
0589 journal_dev_mode_str := "writethrough" | "writeback" | "invalid"
0590
0591 E.g.
0592 When a 'raid' target is loaded, then IMA ASCII measurement log will have an entry
0593 similar to the following, depicting what 'raid' attributes are measured in EVENT_DATA
0594 for 'dm_table_load' event.
0595 (converted from ASCII to text for readability)
0596
0597 dm_version=4.45.0;
0598 name=raid_LV1,uuid=uuid_raid_LV1,major=253,minor=12,minor_count=1,num_targets=1;
0599 target_index=0,target_begin=0,target_len=2048,target_name=raid,target_version=1.15.1,
0600 raid_type=raid10,raid_disks=4,raid_state=idle,
0601 raid_device_0_status=A,
0602 raid_device_1_status=A,
0603 raid_device_2_status=A,
0604 raid_device_3_status=A;
0605
0606
0607 8. snapshot
0608 ------------
0609 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0610 section above) has the following data format for 'snapshot' target.
0611
0612 ::
0613
0614 target_attributes := <target_name> "," <target_version> "," <snap_origin_name> ","
0615 <snap_cow_name> "," <snap_valid> "," <snap_merge_failed> "," <snapshot_overflowed> ";"
0616
0617 target_name := "target_name=snapshot"
0618 target_version := "target_version=" <N> "." <N> "." <N>
0619 snap_origin_name := "snap_origin_name=" <string>
0620 snap_cow_name := "snap_cow_name=" <string>
0621 snap_valid := "snap_valid=" <yes_no>
0622 snap_merge_failed := "snap_merge_failed=" <yes_no>
0623 snapshot_overflowed := "snapshot_overflowed=" <yes_no>
0624 yes_no := "y" | "n"
0625
0626 E.g.
0627 When a 'snapshot' target is loaded, then IMA ASCII measurement log will have an entry
0628 similar to the following, depicting what 'snapshot' attributes are measured in EVENT_DATA
0629 for 'dm_table_load' event.
0630 (converted from ASCII to text for readability)
0631
0632 dm_version=4.45.0;
0633 name=snap1,uuid=snap_uuid1,major=253,minor=13,minor_count=1,num_targets=1;
0634 target_index=0,target_begin=0,target_len=4096,target_name=snapshot,target_version=1.16.0,
0635 snap_origin_name=253:11,snap_cow_name=253:12,snap_valid=y,snap_merge_failed=n,snapshot_overflowed=n;
0636
0637 9. striped
0638 -----------
0639 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0640 section above) has the following data format for 'striped' target.
0641
0642 ::
0643
0644 target_attributes := <target_name> "," <target_version> "," <stripes> "," <chunk_size> ","
0645 <stripe_data> ";"
0646
0647 target_name := "target_name=striped"
0648 target_version := "target_version=" <N> "." <N> "." <N>
0649 stripes := "stripes=" <NS>
0650 chunk_size := "chunk_size=" <N>
0651 stripe_data := <stripe_data_row>|<stripe_data><stripe_data_row>
0652 stripe_data_row := <stripe_device_name> "," <stripe_physical_start> "," <stripe_status>
0653 stripe_device_name := "stripe_" <X> "_device_name=" <stripe_device_name_str>
0654 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
0655 stripe_physical_start := "stripe_" <X> "_physical_start=" <N>
0656 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
0657 stripe_status := "stripe_" <X> "_status=" <stripe_status_str>
0658 where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
0659 stripe_status_str := "D" | "A"
0660
0661 E.g.
0662 When a 'striped' target is loaded, then IMA ASCII measurement log will have an entry
0663 similar to the following, depicting what 'striped' attributes are measured in EVENT_DATA
0664 for 'dm_table_load' event.
0665 (converted from ASCII to text for readability)
0666
0667 dm_version=4.45.0;
0668 name=striped1,uuid=striped_uuid1,major=253,minor=5,minor_count=1,num_targets=1;
0669 target_index=0,target_begin=0,target_len=640,target_name=striped,target_version=1.6.0,stripes=2,chunk_size=64,
0670 stripe_0_device_name=253:0,stripe_0_physical_start=2048,stripe_0_status=A,
0671 stripe_1_device_name=253:3,stripe_1_physical_start=2048,stripe_1_status=A;
0672
0673 10. verity
0674 ----------
0675 The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
0676 section above) has the following data format for 'verity' target.
0677
0678 ::
0679
0680 target_attributes := <target_name> "," <target_version> "," <hash_failed> "," <verity_version> ","
0681 <data_device_name> "," <hash_device_name> "," <verity_algorithm> "," <root_digest> ","
0682 <salt> "," <ignore_zero_blocks> "," <check_at_most_once> ["," <root_hash_sig_key_desc>]
0683 ["," <verity_mode>] ";"
0684
0685 target_name := "target_name=verity"
0686 target_version := "target_version=" <N> "." <N> "." <N>
0687 hash_failed := "hash_failed=" <hash_failed_str>
0688 hash_failed_str := "C" | "V"
0689 verity_version := "verity_version=" <verity_version_str>
0690 data_device_name := "data_device_name=" <data_device_name_str>
0691 hash_device_name := "hash_device_name=" <hash_device_name_str>
0692 verity_algorithm := "verity_algorithm=" <verity_algorithm_str>
0693 root_digest := "root_digest=" <root_digest_str>
0694 salt := "salt=" <salt_str>
0695 salt_str := "-" <verity_salt_str>
0696 ignore_zero_blocks := "ignore_zero_blocks=" <yes_no>
0697 check_at_most_once := "check_at_most_once=" <yes_no>
0698 root_hash_sig_key_desc := "root_hash_sig_key_desc="
0699 verity_mode := "verity_mode=" <verity_mode_str>
0700 verity_mode_str := "ignore_corruption" | "restart_on_corruption" | "panic_on_corruption" | "invalid"
0701 yes_no := "y" | "n"
0702
0703 E.g.
0704 When a 'verity' target is loaded, then IMA ASCII measurement log will have an entry
0705 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA
0706 for 'dm_table_load' event.
0707 (converted from ASCII to text for readability)
0708
0709 dm_version=4.45.0;
0710 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
0711 target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_failed=V,
0712 verity_version=1,data_device_name=253:1,hash_device_name=253:0,verity_algorithm=sha256,
0713 root_digest=29cb87e60ce7b12b443ba6008266f3e41e93e403d7f298f8e3f316b29ff89c5e,
0714 salt=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d,
0715 ignore_zero_blocks=n,check_at_most_once=n;
